
State of Industrial Control Systems in Poland and Switzerland - achillean
https://medium.com/@woj_ciech/state-of-industrial-control-systems-in-poland-and-switzerland-656e2e363fe3
======
Tharkun
This is mind boggling. Who installs these systems? Who maintains them? Surely
this is supposed to be done by someone with at least a certain amount of clue?
Enough clue not to hook up your insecure gear to the internet? No?

I don't even get how this happens. Surely these things are not just plugged in
to a modem? There has got to be some kind of LAN involved. If there is, then
there should at least be an edge firewall. Or even a simple garden variety
gateway with NAT, which would already prevent all of those open ports from
being accessible. So what gives? Are people _deliberately_ hooking this gear
up to the internet, _deliberately_ exposing ports _without_ taking security
into consideration? That is patently insane.

~~~
cookiecaper
How much do engineers specializing in these systems get paid? I interviewed at
a couple of places that do industrial-style systems and in one case, I got an
offer that clocked in far below the requested rate (not a negotiation tactic,
they declined to revise it), and at another, the recruiter couldn't hang up
fast enough when she heard salary requirements.

It's something like the Idiocracy Effect. In Idiocracy, the present-day
world's best minds devote all their energy to eliminating hair loss and
prolonging erections, eventually leading to a collapsed society. The real
world is not too far off. Our best minds are dedicated to improving ad
targeting and keeping users in vanity-gratifying loops on social media, while
our industrial control systems that literally run the modern world wallow in
the 70s.

Everyone has some culpability in that. How many of us yearn to work for the
local power utility (or one of their upstream vendors) rather than Facebook,
Google, or the latest VC pump-and-dump scheme -- err, I mean, hot SV unicorn?
Even if they _did_ compensate competitively, are there enough hackers with a
sense of [realism/duty/patriotism/INSERT_OTHER_SOCIAL_VALUE_HERE] to heed the
call?

There's definitely a role for some type of regulation or standards here.
Industrial controls should be considered vital infrastructure that require
serious and immediate investment. A brief visit to Shodan will show thousands
of exposed industrial resources, and that _should_ scare your pants off.

~~~
philpem
As someone who worked in this industry -- it's peanuts, but they'll tell you
it's gold.

I walked out of my IA job with the boss screeching about how I was "making the
biggest mistake of my life", how "nobody can match our prestige"... after a
four-year pay freeze. Nearly a 20% pay rise right off the bat, and that was
the initial offer.

The other thing about IA is there's no career progression for engineers unless
someone higher-up quits (which usually triggers a deckchair shuffling or a
hiring). If you're good at sales, you can progress into that -- otherwise your
only option is likely to be management.

If you want to make cool things, IA is not the industry for you.

If you're happy making the same thing day-in day-out, just with a different
coloured box? You'll fly.

If you can play politics and ruthlessly spike your colleagues, you'll get all
the way to the boardroom.

~~~
ChuckNorris89
May I ask how you got out of industrial automation and where you went
after?

------
jacquesm
SCADA and industrial stuff are absolutely terrible. Plenty of places where
relays will happily change state when you send alternating packets of all 0's
and 1's via UDP. Anything from heating / cooling, building lights, alarm
systems and industrial processes are wide open. This is definitely not limited
to certain countries.

------
nikomen
Organizations using ICS equipment could use this tool to find their own
systems that are accessible to the internet. However, I would imagine that
companies that are responsible enough to perform checks like these hopefully
already have procedures in place to prevent issues like this.

I wonder if there's room to use this software to provide direct feedback to
the organizations and let them know without being prosecuted?

~~~
achillean
Shodan actually has a service that will notify you when it discovers a public
industrial control system:

[https://monitor.shodan.io](https://monitor.shodan.io)

Shodan Monitor is to the Internet as Google Alerts is to the web. And the
membership (one-time payment of $49 for a lifetime upgrade) lets you monitor
up to 16 IPs.

Disclaimer: I'm the founder of Shodan.

~~~
nickpsecurity
Have you noticed any significant change as part of your work with Shodan? If
you contact them, do the organizations even do fixes at a steady rate? What's
the situation?

~~~
achillean
We've had great success working through other CERTs and enterprise customers
that have existing relationships with affected customers. Reaching out
ourselves has been a mixed bag. For us, we have more success directly working
with vendors and trying to make sure that moving forward devices are properly
configured. And to let them know who's impacted so they can follow up as part
of their regular support services.

------
mmaunder
This illustrates something I'm worried about. Cyber as a battle space, and the
extreme vulnerability of some countries negates some of the traditional
strategic advantages that superpowers have had. That will rebalance in time.
But I worry that for an up and coming power with a kick-ass cyberwarfare
operation, there is no better time to start a war than right now.

~~~
jorblumesea
One saving grace is that if a cyber attack was bad enough, it would likely
result in retaliation in the physical space, provided attribution could be
proven. Superpowers generally have armed forces far superior to asymmetric
attackers and would be able to inflict punitive damages far beyond the cost of
the initial cyber attack. There is some deterrence against some of the worst
attacks eg: knocking out a power grid.

If you look at the pattern of really nasty cyber attacks against
infrastructure and industry, they usually are the other way around. Stuxnet
was the US attacking Iran, Ukraine was attacked by Russia.

------
Roark66
This whole submission looks like an ad for Shodan. For those who don't know.
Shodan is a basically a search engine on top of a DB created by mass port
scanning. If it sounds shoddy as fuck to you, you would be right. They
basically managed to find few ISPs that disregard hundreds or possibly
thousands of abuse notifications they must be receiving and they are
monetising their find. No doubt someone will reply "but port scanning is not
illegal", well walking from car to car and trying door-handles to see if any
are open in a supermarket car park is also not illegal, but don't be surprised
if you get a security guy's baton treatment if you're spotted doing that. My
point is, it is not illegal, but it is also not acceptable. Don't believe me?
Try to do a mass port scan on any normal ISP's connection. You'll be getting a
phone call or a letter in the post to stop it soon or they will disconnect
you. Same with AWS, Azure, Rackspace and any other reputable cloud provider.
"Oh, but we provide a much needed service to companies that need to be
notified if any unsecured devices pop up on their network" - they'll say. My
answer to this is that there are hundreds if not thousands of WhiteHat
scanning companies that will happily provide you with a scanning service if
you prove you own the range. It is only Shodan that will preemptively scan
everyone and then let people search their DB. This is basically equivalent to
a script kiddie running nmap on 0.0.0.0/0. Seriously, this is not OK.

Some ISPs that should be named and shamed for allowing this to be going on:
SingleHop - a US based cloud provider
CariNet Inc from San Diego - another small cloud provider
M247 Europe - a Colo provider in Romania

The above have been found to be hosting one or more of the servers that do the
actual Shodan scanning. Servers are named censusX.shodan.io where X is a
single digit.

I suggest that everyone annoyed with Shodan's activity emails those service
providers and tells them what they think about it.

~~~
iofiiiiiiiii
Hiding our heads in the sand only means that the vulnerabilities will not be
fixed and that only especially crafty attackers (i.e. the most dangerous ones)
can exploit them. We need more openness, not security based on someone's
feelings of morality.

~~~
Roark66
How does Shodan promote openness? Anyone who wants to scan their own network
can already do so with paid for and free tools. What this service does is, it
scans your network whether you want it or not, then allows others to search
for vulnerable hosts. It is a script kiddie wet dream come true service.

Continuing my "trying door handles on cars or houses" analogy imagine there is
a service that has people walking from car to car and from house to house
covering whole cities. Then once it compiled a database of which
houses/flats/cars tend to be unlocked it made a business out of selling access
to that DB. Would you have no moral reservations about that?

Almost everyone is for openness in matters of vulnerabilities in software so
companies are forced to fix them, but still most 0day researchers give heads up
to the companies and shortly later mailing lists about the vulnerabilities
they discover before they openly publish all the details including an example
exploit. Therefore openness has widely accepted limits. Making a business out
of selling information about third parties that are vulnerable is way past
those limits.

~~~
def_true_false
If it forces people to invest in securing their systems, it will have already
done more good than whining about morality.

~~~
Roark66
>If it forces people to invest in securing their systems, it will have already
done more good than whining about morality

It'll not force people to do anything, unless by forcing them you mean it will
send attackers their way, they will get pwned, their systems screwed and they
learn their lesson the hard way. You may well be in favour of this kind of
mass education of inept admins, but I'm not.

As for "whining" about morality, you know humans invented and use it when
making decisions because it is useful in preventing conflict. What happens if
companies don't give a fuck about morality of their actions? People hurt by
them use forceful means to "make things right" in their mind.

------
kernelPan1c
Industrial control systems are experiencing the growing pains of letting go of
older technology that was designed prior to security being much of a concern.

ICS networks are often designed to be 'air gapped'. All too often the air gap
is broken via a VPN into the network so that someone can RDP to a Windows
SCADA machine (that doesn't receive updates because it can't reach the
internet itself).

------
statictype
Ugh. None of the industrial protocols like BACnet or Modbus have any built-in
security, so this looks pretty bad.

~~~
nikomen
Agreed. These protocols are difficult to secure. However, it shouldn't be
difficult to isolate devices from the internet. Isolation doesn't protect
against inside attackers or an external user from causing trouble after getting
into the network. It should be obvious these devices shouldn't have access to
the internet.

~~~
statictype
Right. Even internally they should ideally be on their own subnet.

------
runciblespoon
“Everyone knows how fragile these systems are”

How about not connecting your ICSs directly to the Internet?

~~~
achillean
The number of ICS directly connected to the Internet has grown 10% every year
since we started tracking them at Shodan
([https://exposure.shodan.io](https://exposure.shodan.io)), so, even worse, this
is an increasing problem. This is a known issue in the security industry and
has been for a while but fixing it is a hard problem.

The other thing we've noticed is that people are putting the ICS devices on
non-standard ports in an attempt to hide them from Internet crawlers. This
means that there are people that know this is a bad idea and instead of
putting it behind a VPN or something more secure they just decide to change
ports and leave it at that.
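
Two points from this subthread are easy to see in a few lines of code: statictype and nikomen note that Modbus carries no authentication at all, so only network isolation stands between the internet and a write to a coil, and achillean notes that moving a device to a non-standard port hides nothing, because the protocol is recognisable from the bytes themselves. The example below is added here and is not code from the thread, from Shodan, or from any vendor. It parses a Modbus/TCP frame (7-byte MBAP header: transaction id, protocol id which is always 0, length, unit id, followed by the PDU; function codes 1-4 are reads and 5, 6, 15, 16 are writes, per the public Modbus specification) without ever consulting the TCP port, and then applies the kind of compensating control a segmented network would enforce: reads pass, writes pass only from an assumed engineering subnet, anything else is dropped. The sample frames, the source addresses and the `10.10.5.0/24` engineering subnet are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Public Modbus function codes (Modbus Application Protocol specification).
READ_CODES = {1, 2, 3, 4}      # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16}   # write single coil / single register / multiple coils / multiple registers


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_CODES


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2 bytes), protocol id (2 bytes, always 0),
    length (2 bytes: number of bytes after the length field, i.e. unit id
    + PDU), unit id (1 byte). Returns None for anything not well formed.
    Nothing in the frame identifies or authenticates the sender, and the
    parser never looks at the TCP port: the bytes are recognisable as
    Modbus on port 502 or on any other port. Assumes one frame per buffer.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length < 2 or length != len(frame) - 6:
        return None
    return ModbusRequest(tid, unit, frame[7])


def decide(frame: bytes, src_ip: str, writer_nets: Iterable[str]) -> str:
    """Network-layer compensating control for a protocol with no auth:
    allow reads, allow writes only from allow-listed subnets, drop the rest.
    Returns 'allow', 'drop-write' or 'drop-unknown'."""
    req = parse_modbus_tcp(frame)
    if req is None:
        return "drop-unknown"
    if not req.is_write:
        return "allow"
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(net) for net in writer_nets):
        return "allow"
    return "drop-write"


# Constructed sample traffic (not captured from any real device).
READ_HOLDING = bytes.fromhex("00010000000601030000000a")  # fc 3: read 10 holding regs
WRITE_COIL = bytes.fromhex("00020000000601050001ff00")    # fc 5: set coil 1 ON
HTTP_NOISE = b"GET / HTTP/1.1\r\n"                        # not Modbus at all

SAMPLE: List[Tuple[bytes, str]] = [
    (READ_HOLDING, "203.0.113.7"),   # read from an internet address (TEST-NET-3)
    (WRITE_COIL, "203.0.113.7"),     # write from an internet address
    (WRITE_COIL, "10.10.5.20"),      # write from the assumed engineering VLAN
    (HTTP_NOISE, "10.10.5.20"),
]
ENGINEERING_NETS = ["10.10.5.0/24"]  # assumed allow-listed subnet for writes


def audit(samples=SAMPLE, writer_nets=ENGINEERING_NETS) -> List[str]:
    """Label each sample with the parsed function code and the policy decision."""
    out = []
    for frame, ip in samples:
        req = parse_modbus_tcp(frame)
        fc = req.function_code if req else None
        out.append(f"{ip} fc={fc} -> {decide(frame, ip, writer_nets)}")
    return out


if __name__ == "__main__":
    for line in audit():
        print(line)
```

The write from `203.0.113.7` is rejected only because of where it came from; the frame itself is indistinguishable from the one the engineering workstation sends, which is the whole reason the "own subnet" advice above matters. Changing the listening port would not change a single byte the parser looks at.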

~~~
zhte415
> This is a known issue in the security industry and has been for a while but
> fixing it is a hard problem.

I've never heard of Shodan, it seems like a valuable service and seems like
you care. I'm not in the 'industrial control systems space', but am in an
industry which is 'sensitive'.

The 'last line of defence' is often audit. Are you able to reach out to
auditors (Big4) and regulators and educate them on this service (audit often
have a financial background, CPA etc, and it's rare to find an auditor with a
deep technology understanding, and MBA programs, which a lot of company heads
might have taken, tend to lack anything very information technology
technically - basically finance rooted)? I'm thinking this could be a business
development route for a valuable service; make it a win-win for them too.

------
Creationer
Isn't it the role of State Security/Defense Services to conduct these sort of
scans, and notify companies of their vulnerability?

~~~
TheRealPomax
It is not. What made you think it was?

~~~
TeMPOraL
People keep saying here and elsewhere that this is what the NSA was supposed
to be about in the US.

In Poland, every couple months I see news that our government/military is
supposedly creating some sort of "cyber force". If one day they actually
create it, I hope this kind of stuff will be its focus.

~~~
noir_lord
The NSA has a dual role, break other people's stuff and secure the US gov's
stuff (in theory).

They can (and have) act in an advisory capacity but they have no regulatory
authority to force companies to secure their shit.

Now whether such an organisation should exist, that's an interesting question I
guess.

Over here in the UK we have a similar body.

https://en.m.wikipedia.org/wiki/National_Cyber_Security_Centre_(United_Kingdom)

As someone in the UK tech industry I’m not sure what they actually do on the
ground.

~~~
YjSe2GMQ
One thing those are good for is being a call center for white hat hackers.
I.e. if you find some holes you can report to those agencies, and they'll take
it from there. I know that's what people that speak about their findings on
CCC do.

