More than 100 pieces of vital infrastructure, including four hydroelectric dams, had their computer control systems connected to the public internet where anyone could access them and potentially carry out acts of sabotage, according to German security researchers.
Researchers at InternetWache.org in Berlin began looking for routers used by industrial control systems last year. Lead researcher Tim Philipp Schafers was surprised to find unprotected management interfaces for industrial control systems, or ICS, showing up in searches.
Using a simple Python script and some free search tools, he eventually catalogued more than 100 of them, according to a post by Kaspersky Labs on their Threatpost blog.
ICS are special computerized systems that control industrial processes or other machinery, including dam sluice gates. They are typically built with a user dashboard or control panel attached through which they can be remotely controlled. Generally experts recommend against deploying these kinds of applications on the internet, and if they are on the web, they need to be protected by encryption, firewalls and strong passwords.
None of the systems that Schafers found was protected like that.
“It’s possible to access the web applications that control processes in these plants; you don’t need to know a special configuration,” Schafers told Threatpost. “We found more than 100 systems, and about half required authentication, while some were without any and were administrator accessible [to anyone].”