Every once in a while you run across some information that should not be accessible from the internet, and SCADA systems are by far no exception. Researchers from Free University Berlin are working on a stunning project of mapping internet accessible SCADA Systems worldwide using Shodan and a custom search program.
And… Their map includes sites that contain known vulnerabilities!
According to the project website SCADACS.org, their Industrial Risk Assessment Map (IRAM) “visualizes the approximate geospatial locations of ICS/SCADA and BMS network interfaces found on the Internet. Currently, we use Google Earth and Google Maps for this purpose.”
The custom map allows a user to “browse for ICS/SCADA systems by location and by keyword, and to drill down on information the map backend gathers on these systems from open sources. One such source is the Shodan computer search engine. Another source of information is the alpha version of our own crawler which covers services the Shodan engine does not cover.”
And as you can see from their video above, this map information backend includes a list of known vulnerabilities. Yes the video shows two locations that contain vulnerabilities, one in Austria and another in the US. But before you get too excited, these locations have been tagged as no longer publicly accessible.
So, how big a problem is internet connected SCADA systems, how many are there in Europe?
Oh, a few:
Okay, how about America?
With all the hype about a “Cyber Pearl Harbor” (when Chinese hackers take over our country, kills our power and takes away FaceBook), that doesn’t really look so bad.
But there is a catch.
According to an exceptional article titled “The Great Cyberscare: Why the Pentagon is razzmatazzing you about those big bad Chinese hackers” by Dr. Thomas Rid (Reader in War Studies at King’s College London), the map only displays German manufactured systems:
“The United States looks as if it has the measles. But note that the map is incomplete: It is biased towards German products, the project’s founder told me. If that flaw can be fixed, the United States and other countries would look as bloody red as Germany does already.”
So there is definitely a lot of work to do in securing America’s public systems. Some good news is that the Pentagon plans to create 100 defensive cyber teams by 2015. Of the 100, thirteen teams will focus on defending our national infrastructure:
“National mission forces will employ 13 teams focused on securing U.S. private networks powering critical infrastructure such as transportation systems and other vital industries.“
Hopefully this will be done sooner, rather than later.
A sanitized public Google Maps and Google Earth version of the IRAM map can be located at SCADACS website.