The rise of the Internet of Things (IoT) has opened up a new and widespread class of security vulnerabilities. Beyond obvious targets such as consumer devices and smart home appliances, hackers can exploit this class of weakness to remotely seize control of a wide range of critical public and private infrastructure. Many of these potential targets run on legacy Industrial Control Systems (ICS) that were designed without cybersecurity in mind and are therefore extremely vulnerable to cyberattack.
Our research found that despite growing investments in infrastructure security, many ICS panels for both public and private infrastructure in the US are still unprotected and easily accessible to hackers.
All of these control systems are left out in the open and easy for anyone to seize and manipulate. In the event of a coordinated cyberwarfare campaign, these control panels could be used by attackers to cause severe damage to private and public property, the environment, and public health and safety in the US.
About this research
By scanning IP blocks for open ports in the US IP address range as part of an internet mapping project, we found a number of unprotected and accessible Industrial Control Systems in the country.
What we discovered
Industry, institutions, and cybersecurity experts are all aware of the dangers associated with outdated ICS. But as our research shows, many ICS access points in the US, particularly in the water and energy sectors, are still vulnerable to attack:
- By using search engines that index open ports across the internet, or by scanning those ports themselves, hackers can remotely take control of critical private and public US infrastructure
- Unprotected ICS access points mostly include the energy and water industries: offshore and onshore oil wells, as well as public and private water distribution and treatment systems
- These systems could be accessed by anyone – with no passwords at all
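The findings above come from an external port scan; the same data lets an infrastructure owner audit its own exposure. The following Python script is an added illustration written for this page, not the research team's scanning tool. It takes an asset inventory (the hosts, open ports and authentication status below are constructed sample data) and flags any host whose ICS protocol port is reachable from the internet, rating a panel with no password as critical. The port-to-protocol table uses the well-known default ports of common ICS protocols, an assumption about what an external scan would report.

```python
"""Flag inventory hosts whose ICS protocol ports are reachable from the internet.

Added example for this report (not the researchers' own tooling). The
inventory is constructed sample data; the port table lists well-known
default ports of common ICS protocols (an assumption about what an
external scan would show as open on an exposed control panel).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known default ports for common ICS protocols (assumed scan signature).
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Defensive actions an owner would take for an exposed panel.
MITIGATIONS = {
    "critical": "take the panel offline, require authentication, and move it behind a VPN on a segmented OT network",
    "high": "remove direct internet exposure; allow access only through a VPN on a segmented OT network",
}


@dataclass(frozen=True)
class Host:
    ip: str
    site: str
    open_ports: Tuple[int, ...]   # ports seen open from the internet
    auth_required: bool           # does the panel demand credentials? (owner records)


@dataclass(frozen=True)
class Finding:
    ip: str
    site: str
    protocols: Tuple[str, ...]
    severity: str


def assess(host: Host) -> Optional[Finding]:
    """Return a Finding if the host exposes an ICS protocol, else None."""
    exposed = tuple(ICS_PORTS[p] for p in sorted(host.open_ports) if p in ICS_PORTS)
    if not exposed:
        return None
    # An ICS port reachable from the internet is serious; with no password it is critical.
    severity = "critical" if not host.auth_required else "high"
    return Finding(host.ip, host.site, exposed, severity)


def audit(hosts: List[Host]) -> List[Finding]:
    """Assess every host and list findings, critical ones first."""
    findings = [f for f in (assess(h) for h in hosts) if f is not None]
    return sorted(findings, key=lambda f: (f.severity != "critical", f.ip))


# Constructed sample inventory (documentation address ranges, not real hosts).
SAMPLE_INVENTORY = [
    Host("203.0.113.10", "water treatment plant", (80, 502), auth_required=False),
    Host("203.0.113.22", "oil well pad", (102, 443), auth_required=True),
    Host("203.0.113.35", "corporate web server", (22, 443), auth_required=True),
    Host("198.51.100.7", "sewer pump station", (502, 20000), auth_required=False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper()}] {f.ip} ({f.site}): exposes {', '.join(f.protocols)}; "
              f"action: {MITIGATIONS[f.severity]}")
```

The corporate web server produces no finding because nothing in the ICS port table is open; the two unauthenticated panels are listed first so that the owner addresses the "no passwords at all" cases before the merely exposed ones.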
What follows is a set of real examples of unprotected and vulnerable Industrial Control Systems that have been left completely in the open for anyone to seize control of. Open access to these systems has now been disabled – after we contacted CISA, CERT, and their public and private owners.
Onshore oil wells
By accessing exposed onshore oil well ICS, we could take control of multiple oil silos and cause damage to the US energy supply by silencing alarms, opening and closing discharge gates, adjusting freefall setpoints, and more.
Coastal oil wells
Unprotected offshore oil well control systems gave a single access point to as many as five coastal oil wells. This is incredibly dangerous, as offshore oil rigs are particularly vulnerable to attacks “as they shift to unmanned robot platforms where vital operations […] are controlled via wireless links to onshore facilities.”
This means that in the event of a hostile takeover, there’s a likelihood that no human employees would be present to manually override the attackers’ commands.
Public water distribution system
We found an unprotected public water distribution system that would allow us to shut off the water supply for more than 600 people, causing a targeted water outage for an entire town that threat actors could potentially synchronize with arson attacks.
Public water treatment facilities
We discovered multiple water treatment facilities left out for anyone to access, allowing us to interfere with sanitization processes and potentially make drinking water unsafe to consume for more than seven thousand people in total.
A public sewer pump station
An exposed control panel allowed us to seize manual control of a sewer pump station in a town of more than 18,000 residents and potentially damage an entire town’s sewer system by adjusting sewage flow speeds or shutting the system altogether.
Significance of the discovery
Virtually anyone with a specific skill set and a special interest can cause harm to critical US infrastructure. From silencing alarms on oil wells, to infecting the water supply by shutting down disinfectant production, to causing town-wide or farm-wide water outages, such attacks could physically affect thousands of people.
In the face of a major geopolitical conflict, these systems can be used by state-sponsored actors to cause untold amounts of damage in the US – to the civilian population, the local economies, and the environment. Several countries are major players in attacking (or supporting cyberattacks on) US targets – Iran, China, and Russia (with Russia being the source of the most sophisticated cyber intrusions).
In the event of a conflict, domestic critical infrastructure would be on the front line of cyberwarfare against the US. In light of this, an up-to-date approach to the cybersecurity of critical US infrastructure should be a national security priority. While most American institutions and companies are well aware of the ever-growing threats from hostile actors, there is at present a lack of urgency and will to enforce adequate protection across all industrial control systems.
We notified CISA and CERT about the above vulnerabilities and contacted the public and private owners of these industrial control systems in January 2020. Open access to these systems has since been disabled.