by Stephen Hilt, Numaan Huq, Vladimir Kropotov, Robert McArdle, Cedric Pernet, and Roel Reyes
Energy and water are two of the most central critical infrastructures (CIs). Both sectors have undergone necessary changes to reflect the latest in technology and improve how natural resources are harnessed and distributed. At present, these changes are heading toward more interconnected systems, especially through the integration of industrial internet of things (IIoT) technologies. This continuing development in the energy and water sectors has allowed people and businesses to enjoy a more efficient and reliable flow of resources — but it has also made it more difficult to secure each significant system behind the infrastructures. As vulnerabilities in the systems behind CIs increase, specifically for supervisory control and data acquisition (SCADA) human machine interfaces (HMIs), it’s important to look at what risks these critical sectors face.
Using open source intelligence techniques (OSINT), we were able to get a glimpse of possible problem areas for the energy and water sectors. Using internet scanning (mainly through Shodan) and physical location mapping, we were able to identify a number of exposed and vulnerable HMIs, all of which are from small to medium businesses. What this tells us is how important cybersecurity is for each level of the supply chain as well as for each CI sector.
The complete results and accompanying images can be found in our report Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries. For this entry, we provide examples of the exposed HMIs we found in different subsectors that deal with energy and water in various regions of the world as well as implications of such exposure to the CI supply chain.
Exposed and Vulnerable HMIs
For the water sector, we found exposed HMIs from facilities all over the world. These exposed systems included monitoring and control interfaces from different water-related systems, namely water heating, geothermal, water pumping, water filtration, and seawater reverse osmosis and sterilization.
Figure 1. Screenshot of an exposed HMI for controlling/configuring a water treatment plant
There were several exposed subsectors for the energy-related systems as well: oil and gas, biogas, and power. Save for a single drilling rig in the Middle East, most of the exposed HMIs from the oil and gas sectors were from the U.S. These HMIs allowed us to view information such as real-time production levels and even critical controls like shutdown and reset options.
The exposed HMIs of biogas facilities we found were, understandably, from countries where this energy extraction method is prevalent: Germany, France, Italy, and Greece. These exposed HMIs were top-level menus bearing submenus on pump control, air-gas mixers, circulation, parameter adjustment, etc.
Figure 2. Screenshot of an exposed biogas HMI showing a top-level menu and available submenus
We were also able to find exposed power systems from Germany, Spain, Sweden, the Czech Republic, Italy, France, Austria, and South Korea. These systems included those from solar, wind, and hydroelectric plants. As with the other exposed HMIs, we found several monitoring interfaces, control interfaces, and even an exposed user database.
These findings imply that attackers could also monitor and use the information from these same systems. In addition, most of the exposed HMIs bear critical controls like temperature control and shutdown. Meaning, by gaining access to these HMIs, attackers can eventually directly interact with the systems and devices. The likelihood of an attack scenario is high due to what we observed: 1) only a few of these HMIs required user authentication; 2) these interfaces appear to be live (based on several Shodan screen caps); 3) interest in critical infrastructure ICS has been expressed in the chatter in underground web forums. The bottom-line being, all the mentioned HMIs are not only exposed but are also vulnerable.
Real-world and supply chain implications
From a broader perspective, because of the inherent importance of energy and water, attacks through the exposed and vulnerable systems described above could have far-reaching effects. One attack could cascade failures further down the supply chain or propel attackers to move on to bigger targets. Three possibilities are detailed below:
- Shortage of supply and service distribution in the same sector. For example, should water treatment plants or power plants with vulnerable top-level domain menus be tampered with, it would directly affect the overall supply these infrastructures provide to their respective regions. Smaller companies also provide resources for larger companies; therefore, an unexpected shortage of supply could impede the operations of these bigger companies.
- Disruption in other CI sectors. Interdependencies and dependencies that exist between CIs further extend the influence of one compromised system to the supply of other types of resources. In this case, an unnoticed tampering in a water purification plant could easily have cascading effects to the food and health industries. Likewise, a sudden shortage in oil and gas could directly affect the transportation industry.
Figure 3. Cascading effects of an attack on the supply chain
Based on “Critical Infrastructure: Understanding Its Component Parts, Vulnerabilities, Operating Risks and Interdependencies,” chapter 2, page 100
- SMBs used as testing ground for larger organizations. Even though larger companies seem less likely to have exposed devices on the internet due to their greater cybersecurity awareness, their similarity in operations and equipment with smaller companies make the latter an enticing testing and learning ground for attackers.
For the purpose of research, these findings all came from pure observation of the exposed HMIs. However, cybercriminals are motivated differently and will cause real damage despite the consequences. It is important therefore for organizations in the two sectors to defend against the mentioned threats while still theorized. The existence of exposed and vulnerable HMIs serves as a reminder for small and medium businesses that all those who contribute and benefit from a supply chain are equally important players in its overall security. For larger organizations, it highlights the need to ensure equally secure third-party suppliers because a security mindset must be extended beyond the margins of the company.
To get a fuller understanding on this topic, read our paper Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries, where we provide a comprehensive description of exposed HMIs in several subsectors of the water and energy sectors and the nature of discussions on CI systems in underground forums. We also provide a review of security strategies to better protect ICSs and supply chains.