With analysis and research by Stephen Hilt (Independent Researcher)
Even as attacks on SCADA devices have become more public, devices are constantly being reported as Internet-facing and thus vulnerable to attacks. Very little security is implemented on these devices, making them perfect targets of opportunity. Recently, Internet-facing gas station pumps gained some attention when several articles exposing the availability of these devices were published online.
Figure 1. Webserver of some of the pump monitoring systems
After performing our own research, independent researcher Stephen Hilt and I wondered if attackers are actively attempting to compromise these Internet-facing gas pump monitoring systems. We began searching for these devices to see if we could glean any intelligence on attacks that have occurred against these devices.
The Guardian AST Monitoring System is a device designed to monitor inventory, pump levels, and assorted values of pumping systems typically found in gas stations. The pump systems support a variety of products and data points to monitor within the device, which are often easily accessed through the Internet. These are typically deployed online for easy remote monitoring and management of gas providers.
These monitoring devices are deployed at many gas stations in the U.S. and worldwide. One important note is that these devices support six-digit PINs to secure access to them.
Figure 2. List of products monitored by the Guardian Pump Monitoring System
Gas Pump Hunting
When investigating and hunting for gas pumps, attackers use a multitude of tools and techniques to find and track these devices. One of these tools, which is quite prominent, is the site Shodan, which is a “search engine for Internet-connected devices.” Queries in Shodan will show a multitude of data points including tank name, command issued, volume, height, water, and the temperature of the tank.
Figure 3. Example of Shodan output for a pump monitoring system
In addition to using Shodan for hunting, attackers have been witnessed using Nmap, the popular port-scanning tool, against port 10001.
Overall statistics derived from Shodan are concerning. At the time of writing, over 1,515 gas pump monitoring devices were exposed to the Internet worldwide, all of them lacking security measures that prevent access by unauthorized entities. The U.S. accounts for 98% of Internet-facing devices.
Figure 4. Percentage of exposed pump monitoring systems on the Internet by country
Possible Anonymous Attacks Against Gas Pump Monitoring Systems
With the increased notoriety of SCADA systems, attacks have increased at a dramatic pace. This also holds true for the Guardian ASTs. When investigating possible attacks, we first went to Shodan, our trusty search engine. Fairly quickly, we found evidence of tampered devices.
Figure 5. Possible Anonymous attack against a pump name at a US gas station
It became apparent that an attacker had modified one of these pump-monitoring systems in the U.S. This pump system was found to be Internet facing with no implemented security measures. The pump name was changed from “DIESEL” to “WE_ARE_LEGION.” The group Anonymous often uses the slogan “We Are Legion,” which might shed light on possible attributions of this attack. But given the nebulous nature of Anonymous, we can’t necessarily attribute this directly to the group.
An outage of these pump monitoring systems, while not catastrophic, could cause serious data loss and supply chain problems. For instance, should a volume value be misrepresented as low, a gasoline truck could be dispatched to investigate low tank values. Empty tanks could also be shown as full, resulting in gas stations having no fuel.
We have previously discussed how unsecured personal IoE devices, such as surveillance cameras, come with their own set of security issues. But those issues pale in comparison to unsecured SCADA devices, where one vulnerability can result in critical errors and damage.
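The tampering described above (a changed tank label, or a misreported volume) can be caught by comparing each inventory snapshot with a baseline kept off the device. The following is an added example, not code from the original article or from the device vendor; the "tank,product,volume" record format, the baseline, the threshold and the sample snapshots are all constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical baseline of tank labels, kept by the operator off the device.
BASELINE = {1: "UNLEADED", 2: "PREMIUM", 3: "DIESEL"}

# Constructed snapshots in an assumed "tank,product,volume" export format
# (this is not the monitoring system's own wire format).
PREVIOUS = "1,UNLEADED,6200\n2,PREMIUM,4100\n3,DIESEL,5300"
CURRENT = "1,UNLEADED,6150\n2,PREMIUM,9000\n3,WE_ARE_LEGION,300"

@dataclass(frozen=True)
class Reading:
    tank: int
    product: str
    volume: float

def parse_snapshot(text):
    """Parse one snapshot; a malformed line raises ValueError."""
    readings = []
    for line in text.strip().splitlines():
        tank, product, volume = (field.strip() for field in line.split(","))
        readings.append(Reading(int(tank), product, float(volume)))
    return readings

def audit(previous, current, deliveries=frozenset(),
          baseline=BASELINE, max_jump=2500.0):
    """Return (tank, finding, detail) tuples for labels or volumes that
    differ from what the operator expects."""
    findings = []
    before = {r.tank: r for r in previous}
    for r in current:
        expected = baseline.get(r.tank)
        if expected is None:
            findings.append((r.tank, "unknown-tank", r.product))
        elif r.product != expected:
            findings.append((r.tank, "label-changed", f"{expected} -> {r.product}"))
        old = before.get(r.tank)
        # A large change with no recorded delivery is a misreport candidate.
        if (old is not None and r.tank not in deliveries
                and abs(r.volume - old.volume) > max_jump):
            findings.append((r.tank, "volume-jump", f"{old.volume} -> {r.volume}"))
    for tank in sorted(set(baseline) - {r.tank for r in current}):
        findings.append((tank, "tank-missing", baseline[tank]))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_snapshot(PREVIOUS), parse_snapshot(CURRENT),
                         deliveries={2}):
        print(finding)
```

Tank 2's large increase is not flagged because a delivery is recorded for it, while tank 3 is flagged for both its renamed label and its unexplained drop.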
The results of our investigation are interesting on two levels. One would be the fact that an attack was possibly carried out by the group Anonymous or people claiming to be part of the group. But on another level, our investigation reveals that Internet-facing devices are actually being attacked. Discussions regarding Internet-facing devices often revolve around possible, hypothetical scenarios. We now have proof that these scenarios are possible, and worse, actually occurring in real life.
Our investigation shows that the tampering of an Internet-facing device resulted in a name change. But sooner or later, real-world implications will occur, causing possible outages or even worse. Hopefully, with continued attention to these vulnerable systems, the security profile will change. Ideally, we will start seeing secure SCADA systems deployed, with no Internet-facing devices.
We are continuing to monitor these concerning events, and will report additional findings in a forthcoming report.
We would like to thank Independent Researcher Stephen Hilt for his contributions and expertise to this article.