Eireann Leverett, a computer science doctoral student at Cambridge University, wrote a paper called Quantitatively Assessing and Visualising Industrial System Attack Surfaces, in which he detailed how he managed to map the large number of potentially critical infrastructures, using a tool he had developed in a period of six months, Wired reports.
“Vendors say they don’t need to do security testing because the systems are never connected to the internet; it’s a very dangerous claim,” Leverett said at the S4 conference.
“Vendors expect systems to be on segregated networks — they comfort themselves with this. They say in their documentation to not put it on an open network. On the other side, asset owners swear that they are not connected.”
His fairly limited research prevented him from determining exactly how many of the 10,358 ICSes he found represented working critical infrastructure systems, but he did come across a few that belong to water utilities in Ireland and sewage facilities in Canada.
Not only many of the systems were exposed to the public Internet and all the dangers that come with this practice, but around 83% of the systems he located didn’t even request authorization credentials when accessed.
Since he’s no hacker and since he didn’t want to be confused with one, Leverett passed the information he had obtained to the Department of Homeland Security (DHS) which contacted the systems’ owners.
His tool works by searching for the names of popular ICSs and by determining their date, time zones and server versions, it can pinpoint the location and type of a system. Also, the tool could determine if a system is patched and secured, but the researcher couldn’t establish this without accessing them.