A survey of connected Scada computers identified that 500,000 machines could potentially be targeted.
The survey, carried out by Bob Radvanovsky and Jacob Brodsky of security consultancy InfraCritical and featured on BBC News, saw the men write a series of scripts that interrogated the Shodan search engine using 600 terms compiled from lists of Scada manufacturers and the names and product numbers of the control systems they sell.
From this, the survey identified 500,000 potential targets and, after working with the US Department of Homeland Security, determined the 7,200 most important targets, which are being contacted.
According to details originally featured by Threatpost, Radvanovsky and Brodsky found not only devices used for critical infrastructure such as energy, water and other utilities, but also Scada devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums.
This research was filed in a report by the US Department of Homeland Security's industrial control systems cyber emergency response team (ICS-CERT), which highlighted the control systems used by critical infrastructure in the US that are susceptible to attack from viruses and other malware.
The report claimed that "internet facing control systems devices were also an area of concern in 2012", as the ICS-CERT said that it worked with tools such as Shodan and ERIPP to identify and locate internet-facing control system devices that may be susceptible to compromise.
For another experiment, the report credited researcher Eireann Leverett, who used Shodan to identify over 20,000 ICS-related devices that were directly IP addressable and vulnerable to exploitation through weak or default authentication. This research found that a large portion of the internet-facing devices belonged to state and local government organisations, while others were based in foreign countries.
Speaking to SC Magazine in 2011, Dominic Storey, EMEA technical director at Sourcefire, said that there is no best practice for connecting network security layers for Scada-based systems, and no way of looking for connected sensors or what came from a sensor.
“Also, think of Scada as a hardware system, nine times out of ten it is an old Windows system, so often there are vulnerabilities. Technology needs to be proactive and able to take action,” he said.
Chris McIntosh, CEO of ViaSat UK, said: “This highlights a great weakness in critical infrastructure both in the US and beyond: security is still firmly rooted in the 20th century. While this is fine for physical security, the interconnectivity of the grid and the trend toward distribution automation, [it has] granted malicious attackers a multitude of ways to cause major disruptions.
“With an interconnected grid, a single vulnerable utility becomes a weakness for every single part. As mentioned previously by the US Department of Homeland Security, malware can lurk for months before detection: companies should be working on the assumption that their systems have already been compromised and plan accordingly.
“Protection of the network must go beyond typical IT solutions, and address the unique nature of these interconnected systems. Encryption of data in transit and rigorous authentication protocols, for example, should become de rigueur. The genie of cyber warfare is out of the bottle: organisations now need to get their heads out of the sand.”
The security of critical infrastructure may be a key theme for 2013 after a year when major espionage tools were detected. The impact upon systems such as Scada, which was such a key part of the Stuxnet infections, may prove to be a telling point when it comes to critical national infrastructure security.