Monthly Archives: September 2012

Low-Medium Critical Infrastructure Security

As the Internet says

                              Security is only as strong as its weakest link.

While researchers are busy analyzing Stuxnet and Duqu, a wide range of ICS devices sit on the internet with little or no security at all. Current research covers only the highly critical targets, while low-to-medium critical targets are almost ignored. I wouldn't say the researchers' strategy is wrong; it is the right choice to protect an oil refinery from an intruder rather than the water treatment plant of a golf course. But it should be the vendors' responsibility to protect against such attacks, and it doesn't take path-breaking research to protect these low-to-medium critical devices: the right architecture and the right configuration are all that is needed.

I don't know how many would believe me if I say I've seen this thing many times before the news even broke. It was just hanging around in Shodan. The default password was 100 or 101, I believe, if my memory cells are still intact. One does not need a sophisticated NIDS to protect the infrastructure of these devices, since they are hardly targeted by industrial or political espionage or terror attacks. People who hijack these devices are simple script kiddies or psychopaths.

I'm not saying that the security of low-to-medium critical systems should be taken lightly, but rather than leaving them alone without any protective measures, I think a few very basic steps by the vendors or the infrastructure admin would, for the time being, keep those script kiddies away.

By basic solutions I mean:

* Make VPN support available out of the box, so the device never has to be reachable directly from the internet.

* A login banner that shows the last logged-in time, IP address and host name, so an owner notices a stranger has been in.

* Strong passwords, with the vendor default changed before the device goes online.

* Clean or deceptive banners; after all, that is how Shodan identifies you. (This only hides you from banner indexing, not from anyone who speaks the device's own protocol, so it complements the VPN rather than replacing it.)

* Strip out legacy services like FTP and SNMP.

* A sticker which says "Do not connect this thing to the internet without a basic VPN" 🙂
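The checklist above is something an admin can actually audit a device against. The script below is an added example, not code from the original post: it takes a constructed, Shodan-style record of a device (open ports with their banners, the admin password, whether it sits behind a VPN, whether the login banner reports the last login) and reports which items on the list it fails. The two sample hosts, the banner fingerprint patterns, the default-password list and the choice of Telnet and TFTP as additional legacy services are all assumptions made for the example; the fingerprints are not Shodan's real signatures.

```python
"""Audit a constructed ICS host record against the checklist in the post.

Added example (not from the original post). Hosts, fingerprints and
password lists below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Services the post says to strip (FTP, SNMP). Telnet and TFTP are added
# here as an assumption, being equally common on older ICS gear.
LEGACY_SERVICES = {21: "FTP", 23: "Telnet", 69: "TFTP", 161: "SNMP"}

# Illustrative banner keywords of the kind a search engine keys on.
# These are assumptions for the example, not Shodan's actual signatures.
FINGERPRINTS = [re.compile(p, re.IGNORECASE) for p in (
    r"\b(plc|scada|hmi|rtu)\b",
    r"\b(modbus|dnp3|bacnet)\b",
)]

# Vendor defaults; 100 and 101 come from the post, the rest are assumed.
DEFAULT_PASSWORDS = {"", "100", "101", "admin", "password", "1234"}


@dataclass
class Host:
    ip: str
    services: dict                  # port -> banner text as seen from outside
    admin_password: str
    behind_vpn: bool                # only reachable through a VPN tunnel?
    login_banner_shows_last_login: bool


def is_identifying(banner):
    """True if the banner leaks a keyword an indexer would fingerprint."""
    return any(p.search(banner) for p in FINGERPRINTS)


def password_is_strong(pw):
    """At least 12 characters and three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    present = sum(1 for c in classes if re.search(c, pw))
    return len(pw) >= 12 and present >= 3


def audit(host):
    """Return the checklist items the host fails, in a fixed order."""
    findings = []
    if not host.behind_vpn:
        findings.append("reachable without VPN")
    for port, banner in sorted(host.services.items()):
        if port in LEGACY_SERVICES:
            findings.append(f"legacy service {LEGACY_SERVICES[port]} on port {port}")
        if is_identifying(banner):
            findings.append(f"identifying banner on port {port}: {banner!r}")
    if host.admin_password in DEFAULT_PASSWORDS:
        findings.append("default password")
    elif not password_is_strong(host.admin_password):
        findings.append("weak password")
    if not host.login_banner_shows_last_login:
        findings.append("no last-login banner")
    return findings


# Constructed sample: the kind of device the post describes finding in Shodan.
EXPOSED = Host(
    ip="192.0.2.10",
    services={
        21: "220 ACME PLC FTP server ready",
        80: "HTTP/1.0 200 OK\r\nServer: ACME HMI Web/3.2",
        161: "SNMPv2c public",
    },
    admin_password="100",
    behind_vpn=False,
    login_banner_shows_last_login=False,
)

# Constructed sample: the same device after applying the checklist.
HARDENED = Host(
    ip="192.0.2.10",
    services={443: "HTTP/1.1 200 OK\r\nServer: Authorized access only"},
    admin_password="Tr4nsf0rmer-St4tion!2012",
    behind_vpn=True,
    login_banner_shows_last_login=True,
)

if __name__ == "__main__":
    for host in (EXPOSED, HARDENED):
        print(host.ip, "->", audit(host) or "passes checklist")
```

Run as a script it prints seven findings for the exposed record and "passes checklist" for the hardened one. The banner check is deliberately keyword-based to mirror the post's point: a device that stops announcing itself as a PLC or HMI drops out of banner-driven indexing, which buys time but is no substitute for the VPN item at the top of the list.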
