<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Discoverability of Exposed Industrial Control Systems</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Fabrizio d'Amore</string-name>
          <xref ref-type="aff" rid="aff2">2</xref>
          <xref ref-type="aff" rid="aff3">3</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Paolo Forte</string-name>
          <email>paoloforte.ics@gmail.com</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Antonio Pisano</string-name>
          <email>antonio.pisano@leonardocompany.com</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Independent researcher</institution>
          ,
          <addr-line>00100 Rome</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Leonardo</institution>
          ,
          <addr-line>Piazza Monte Grappa 4, 00195 Rome</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>SOCINT, c/o Università della Calabria</institution>
          ,
          <addr-line>Cubo 18-b, 7th floor, 87036 Arcavacata di Rende (CS)</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
        <aff id="aff3">
          <label>3</label>
          <institution>Sapienza University of Rome</institution>
          ,
          <addr-line>DIAG, Via Ariosto 25, 00185 Rome</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
      </contrib-group>
      <fpage>65</fpage>
      <lpage>79</lpage>
      <abstract>
        <p>The incautious connection to the Internet of any unprotected Industrial Control System (ICS) is enormously risky, especially if those belong to critical infrastructures like the national power grid. The goals of this work are to revise a methodology for estimating the exposure of the ICSes over the Internet, which we apply to the Italian network, and to raise awareness about this subject. In order to estimate such an exposure, our approach followed different phases. First, we studied the working principles and the technology of industrial control systems. Then, a list of the main ICS protocols was drawn up. Finally, we investigated the exposure of each ICS protocol over the Italian IP address space by querying Shodan's database for protocol-specific features (e.g., TCP/UDP ports, headers). Besides, we investigated the exposure of IT technologies commonly used for monitoring and managing ICSes (e.g., web HMI and remote desktops).</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>With IT services representing a substantial part of any business process, many actors have proved
themselves able to threaten the IT surface of public and private sectors, showing that it is possible
to wreak havoc through world-wide cyber-attacks even against critical infrastructures; besides,
attackers are hard to identify as in many cases their attacks can be carried out with low-cost
technology. Among critical infrastructures such as transportation, health and communications,
the most sensitive are without doubt energy and water infrastructures. Just consider how
effective a cyber-attack could be that manages to disrupt energy or water distribution inside a
country, causing a domino effect that would affect all the other national infrastructures.</p>
      <p>A typical under-estimated risk comes from the incautious connection of not adequately
protected devices to the Internet. It is known that cyber-attacks are mostly directed against the
IT domain, that is the ordinary corporate network made of servers, databases, endpoints and
network devices. Nonetheless, the equivalent OT domain (i.e. the ensemble of software and
hardware used to monitor and control all the physical processes running in an industrial
environment) represents in many ways an even more critical and strategic target for cyber-attacks.
That is because OT systems very often do not benefit from the same cyber-protection commonly
implemented in IT systems, despite their criticality. The causes are several: responsible
parties’ lack of knowledge, technical complexity or just pure negligence. Furthermore, considering
that OT systems are often not designed to be resilient to cyber risks, it goes without saying
that leaving them underprotected and accessible via the public internet makes it easier for an
attacker to map and exploit them. Even worse, this could pave the way for stealthy cyber-attack
planning and homeland security risks.</p>
      <p>
        Now more than ever this risk is real and even short disruptions of the processes running in an
industrial context could cause huge economic losses. For instance, if such disruptions affected
(as already occurred) national power plants and power grids, they could cause nation-wide
power outages. Analogous themes about the online exposure of ICSes around the world and
the connected cyber risks have been addressed in [
        <xref ref-type="bibr" rid="ref1 ref2 ref3 ref4">1, 2, 3, 4</xref>
        ]. Also, according to [
        <xref ref-type="bibr" rid="ref5 ref6">5, 6</xref>
        ] which
took into account the most significant cyber threats worldwide, the number of attacks against
ICSes will grow in the near future. Various threat actors will be targeting ICSes, among which
state-sponsored groups will play an important role due to their interest in foreign critical
infrastructure monitoring. Such an interest comes from the fact that, although being extremely
sensitive targets, ICSes are inherently hard to secure.
      </p>
      <p>Therefore, it is essential to adequately protect ICSes and in order to achieve that the main
requirement is to maintain an updated view of ICSes exposure over a nation-wide IP address
space. The main contribution of this work is to estimate such an exposure within the Italian
IP address space, in order to raise awareness about this cyber risk and to inform the audience
about the importance of securing ICSes.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Preliminaries</title>
      <p>No matter the type, it is never appropriate to leave a device exposed over the Internet, let alone
if such a device belongs to ICSes. Yet, this simple rule is not always respected and many devices
widely expose their services.</p>
      <p>
        Right now, a large number of ICSes is exposed online and it is very easy to find them by using
search engines freely available online, whether generic like Google or specific like Shodan [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ].
The activity just described is known as Reconnaissance and it is the first step that an attacker
makes when trying to carry out an attack, regardless of the nature of the attacker (e.g.
state-sponsored groups, criminals or hacktivists). Reconnaissance enables the attacker to estimate
the attack surface of the target, therefore it is extremely important to minimize and protect the
attack surface of any ICS.
      </p>
      <p>
        Just to further prove our point we mention a noteworthy and quite recent episode that was also
reported by numerous publications and newspapers. As stated by the American “Department of
Justice”, in 2016 a grand jury indicted seven Iranian individuals that performed work on behalf
of the Iranian Government on computer hacking charges related to their involvement in an
extensive DDoS campaign of over 176 days, among which one was charged with obtaining
unauthorized access into the SCADA systems of the Bowman Dam, a small dam located in Rye,
New York, United States, in 2013. Specifically, we read in the Press Release:
“Between Aug. 28, 2013, and Sept. 18, 2013, [the hacker - Ed.] repeatedly obtained
unauthorized access to the SCADA systems of the Bowman Dam, and is charged with
one substantive count of obtaining and aiding and abetting computer hacking. This
unauthorized access allowed him to repeatedly obtain information regarding the status
and operation of the dam, including information about the water levels, temperature
and status of the sluice gate, which is responsible for controlling water levels and
flow rates. Although that access would normally have permitted [the hacker - Ed.] to
remotely operate and manipulate the Bowman Dam’s sluice gate, [the hacker - Ed.] did
not have that capability because the sluice gate had been manually disconnected for
maintenance at the time of the intrusion. Remediation for the Bowman Dam intrusion
cost over $30,000.” [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ]
      </p>
      <p>
        As reported in [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ], the hacker broke into the control system of the dam in 2013 through
a cellular modem. That could mean that the Bowman Dam’s operators likely used a mobile
subscription line to expose the control system of the dam over the Internet in order to be able to
perform remote management. We believe this episode proves without a doubt that the interest
of the threat actors in compromising even small ICSes is absolutely real.
      </p>
      <p>The goal of this work is to estimate as precisely as possible the exposure of ICSes in the
case of the Italian IP address space, in full compliance with the Italian law.</p>
      <p>According to the Italian mechanism, we notified the exposures to CSIRT (Computer Security
Incident Response Team - Italia), following what is published on its web page.<sup>1</sup> CSIRT belongs
to the Italian national security and notifies interested actors without revealing the source.</p>
    </sec>
    <sec id="sec-3">
      <title>3. Approach and methodology</title>
      <p>
        The approach of our work followed five phases. In the first phase, we studied the technological
background, the peculiarities and the typical problems behind the ICSes and the OT network
architectures. In the second phase, we identified the most used ICS communication protocols
(or devices that run very identifiable network services) and studied their working principles:
Automatic Tank Gauges (ATG), BACnet [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ], Codesys [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ], Red Lion’s Crimson [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ], DNP3 [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ],
Ethernet/IP [14], Omron’s Fins [15], Tridium’s Niagara Fox, General Electric’s SRTP (GE-SRTP),
IEC 60870-5-104 (IEC 104) [16], KNXnet/IP (KNX) [17], Mitsubishi Melsec-Q’s proprietary
protocol (Melsec-Q), Modbus [18], NPort Moxa serial device servers, OPC Unified Architecture
(UA) [19], Phoenix Contact’s PCWorx proprietary protocol, KW Software’s ProConOS runtime
system, Siemens’ S7comm, XPort Lantronix serial device servers.
      </p>
      <p>In the third phase, we set up everything we needed to discover the exposed ICSes: we chose
the search engine Shodan as the most appropriate tool to discover the ICSes exposed over the
Italian IP address space, we selected a list of features to fingerprint each ICS protocol, and we
developed the software to automate the data gathering and the surveying. Specifically, we built
the queries to interrogate Shodan’s database in order to identify the most commonly used ICS
protocols. Each query was made of filters and keywords: the filters guided the search scope,
while the keywords were the features that Shodan sought inside the content of the banners.
A wise use of both filters and keywords enabled us to unequivocally identify the occurrences
of the ICS protocols under analysis, to restrict the search scope to the Italian IP address space
only, to remove any known honeypot and to limit the number of false positives. Precisely, in
order to remove as many false positives as possible, the search was carried out only over the
standard ports that pertain to the ICS protocols under analysis. Even though this constraint
could have caused us to miss some findings, we ascertained this to be a
very low chance event. Table 1 collects the core parts of all the queries we used to interrogate
Shodan’s database. To automate the process, we coded appropriate Python scripts for querying
Shodan’s API. When queried, Shodan returns a JSON object containing all the matching services
found online along with elements such as the IP address, the estimated location, the service
banner, the last-seen timestamp and lots of other information related to any distinct service
that matched the query. We further analyzed each IP address in order to discover the exposure
of other services running on the same IP address (e.g., web server, remote desktop and so on).</p>
      <p><sup>1</sup> https://csirt.gov.it/segnalazione, in Italian.</p>
      <p>In the fourth phase, we performed the actual data gathering operations, querying
Shodan’s database and collecting all the matches. We also performed some additional
searches in order to detect any HMI exposed online over typical IT protocols like HTTP and
VNC. The data collected and presented in this work was gathered during the first week of March
2020.</p>
      <p>Lastly, in the fifth phase we analyzed the data just obtained, ascertained that the dataset was
clear of any remaining inconsistent information, duplicates and honeypots, extracted some
statistics and identified several noteworthy findings such as some management interfaces of
devices belonging to ICSes used for the electric power generation.</p>
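      <p>The clean-up and counting steps of phases three to five, as an added Python example that is not the authors' software: it takes per-protocol result records shaped like Shodan banner JSON, keeps only matches on the protocol's standard port, drops honeypot-tagged and duplicate records, and reports services, distinct addresses and ISP share. The port map is a small assumed subset, the field names (ip_str, port, isp, tags, timestamp) are assumptions about the export, and the sample records are constructed.</p>

<preformat>
```python
"""Added example: cleaning and summarising Shodan-style result records."""
import json
from collections import Counter

# Assumed subset: standard ports of some protocols named in the text.
STANDARD_PORTS = {
    "modbus": {502}, "s7comm": {102}, "dnp3": {20000},
    "iec-104": {2404}, "bacnet": {47808}, "knx": {3671},
}

# Constructed sample: results grouped by the protocol query that returned them.
# Addresses come from the documentation ranges; ISP names are made up.
SAMPLE_RESULTS = json.loads("""
{
  "modbus": [
    {"ip_str": "192.0.2.10", "port": 502, "isp": "MobileNet-A",
     "tags": ["ics"], "timestamp": "2020-03-02T10:00:00"},
    {"ip_str": "192.0.2.10", "port": 502, "isp": "MobileNet-A",
     "tags": ["ics"], "timestamp": "2020-03-04T08:30:00"},
    {"ip_str": "192.0.2.11", "port": 5020, "isp": "Fixed-B",
     "tags": [], "timestamp": "2020-03-03T12:00:00"},
    {"ip_str": "198.51.100.7", "port": 502, "isp": "Fixed-B",
     "tags": ["honeypot"], "timestamp": "2020-03-03T09:15:00"}
  ],
  "s7comm": [
    {"ip_str": "192.0.2.10", "port": 102, "isp": "MobileNet-A",
     "tags": ["ics"], "timestamp": "2020-03-05T11:00:00"},
    {"ip_str": "203.0.113.5", "port": 102, "isp": "Business-C",
     "tags": null, "timestamp": "2020-03-01T07:45:00"}
  ],
  "knx": [
    {"ip_str": "203.0.113.9", "port": 3671, "isp": "MobileNet-A",
     "timestamp": "2020-03-06T16:20:00"}
  ]
}
""")


def clean(results):
    """Return one record per (ip, port, protocol), newest sighting kept.

    Records off the protocol's standard port are treated as likely false
    positives and dropped, as are records tagged as honeypots.
    """
    latest = {}
    for protocol, records in results.items():
        allowed = STANDARD_PORTS.get(protocol, set())
        for rec in records:
            if rec["port"] not in allowed:
                continue
            if "honeypot" in (rec.get("tags") or []):
                continue
            key = (rec["ip_str"], rec["port"], protocol)
            # ISO 8601 timestamps in one format compare correctly as strings.
            if key not in latest or rec["timestamp"] > latest[key]["timestamp"]:
                latest[key] = dict(rec, protocol=protocol)
    return sorted(latest.values(), key=lambda r: (r["ip_str"], r["port"]))


def summarise(services):
    """Count services and distinct addresses; compute ISP share per address."""
    ip_isp = {}
    per_ip = Counter()
    for svc in services:
        ip_isp.setdefault(svc["ip_str"], svc.get("isp") or "unknown")
        per_ip[svc["ip_str"]] += 1
    total_ips = len(ip_isp)
    isp_counts = Counter(ip_isp.values())
    return {
        "services": len(services),
        "addresses": total_ips,
        "by_protocol": dict(Counter(s["protocol"] for s in services)),
        "isp_share_pct": {isp: round(100 * n / total_ips, 2)
                          for isp, n in isp_counts.most_common()},
        # One address exposing several ICS services explains why the
        # service count can exceed the address count.
        "multi_service_ips": sorted(ip for ip, n in per_ip.items() if n > 1),
    }


if __name__ == "__main__":
    print(json.dumps(summarise(clean(SAMPLE_RESULTS)), indent=2))
```
</preformat>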
    </sec>
    <sec id="sec-4">
      <title>4. Results and discussion</title>
      <sec id="sec-4-1">
        <title>4.1. ICS Services</title>
        <p>As shown in Table 2, we detected 6038 ICS services exposed online over 5936 IP addresses
belonging to the Italian IPv4 address space. It is important to highlight that the number of
matching addresses varies and grows over time, therefore our results are to be understood as a
reference value and a potential lower bound of the actual number of ICS services currently
exposed over the Internet.</p>
        <p>It is hard to understand the actual purpose of the services we found given that most of those
can be employed in many different fields. As shown in Figure 1, without a doubt most of the
findings are related to building automation systems belonging to industrial, commercial or
domestic entities; examples of this are the high number of KNX gateways, widely used in home
automation systems, or the high number of Fox and BACnet interfaces, both employed in BASs
and HVAC systems. The second most observed services belong to those industrial entities
that make extensive use of automation systems (e.g., manufacturing but also energy industry), as
evidenced by the high number of services like Modbus, Codesys, PCWorx, S7comm, Ethernet/IP,
Fins, OPC UA, GE-SRTP, ProConOS, Crimson and Melsec-Q. About DNP3 and IEC-104, it is
known that these protocols are employed almost exclusively in the power distribution field,
therefore it goes without saying that their online exposure is highly risky. Finally, we can
even pinpoint the online exposure of some gas stations, as shown by the ATG devices that are
purposely designed to monitor fuel tanks. All 6038 services are to be considered vulnerable and
at-risk simply because they are exposed online.</p>
        <p>Table 3 shows the first 10 ISPs, which serve 82.61% of the 5936 total IP addresses found. First,
it can be noticed that 52.28% of the IP addresses refer to mobile customers (i.e. Telecom
Italia Mobile, Vodafone Italia and Wind Tre); these kinds of subscription are typically more
expensive and lower-performing than wired ones, suggesting that those systems are likely placed
in areas that cannot be cabled and the only option for the owners was a mobile subscription
line. Second, without a doubt at least 13.64% of the IP addresses belong to business entities due
to the fact they are served by Telecom Italia Business. All remaining 1032 IP addresses belong
to smaller ISPs or to other entities, among which we identified 109 IP addresses assigned to
universities and research institutes. The sole analysis of the IP addresses did not enable us to
obtain further information about the owners of the exposed devices.</p>
        <p>Lastly, although Shodan claimed to be able to geolocate the IP addresses, we ascertained
that the coordinates found by Shodan were very often incorrect; specifically, we tested Shodan’s
geolocation functionality on some IP addresses of which we already knew the exact locations,
and found wide inconsistency in Shodan’s results. We believe that the causes behind this
inconsistency might be the large number of mobile subscription lines already shown in Table 3
and the unknown identities of the assignees of the IP addresses (which are mainly assigned
to the ISPs). Probably Shodan’s algorithm confuses the actual location of the device with the
location of the ISP’s Point of Presence. It could also be that this simply represents a limit of
Shodan and perhaps other paid services could better pinpoint the correct locations of the IP
addresses.</p>
      </sec>
      <sec id="sec-4-2">
        <title>4.2. IT Services</title>
        <p>As previously stated, starting from the data already collected and performing additional targeted
searches, we conducted a survey about the exposure of ICS services over typical IT protocols
like HTTP and VNC. Specifically, here we refer to HMIs and other management systems that
were left reachable by anyone over the Internet. The variety of these systems, which are often
customized, makes it difficult to quantify them in an automated fashion. However, they are
extremely easy to find for someone who knows the right keywords. Many of such systems are
protected by weak password-based authentication mechanisms, though the vast majority have
no authentication at all: at the time of writing, there are 353 VNC servers in Italy that do not
even ask for a password.</p>
        <p>Here we show some of the most noteworthy findings, properly anonymized and grouped
by field of application. In full compliance with the Italian law, we state one more time that
the services were lacking any authentication mechanism, that we never even attempted to
access any device that had any kind of authentication mechanism deployed, and that we simply
browsed the services without executing any command or modifying any setting. Although
what follows is serious, we decided to present it anyway because we believe that the reader
might understand better the severity of this topic by looking at an actual graphical management
interface exposed online than by simply looking at some cold cryptic banner of a random
communication protocol. In any case, we want to stress that both cases are equally severe.</p>
        <sec id="sec-4-2-1">
          <title>4.2.1. Wind Power</title>
          <p>Thousands of web servers for managing different kinds of wind turbines and wind farms were
found exposed over the Italian part of the Internet and the vast majority of those were protected
by simple password-based authentication mechanisms. However, many web servers were still
found totally unprotected. For instance, Figure 2 shows a web interface from where it seemed
possible to alter the settings of a wind turbine belonging to a wind farm made of 11 more
turbines. From the same web interface it was also possible to monitor the status of the wind
turbine and apparently even to start or stop the turbine’s blades. This specific management
software was found exposed on 4 other IP addresses connected to wind turbines belonging
to wind farms all located in different places. Figure 2 shows another case of a wind turbine
whose HMI was remotely controllable via VNC over the RFB protocol; apparently, it would have
been possible to start or stop the turbine, or to press a baffling “emergency” button. Further
examining the services exposed by the IP address of the latter case, we also found a video
stream over RTSP of the inside of the wind turbine and an SSH server. Knowing that the SSH
public keys are often hardcoded in software and shared among similar devices of the same
brand, we queried Shodan’s database for this specific SSH fingerprint and we found 30 more IP
addresses connected to other remote management systems installed in solar and wind farms
or hydro-power plants. However, this time all systems were implementing authentication via
password.</p>
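          <p>A defender-side check for the host-key reuse described above, as an added Python example that is not part of the original paper: given an operator's own device inventory in ssh-keyscan output format, it fingerprints each public key and lists the fingerprints that appear on more than one device. Hostnames and key material are constructed, and the helper names are hypothetical.</p>

<preformat>
```python
"""Added example: flag SSH host keys shared by several devices."""
import base64
import binascii
import hashlib
from collections import defaultdict


def make_blob(key_type, key_bytes):
    """Build a base64 SSH public key blob (length-prefixed type, then key)."""
    parts = (key_type.encode(), key_bytes)
    raw = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return base64.b64encode(raw).decode()


# Constructed inventory, one "host keytype base64" entry per line.
# Three devices carry the same key, as firmware with a baked-in key would.
VENDOR_KEY = make_blob("ssh-ed25519", bytes(range(32)))
UNIQUE_KEY = make_blob("ssh-ed25519", bytes(range(32, 64)))
SAMPLE_INVENTORY = "\n".join([
    "# constructed inventory of an operator's own devices",
    "turbine-gw-01.example ssh-ed25519 " + VENDOR_KEY,
    "turbine-gw-02.example ssh-ed25519 " + VENDOR_KEY,
    "solar-hmi-01.example ssh-ed25519 " + VENDOR_KEY,
    "hydro-hmi-01.example ssh-ed25519 " + UNIQUE_KEY,
    "broken-entry.example ssh-rsa not-base64!!",
])


def fingerprint(b64_key):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_type(b64_key):
    """Read the key type stored inside the blob itself."""
    blob = base64.b64decode(b64_key, validate=True)
    length = int.from_bytes(blob[:4], "big")
    return blob[4:4 + length].decode("ascii", "replace")


def parse_inventory(text):
    """Return (entries, rejected); entries are (host, fingerprint) pairs."""
    entries, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            host, key_type, b64_key = line.split()[:3]
            if embedded_type(b64_key) != key_type:
                raise ValueError("declared type does not match key blob")
            entries.append((host, fingerprint(b64_key)))
        except (ValueError, binascii.Error):
            rejected.append(line)  # keep for manual review
    return entries, rejected


def shared_keys(text):
    """Map each fingerprint seen on more than one host to those hosts."""
    hosts_by_fp = defaultdict(set)
    entries, _rejected = parse_inventory(text)
    for host, fp in entries:
        hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts)
            for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_INVENTORY).items():
        print(fp, "is shared by", ", ".join(hosts))
```
</preformat>
          <p>Any fingerprint this reports identifies devices that should have their host keys regenerated so that each one has its own.</p>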
        </sec>
        <sec id="sec-4-2-2">
          <title>4.2.2. Solar Power</title>
          <p>As for Wind Power, over a thousand web platforms of different kinds for managing solar
farms were found exposed over the Italian IP address space and most of them were protected by
simple password-based authentication mechanisms. It must be considered that, just like for the
other renewable sources in Italy, the power generated in small solar plants contributes
to a considerable extent to the fulfillment of the national energy demand, therefore a systematic
cyber-attack against such infrastructures could potentially cause important impairments all
over the Country. For instance, in Figure 4 we present an HMI that monitors a solar farm; this
solar plant was composed of two modules that were monitored by two identical HMIs (both
exposed) and each module was generating around 2000 kW for an estimated total power of 4000
kW. It can be noticed that the solar plant under analysis appears to be somehow connected to
the power supply grid of a well-known Italian power company, hence we should consider the
possibility that any denial of service caused to the solar plant could affect the local power grid
too.</p>
        </sec>
        <sec id="sec-4-2-3">
          <title>4.2.3. Hydroelectric Power</title>
          <p>For the sake of brevity, we present just a few of all the ICSes belonging to hydroelectric power
plants that we discovered online. Figure 5 and Figure 6, Figure 7 and Figure 8, and Figure 9
respectively show 3 different hydroelectric power plants. Due to the fact that their HMIs were
publicly exposed and lacking any kind of protection, we could have freely acted (but obviously
we have not) on the water intake structures or on the turbines. Out of curiosity, we also searched
the Web looking for some information about these plants and we found that they seem to be
supplying energy to their respective local power grid. Moreover, we found that the realization
of one of them apparently cost around 800.000€ and that it produces an estimated revenue of
100.000€ per year.</p>
        </sec>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>5. Future work</title>
      <p>Understanding whether the devices found exposed online were for domestic or industrial use was
a very difficult task due to the presence of several limitations typical of the approach we pursued
in this work, yet the only one we could follow to the extent permissible by the Italian law. While
performing the survey no active port scanning was done; instead we fully relied on Shodan’s
indexing in order not to fall into potential technical or legal issues: from a technical perspective,
the devices under analysis are notoriously delicate and they can accidentally break even after
basic network scans; from a legal perspective, the Italian penal code punishes with imprisonment
anyone who disrupts the availability of public or private services or who illegally gains unauthorized
access to computer systems (especially those of public or military interest), regardless of the
quality of the protective measures. [20]</p>
      <p>For the reasons above, it was not possible to evaluate the type or the number of vulnerabilities
(i.e. CVEs) in our findings. Anyway, the very act of estimating such vulnerabilities could have
been misleading: the message we want to express is not about the presence or absence of known
and unknown vulnerabilities, rather the fact that ICSes should not be exposed at all. In other
words, the purpose of this work is to highlight the wrong posture of many systems with regard
to the proper implementation of the cybersecurity best practices.</p>
      <p>Also, the list of protocols used to estimate the exposure surface of the Italian ICSes is not to
be considered exhaustive, although it already gathers the most used ICS protocols; therefore,
because this study did not cover every existing ICS protocol, the actual number of exposed
devices could be higher, making the number of devices found in this work a lower bound.</p>
      <p>Finally, the next step we plan to take is to extend our research to consider all the Internet
address space, scanning the worldwide ICS landscape in a continuous monitoring approach
instead of performing a single survey.</p>
    </sec>
    <sec id="sec-6">
      <title>6. Conclusion</title>
      <p>In this work we assessed the online exposure of the Italian ICSes. To this end, after having
identified the most used ICS protocols, we proceeded to detect the presence of such systems over
the Italian IPv4 address space. We found that more than 6.000 Italian ICSes are exposed over the
Internet. The fields of application are various: we found home automation systems, building
automation systems and industrial automation systems. We also found devices belonging to
power grids and to gas stations. Lastly, we found many unprotected HMIs accessible via web or
via remote desktop applications, mainly related to renewable power generation plants and to
HVAC systems.</p>
      <p>These results suggest that the real number of unprotected ICSes on the Italian IP space
could be even larger; it is safe to assume that a motivated and economically supported attacker,
who would carry out his actions outside the law, could achieve better results than the ones
presented in this work. Nonetheless, we believe that what we achieved is enough to prove
that the online exposure of ICSes is a widespread problem that potentially affects all industrial
sectors. The causes are without a doubt the digital illiteracy and the negligence of the operators
(both technicians and executives) who, willingly or not, often left their systems unguarded.</p>
      <p>It is important to underline that we cannot exclude that among what we found there could
be something of strategic value; however, the limitations of our approach did not enable us to
investigate this possibility. Also, we believe that a successful attack even against the ICSes of
a small enterprise could affect bigger enterprises too and have severe impacts over the whole
national context, given that the Italian industrial landscape is made of a vast amount of small
and medium-sized enterprises which are often links of the national supply chain. Besides, given
that smaller ICSes might share common technology with critical ICSes, we must take into
account that smaller ICSes might be perfect cyber shooting ranges that the threat actors could
use to validate their attack strategies before targeting actual critical systems.</p>
    </sec>
    <sec id="sec-7">
      <title>Acknowledgement</title>
      <p>This work has been partially supported by the IoT-STYLE project RG12117A7CE68848.</p>
      <p>[14] Anonymous, Ethernet/IP official website, 2020. URL: https://www.odva.org/technology-standards/key-technologies/ethernet-ip/.</p>
      <p>[15] Anonymous, Omron’s Fins official website, 2020. URL: http://www.ia.omron.com/support/glossary/meaning/168.html.</p>
      <p>[16] Anonymous, IEC 60870-5-104 international standard, 2020. URL: https://webstore.iec.ch/publication/25035.</p>
      <p>[17] Anonymous, KNXnet/IP official website, 2020. URL: https://support.knx.org/hc/en-us/articles/360000040999-KNX-Specifications.</p>
      <p>[18] Anonymous, Modbus official website, 2020. URL: https://modbus.org/.</p>
      <p>[19] Anonymous, OPC Unified Architecture official website, 2020. URL: https://opcfoundation.org/about/opc-technologies/opc-ua/.</p>
      <p>[20] Anonymous, artt. 615-ter, 635-bis, 635-ter, 635-quater, 635-quinquies, 2020. URL: https://www.cyberlaws.it/2019/codice-penale/.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>O.</given-names>
            <surname>Andreeva</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Gordeychik</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G.</given-names>
            <surname>Gritsai</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Kochetova</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E.</given-names>
            <surname>Potseluevskaya</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Sidorov</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Timorin</surname>
          </string-name>
          ,
          <source>Industrial control systems and their availability</source>
          ,
          <year>2016</year>
          . URL: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2016/07/07190427/KL_REPORT_ICS_Availability_Statistics.pdf.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>S.</given-names>
            <surname>Hilt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Huq</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Kropotov</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>McArdle</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Pernet</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Reyes</surname>
          </string-name>
          ,
          <article-title>Exposed and vulnerable critical infrastructure: Water and energy industries</article-title>
          ,
          <year>2018</year>
          . URL: https://documents.trendmicro.com/assets/white_papers/wp-exposed-and-vulnerable-critical-infrastructure-the-water-energy-industries.pdf.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>M.</given-names>
            <surname>Nawrocki</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. C.</given-names>
            <surname>Schmidt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Wählisch</surname>
          </string-name>
          ,
          <article-title>Uncovering vulnerable industrial control systems from the internet core</article-title>
          ,
          <source>in: NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium</source>
          ,
          <year>2020</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>9</lpage>
          . doi: 10.1109/NOMS47738.2020.9110256.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>A.</given-names>
            <surname>Mirian</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Z.</given-names>
            <surname>Ma</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Adrian</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Tischer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Chuenchujit</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Yardley</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Berthier</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Mason</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Z.</given-names>
            <surname>Durumeric</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. A.</given-names>
            <surname>Halderman</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Bailey</surname>
          </string-name>
          ,
          <article-title>An internet-wide view of ics devices</article-title>
          ,
          <source>in: 2016 14th Annual Conference on Privacy, Security and Trust (PST)</source>
          ,
          <year>2016</year>
          , pp.
          <fpage>96</fpage>
          -
          <lpage>103</lpage>
          . doi: 10.1109/PST.2016.7906943.
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>P.</given-names>
            <surname>Paganini</surname>
          </string-name>
          ,
          <source>Top cybersecurity predictions for 2020</source>
          ,
          <year>2019</year>
          . URL: https://resources.infosecinstitute.com/topic/top-cybersecurity-predictions-for-2020/.
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>A.</given-names>
            <surname>Yan</surname>
          </string-name>
          ,
          <source>Fortinet 2019 operational technology security trends report</source>
          ,
          <year>2019</year>
          . URL: https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-security-trends.pdf.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <surname>Shodan</surname>
          </string-name>
          , Shodan,
          <year>2020</year>
          . URL: https://www.shodan.io.
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <surname>O. of Public Affairs</surname>
          </string-name>
          ,
          <article-title>Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector</article-title>
          , Department of Justice,
          <year>2016</year>
          . URL: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged, Press Release Number 16-348.
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>M.</given-names>
            <surname>Thompson</surname>
          </string-name>
          ,
          <article-title>Iranian cyber attack on New York dam reveals future of war</article-title>
          ,
          <year>2016</year>
          . URL: https://time.com/4270728/iran-cyber-attack-dam-fbi/.
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <surname>Anonymous</surname>
          </string-name>
          , Bacnet official website,
          <year>2020</year>
          . URL: http://www.bacnet.org/.
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <surname>Anonymous</surname>
          </string-name>
          , Codesys official website,
          <year>2020</year>
          . URL: https://www.codesys.com/products/codesys-communication/standard-ethernet.html.
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <surname>Anonymous</surname>
          </string-name>
          ,
          <article-title>Redlion's crimson official website</article-title>
          ,
          <year>2020</year>
          . URL: https://www.redlion.net/red-lion-software/crimson.
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <surname>Anonymous</surname>
          </string-name>
          , Dnp3 official website,
          <year>2020</year>
          . URL: https://www.dnp.org/About/Overview-of-DNP3-Protocol.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>