Thursday, January 10, 2013

Security Double Dutch: Shodan Points out Critical Infrastructure Gaps in the Netherlands


Hat tip to friend and colleague Steve D for shooting this my way.
Security researcher Oscar Koeroo, working for the Dutch nuclear physics institute NIKHEF, found out that national infrastructural systems were listed on Shodan (a database of cyber security vulnerabilities) and could be easily accessed remotely. Those systems, controlling pumping stations and sluices, are vital for the water management of a large part of the Netherlands. Because a large part of the country lies below sea-level, those systems keep the Dutch feet dry!
I've been to the Netherlands several times and saw the country in the news a lot recently when UberStorm Sandy raised concerns that New York City should perhaps get similar types of protective systems. I can assure you that this is about much more than a preference for dry feet.

Read on to find out how control system search engine Shodan once again reveals what systems are directly connected to the Internet. Warning: it paints a full picture, but it's not a pretty picture, and hopefully you won't find systems in your charge popping up in the findings window!

Here's the complete article from Tofino, replete with lurid details of password mismanagement, accusations, denials and counter-accusations, and that sort of thing. Best keep a Heineken or two handy.

Photo credit: nrc.nl

6 comments:

Floris said...

Hi Andy, the discoveries of Oscar that you point to are from February 2012 (see below). I believe there were some improvements since then :)

Regards
Floris (from the Netherlands)

ps, keep up the good work, like to read your blog.

Unfortunately in Dutch: http://www.eenvandaag.nl/binnenland/39770/sluizen_gemalen_en_bruggen_slecht_beveiligd

Oscar said...

Could you correct the spelling of my surname, it's "Koeroo". The original publication was to the Dutch television on this topic: http://www.eenvandaag.nl/binnenland/39770/sluizen_gemalen_en_bruggen_slecht_beveiligd

The article mentions my name and I'm part of the video item.

If you desire more (technical) background information about this particular case, how I plotted the network of this SCADA installation from the other side of the internet and how this is repeatable, then I'm available for more comments. I hope people will learn to understand what they share, how people share technical details and what a rogue person could do with this.

Oscar said...

Ow and I forgot to add. Shodan was the first generic tip/hint towards a system, but that's not the entire story. There's more to it :-)

Andy Bochman said...

Thanks for your feedback Oscar and Floris ... and great work too. Spelling updated ... sorry for original mis-spell. Andy

Ute Tray said...

The Netherlands is a world leader in the field of art and culture. It was my first time visiting this country and I was amazed at the number of bicycles. Great people!

ICS/SCADA said...

Really it was good news for ICS/SCADA cyber security. I am a bit relaxed after reading your post. Thanks for sharing.