Vulnerabilities in Swedish Industrial Control Systems : An examination and classification of remotely discoverable ICS devices in Sweden, and an assessment of their vulnerability to cyber attacks

University essay from KTH/Datavetenskap

Author: André Österlund; Nils Odin; [2022]


Abstract: Over the last couple of years, more and more industrial control systems (ICS) have been designed to be connected to the internet to allow for remote control and monitoring of industrial processes. This has opened up the possibility for hackers to exploit weaknesses in such systems remotely over the internet. Such exploits could allow an attacker to steal sensitive information, make the system inaccessible, or even take control of critical infrastructure. It is therefore of great importance to know how easily these systems can be found on the internet and how vulnerable the devices found would be to remote attacks. Learning these things has been the goal of this report. To accomplish this goal, we sorted through every Swedish IP address on the IPv4 internet for services that run on ports and protocols associated with known ICS devices. We fetched data about these IP addresses via the Shodan project and examined that data to determine how many ICS devices are in operation in Sweden, as well as their device models and manufacturers. Lastly, we cross-checked our list of found devices against the CVE database of publicly disclosed software vulnerabilities to learn how many of the devices had known exploits that could be used in an attack. Our findings are that there exist 2,237 Swedish ICS devices that can be easily found through the internet. Out of these, 244 devices had at least one known vulnerability. Most vulnerable devices had more than one known vulnerability, and about 77% had at least one exploit that was of medium, high, or critical severity as per the Common Vulnerability Scoring System. The oldest critical vulnerability found was publicly disclosed in 2011, meaning that some ICS devices in Sweden have been running with critical vulnerabilities for over 12 years. Our research shows that a significant number of Swedish industrial control systems run with unpatched vulnerabilities. This means that even an inexperienced attacker could perform targeted attacks against vulnerable Swedish systems from anywhere on the globe. Since we were unable to determine what kinds of industrial processes are controlled by these ICS devices, we don’t know how damaging such an attack would be. However, since these devices can be part of the operation of critical infrastructure, it is crucial that effort is made to minimize the vulnerabilities in these systems. We hope that our research motivates ICS operators and manufacturers to assess how vulnerable their systems are to these kinds of attacks, and that they implement strategies to minimize that vulnerability.
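The cross-check the abstract describes, matching each discovered device's product and version against CVE entries and then tallying how many devices are affected and at what CVSS severity, as an added Python example that is not the authors' code. The Shodan-style host records, the CVE entries (placeholder ids) and the CVSS cut-offs are constructed here, and exact product/version matching is a simplification of the CPE range matching a real CVE lookup would need.

```python
from collections import defaultdict

# CVSS v3 qualitative bands (floor score, label), checked highest first
CVSS_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]

def severity(score):
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label

# Constructed Shodan-style records: documentation-range IPs, ICS port,
# product and version as parsed from the service banner (not real devices)
HOSTS = [
    {"ip": "198.51.100.10", "port": 502, "product": "ExamplePLC", "version": "1.2"},
    {"ip": "198.51.100.11", "port": 102, "product": "ExamplePLC", "version": "2.0"},
    {"ip": "198.51.100.12", "port": 20000, "product": "ExampleRTU", "version": "4.1"},
    {"ip": "198.51.100.13", "port": 502, "product": "ExampleHMI", "version": "3.3"},
]
# Constructed CVE-style entries; ids are placeholders, not real CVE numbers
CVES = [
    {"id": "CVE-YYYY-0001", "product": "ExamplePLC", "version": "1.2", "cvss": 9.8, "year": 2011},
    {"id": "CVE-YYYY-0002", "product": "ExamplePLC", "version": "1.2", "cvss": 5.3, "year": 2019},
    {"id": "CVE-YYYY-0003", "product": "ExampleRTU", "version": "4.1", "cvss": 3.1, "year": 2020},
]

def match_cves(hosts, cves):
    """Map each host IP to the CVEs whose (product, version) matches its banner."""
    index = defaultdict(list)
    for c in cves:
        index[(c["product"], c["version"])].append(c)
    return {h["ip"]: index.get((h["product"], h["version"]), []) for h in hosts}

def summarize(hosts, cves):
    """Reproduce the abstract's headline figures for a given host/CVE dataset."""
    matches = match_cves(hosts, cves)
    vulnerable = {ip: lst for ip, lst in matches.items() if lst}
    serious = [ip for ip, lst in vulnerable.items()
               if any(severity(c["cvss"]) != "low" for c in lst)]
    critical_years = [c["year"] for lst in vulnerable.values()
                      for c in lst if severity(c["cvss"]) == "critical"]
    return {
        "devices": len(hosts),
        "vulnerable": len(vulnerable),
        "multi_cve": sum(1 for lst in vulnerable.values() if len(lst) > 1),
        "pct_medium_or_worse": round(100 * len(serious) / len(vulnerable), 1) if vulnerable else 0.0,
        "oldest_critical": min(critical_years) if critical_years else None,
    }

if __name__ == "__main__":
    print(summarize(HOSTS, CVES))
```

Feeding real Shodan exports and NVD data into `summarize` gives the device, vulnerable-device, multi-CVE, severity-share and oldest-critical-year figures the abstract reports.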
