US Cities Exposed: Industries and ICS security
Today, 54% of the world’s population lives in urban areas, a proportion that is expected to increase to 66% by 2050. [2] According to the 2010 US Census, that number is even higher in the US, with 81% of the country’s population living in urban areas. [3] The largest metropolitan statistical areas in the US are home to between 5 and 20 million residents. [4] Big cities require an extensive array of goods, services, and facilities for the daily operations of financial service providers, healthcare facilities, educational institutions (primary, secondary, and tertiary), government offices (federal, state, and municipal), retail networks, agricultural suppliers, utilities (power, water, gas, sanitation, etc.) providers, transportation networks, manufacturing facilities, communication infrastructure, security and policing service providers, and so on. These critical sectors are the organs of the modern metropolis.
There is a significant overlap between a city’s critical and national critical infrastructure. Whether we are studying the urban problem from a national or municipal level, what remains constant are the mutual interdependencies between critical infrastructure, which guarantee that any disruption in one will have several orders of impact in others. For instance, a computer intrusion in the energy sector causing service disruption will likely impact several other sectors, which may eventually impact the delivery of life-sustaining services in hospitals. Mutual interdependencies between critical infrastructure is a very important and complex topic that is not very well understood and can have a perceptible effect on many if not all residents.
Using Shodan* data, Trend Micro researchers Numaan Huq, Stephen Hilt, and Natasha Hellberg assess which devices, servers, and critical sectors in the US are the most exposed. Affected parties can use this information when implementing the necessary security measures that will better protect their data and assets from future compromise.
In this article, the Shodan US scan data is for February 2016 and this is an excerpt from the US Cities Exposed: Industries and ICS white paper. The paper profiled exposed cyber assets in organizations from six critical sectors – government, emergency services, healthcare, utilities, financial, and education. The results are for all US cities. The critical sectors are essential in daily city operations and can perceptibly affect many if not all residents.
In this article, we will focus only on the utilities sector. Organizations that belong to the utilities sector were identified in the Shodan US scan data using keywords such as “power,” “water,” “electricity,” and so on. Please note that it is not possible to get 100% coverage of all organizations that belong to the target sector using keyword search alone. Our observations on exposed cyber assets in the utilities sector are:
- Exposed cyber assets are mostly located in small cities and towns; not in big cities.
- Firewalls, WAPs, webcams, and routers make up the bulk of exposed devices.
- Linux is the most commonly used OS.
- Organizations run a wide variety of Web servers; most are probably embedded.
- Web servers that communicate over ports 80 (HTTP) and 443 (HTTPS) are commonplace.
- Shodan found multiple unpatched vulnerable servers running in these organizations.
*Shodan is an online search engine that catalogs cyber assets or internet-connected devices. Many cyber assets are exposed in Shodan for a number of reasons, including poor configuration. This level of exposure can become a serious security concern when hackers take advantage of them to steal data, launch ransomware or distributed denial-of-service (DDoS) attacks, or gain entry into networks.
Download the full white paper “US Cities Exposed: Industries and ICS. A Shodan-Based Security Study of Exposed Systems and Infrastructure in the US” to find out more about the other critical sectors.
References
- United Nations (UN). (10 July 2014). United Nations. “World’s Population Increasingly Urban with More Than Half Living in Urban Areas.” Last accessed on 25 September 2016, http://www.un.org/en/development/desa/news/population/world- urbanization-prospects-2014.html.
- US Department of Commerce. (2017). US Census Bureau. “US Census Bureau: FAQs.” Last accessed on 25 September 2016,https://ask.census.gov/faq.php?id=5000&faqId=5971.
- Wikimedia Foundation Inc. (4 January 2017). Wikipedia. “List of Metropolitan Statistical Areas.” Last accessed on 25 September2016, https://en.wikipedia.org/wiki/List_of_Metropolitan_Statistical_Areas.