An Internet scan of the IPv4 address space uncovered more than 100 critical facilities exposed to the public Internet, including hydropower plants in Germany and Italy.

An Internet scan of the IPv4 address space uncovered more than 100 critical facilities exposed to the public Internet, including hydropower plants in Germany and Italy, and a smart building in Israel hosting luxury apartments.

The investigation, conducted by researchers at Internet Wache of Berlin, started in the fall of 2015 as a search for specific routers used by industrial control systems. Researcher Tim Philipp Schafers found more than he bargained for when unauthenticated web applications for ICS management interfaces began coming up in searches. The researchers noticed a pattern in the HTTP headers that were turning up and wrote a Python script that was fed into the ZMap and scans.io tools in order to search for the pattern in the IPv4 public space.

More than 100 systems turned up, including the hydropower plants. The researchers informed the respective operators who removed the systems from the public Internet. Not all operators were as cooperative, some dismissing the risk altogether, or passing the buck along to vendors and customers who had implemented the devices and software.

“It’s possible to access the web applications that control processes in these plants; you don’t need to know a special configuration,” Schafers told Threatpost. “Some cases require authentication. We found more than 100 systems, and about half required authentication, while some were without any and were administrator accessible.”

This is not a new problem. Researchers for years have been publishing advisories about serious vulnerabilities in control systems for energy, wastewater and manufacturing for years. A simple Shodan or custom search is used to uncover offending systems, and is often used to highlight a bigger problem around the lack of security in SCADA and ICS systems. Schafers said that process control systems such as these are usually the dominion of engineers rather than IT people, who have much stricter security in place.

“In general, they have to work together better,” he said. “IT security has so many guidelines. There are so many security policies and procedures that don’t apply to critical infrastructure or ICS. A really good question is why we don’t step into this field as IT. We all want things to be functional, but it has to be really secure as well, especially when it comes to smart factories. More and more of them are on the internet and not on a protected network.”

The most discerning finds of the Internet Wache scan were the hydropower facilities. Four HMI, or human machine interface, systems were discovered that monitor control systems and processes such as pump management. Three of the HMIs uncovered were in Germany, including one near Munich servicing 80,000 people with drinking water.

Internet Wache’s report said its researchers would have been able to read data from sensors on water consumption and other plant-related values. Those values could also be manipulated, they said, so that operators would believe processes were running normally when in fact the opposite may be true. At one of the plants, access to pumps was possible that could disrupt a city’s water supply.

All four of the plants’ systems were no longer reachable from the Internet, Schafers said. The findings were also reported to the BSI, Germany’s federal office for IT security and CERT_Bund, which reported the vulnerabilities to plant operators.

The scan also found a wide open building automation system for The Tower luxury apartments in Israel that included firewall misconfigurations and logic errors plaguing web application management interfaces. An attacker could exploit these to control anything from lighting in the building, to heating and air conditioning systems.

Internet Wache also reported a number of software errors, including common cross-site scripting bugs that would allow for web-based manipulation of HMIs and HTTP injection flaws that could be abused to force downloads of malware and exploits.

Schafers says awareness about security in ICS and SCADA systems remains low.

“So many people visit Facebook, you can be sure Facebook is secure,” Schafers said. “We often don’t think about these systems running in the background. The connection between the real and smart world is increasing and we’re not thinking about security.”