How to Find Water Systems on the Internet: A Guide to ICS/OT OSINT
Welcome to the 19th installment of “OT Hunt,” where we delve into the world of ICS/OT devices connected to the internet. The primary aim of this series is to raise awareness within the ICS community and serve as a wake-up call for both asset owners and ICS/OT vendors to fortify their assets against potential cyber threats.
OT OSINT Research: Behind the Devices
Today, I will show you how I perform OT OSINT research and use different search engines and techniques to discover internet-connected ICS devices. As promised in previous articles, this time I’ll attempt to uncover what lies behind these devices. Please note that this is my personal effort and could be flawed, but I’ve provided evidence to back up my findings.
For today’s experiment, we’ll focus on VTScada, a SCADA and HMI software developed by a Canadian company, Trihedral. You can check them out at vtscada.com. VTScada’s “Anywhere Client” is primarily used in the water industry and has a global footprint. This type of research directly feeds into our platform, ICSRank.com, an ongoing project that updates regularly with more information, aiming to automate the defense efforts for ICS defenders, pentesters, and researchers.
Let’s jump in and see if we can find VTScada online using a variety of search engines and techniques. Below, I will walk you through how I craft and use specific filters (dorks) to track these systems.
Shodan:
- Filter 1: vtscada
- Filter 2: http.favicon.hash:1796018699
Censys:
- Filter 1: vtscada
- Filter 2: services.software.product=VTScada
ZoomEye:
- Filter 1: app:"VTScada"
- Filter 2: iconhash:"8b0a996f749fd47307057a543a2389ab"
Google:
- Filter 1: intitle:"VTScada Anywhere login"
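Two of the filters above key on the login page's favicon rather than on any text, so an asset owner can check whether their own HMI would match such a filter without querying any search engine. The following is an added example, not code from the article or from Trihedral: it implements MurmurHash3 (x86, 32-bit, signed) over the base64 text of the icon as base64.encodebytes produces it, which is how Shodan's http.favicon.hash is commonly understood to be computed, and treats ZoomEye's 32-hex-character iconhash as an MD5 of the raw icon (an assumption); the sample icon bytes are constructed.

```python
import base64
import hashlib
import struct

M32 = 0xFFFFFFFF

def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & M32

def _mix_k(k):  # per-block scramble shared by the body and the tail
    return (_rotl32((k * 0xCC9E2D51) & M32, 15) * 0x1B873593) & M32

def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3 x86/32, returning a signed int like mmh3.hash()."""
    h, nblocks = seed & M32, len(data) // 4
    for (k,) in struct.iter_unpack("<I", data[: nblocks * 4]):
        h = (_rotl32(h ^ _mix_k(k), 13) * 5 + 0xE6546B64) & M32
    tail, k = data[nblocks * 4 :], 0
    for i, b in enumerate(tail):  # up to 3 leftover bytes, little-endian
        k |= b << (8 * i)
    if tail:
        h ^= _mix_k(k)
    h ^= len(data)  # finalization (fmix32)
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & M32
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & M32
    h ^= h >> 16
    return h - 0x100000000 if h & 0x80000000 else h

def shodan_favicon_hash(favicon: bytes) -> int:
    # Shodan hashes the base64 *text* of the icon (76-char lines plus a
    # trailing newline, as base64.encodebytes emits), not the raw bytes.
    return murmurhash3_x86_32(base64.encodebytes(favicon))

def zoomeye_icon_hash(favicon: bytes) -> str:
    # Assumption: ZoomEye's 32-hex-char iconhash is an MD5 of the raw icon.
    return hashlib.md5(favicon).hexdigest()

if __name__ == "__main__":
    # Constructed stand-in for a favicon; read your own favicon.ico here.
    icon = bytes(range(256)) * 4
    print(f"http.favicon.hash:{shodan_favicon_hash(icon)}")
    print(f'iconhash:"{zoomeye_icon_hash(icon)}"')
```

Feed the script the favicon your HMI actually serves; if the printed values match a filter circulating in the wild, the icon is fingerprinting your installation and changing or removing it (alongside taking the interface off the public internet) removes that pivot.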
Web Interface and Exposed Technology
VTScada exposes its web interface to the internet. As shown in the image, I found port 102 open, which is commonly used for the Siemens S7 protocol. The protocol banner revealed a model number, "6ES7 214-1HG40-0XB0"; a quick Google search confirmed it as a Siemens Simatic S7-1200 PLC. Could VTScada be managing this Siemens PLC, or are the two merely reachable from the same host?
In addition to this, many hosts running VTScada have open ports such as FTP (port 21), SSH (port 22), and RDP (port 3389), which are used for remote management.
One interesting find was a host with port 8080 open, identified as a Cradlepoint “NetCloud” router. Does this router manage a cloud service? The details remain unclear.
What Industry or Process is Running Behind this Software?
By analyzing the URL paths of the web interfaces, you can often deduce key details. For example, URLs may contain terms like:
/wastewater
/BaddWater
/Grandlake
/lakewod
/scada
/water
/CCityWater
From these, we can extract useful information such as:
- ICS Device Type: SCADA or similar systems.
- Location: Potential city or state names, often around lakes or water bodies.
- Industry: Most of these instances are related to water or wastewater facilities.
Vulnerabilities
VTScada, like any other ICS software, is not immune to vulnerabilities. During my research, I found several existing vulnerabilities listed by CISA, including:
- ICSA-14-343-02
- ICSA-17-164-01
- ICSA-22-300-04
- ICSA-17-304-02
- ICSA-16-159-01
These vulnerabilities highlight the persistent risk associated with improperly secured systems.
Analysis
It’s no surprise that the water industry has become a frequent target of cyberattacks. As demonstrated in this article, water systems are exposed on the internet with numerous open ports, accessible web interfaces, and misconfigurations. Hundreds of these systems, which manage water facilities, are vulnerable to attack.
What I’ve shown here is just a surface-level analysis — I haven’t even covered all hosts or vendors. The scale of the problem is likely much larger.
Conclusion
In closing, I encourage you to explore ICSRank, our unique tool designed for the ICS/OT domain. ICSRank exemplifies our commitment to enhancing ICS/OT cybersecurity. With its ability to Discover, Assess, and Secure, ICSRank is a vital resource for fortifying ICS/OT environments against cyber threats.
Stay tuned for more insights in future installments of OT Hunt, and remember — our shared vigilance is key to defending critical infrastructure.