OT Hunt: Finding HMIs with Shodan

Sulaiman Alhasawi
3 min read · Mar 4, 2024

Welcome to the 13th installment of “OT Hunt”, a series for those navigating Industrial Control Systems/Operational Technology (ICS/OT) security. The aim is to shine a light on the corners of the internet where ICS/OT devices sit, often unnoticed and exposed, and to serve as a call to action for asset owners and ICS/OT vendors to harden what they put online.

In this episode I turned to Human-Machine Interfaces (HMIs), the screens through which operators monitor and control a process. I started with a dork saved in my archive list of dorks on GitHub:

screenshot.label:ics

This query returned 551 results. The set is diverse, however: many of the hits came from other services such as VNC and RDP, and some were images from cameras that were pointed at HMIs, monitoring and recording them.

Next I narrowed the search to a specific vendor in the ICS/OT arena, Automation Direct (https://www.automationdirect.com), using the following dork:

screenshot.label:ics product:"Automation Direct"

The results were telling: most of the screenshots captured were indeed HMIs, offering a window into processes at various plants and operations.

Refining the search further, I used another dork:

screenshot.label:ics product:"VNC"

which returned 290 HMI interfaces reachable over VNC. VNC makes remote access convenient, but exposing it directly to the internet also opens the door to unauthorized access, especially when authentication is weak or switched off.
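The three dorks above are one procedure: run a query, then break the result set down by product and port to see which services are actually behind the screenshots. The script below is an added example, not code from the original post or from ICSrank; it uses the official `shodan` Python library (`pip install shodan`) with the same VNC dork, and the sample matches are constructed in the shape of Shodan's `matches` entries so the tally runs offline (the addresses are documentation-range placeholders, not real hosts).

```python
"""Tally Shodan results for an ICS screenshot dork by product and port.

Added example, not the original post's code. Live queries need the
``shodan`` package and SHODAN_API_KEY in the environment; without a key
the script falls back to the constructed sample below.
"""
import os
from collections import Counter

# The dork from the post.
DORK = 'screenshot.label:ics product:"VNC"'

# Constructed sample in the shape of Shodan's `matches` entries (only the
# fields this script reads). Placeholder addresses from 192.0.2.0/24.
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 5900, "product": "VNC", "org": "Example Plant A"},
    {"ip_str": "192.0.2.11", "port": 5900, "product": "VNC", "org": "Example Plant A"},
    {"ip_str": "192.0.2.12", "port": 5901, "product": "VNC", "org": "Example Plant B"},
    {"ip_str": "192.0.2.13", "port": 3389, "product": "Remote Desktop Protocol",
     "org": "Example Plant C"},
    {"ip_str": "192.0.2.14", "port": 80, "product": "Automation Direct",
     "org": "Example Plant D"},
    {"ip_str": "192.0.2.15", "port": 80, "org": "Example Plant E"},  # no product field
]


def tally(matches):
    """Count results by (product, port); a missing product becomes 'unknown'."""
    counts = Counter()
    for m in matches:
        counts[(m.get("product", "unknown"), m.get("port"))] += 1
    return counts


def orgs_for_product(matches, product):
    """Distinct organisations exposing a given product, sorted for stable output."""
    return sorted({m.get("org", "?") for m in matches if m.get("product") == product})


def run_live(query=DORK, limit=100):
    """Query Shodan with the real API. Returns (total hits, list of matches)."""
    import shodan  # pip install shodan
    api = shodan.Shodan(os.environ["SHODAN_API_KEY"])
    result = api.search(query, limit=limit)  # {'total': N, 'matches': [...]}
    return result["total"], result["matches"]


if __name__ == "__main__":
    matches = SAMPLE_MATCHES
    if os.environ.get("SHODAN_API_KEY"):
        total, matches = run_live()
        print(f"Shodan reports {total} results for {DORK!r}")
    for (product, port), n in tally(matches).most_common():
        print(f"{n:4d}  {product:28s} port {port}")
    print("orgs exposing VNC:", orgs_for_product(matches, "VNC"))
```

The `(product, port)` breakdown is what separates genuine HMI exposures (VNC on 5900/5901, vendor web HMIs on 80) from the RDP and camera hits that share the same screenshot label.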

Another finding was a product by Varicool (https://varicool.pk/), which featured both a PLC (Programmable Logic Controller) named PLC 12.00 Tandem and an HMI. Judging by the screen, the device is a building controller that manages refrigerator temperature. Alarmingly, the VNC service on this device had authentication disabled: anyone who found it could open the HMI without a password.
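"Authentication disabled" on a VNC service is something you can confirm from the wire without logging in: the RFB handshake has the server list the security types it offers, and type 1 ("None") means it will accept a client with no authentication at all. The checker below is an added example, not code from the post; it speaks the RFB 3.3/3.7/3.8 handshake directly, stops after reading the offered types, and the host in `main` is a placeholder you replace with your own asset.

```python
"""Does a VNC server offer RFB security type 'None' (no authentication)?

Added example, not the original post's code. Implements only the version
exchange and security-type negotiation of the RFB protocol; it never
selects a type or sends any input to the HMI.
"""
import socket
import struct

SEC_NONE = 1  # RFB security type 1: no authentication at all
SECURITY_NAMES = {0: "invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_server_version(greeting):
    """Parse the 12-byte 'RFB xxx.yyy\\n' greeting into (major, minor)."""
    if len(greeting) != 12 or not greeting.startswith(b"RFB ") or greeting[-1:] != b"\n":
        raise ValueError(f"not an RFB greeting: {greeting!r}")
    major, minor = greeting[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version, payload):
    """Security types offered right after the version exchange.

    RFB 3.3: the server picks one type and sends it as a u32.
    RFB 3.7+: u8 count then `count` u8 types; count 0 means the server
    refused and the rest is a u32-length reason string.
    """
    if version < (3, 7):
        (sec_type,) = struct.unpack("!I", payload[:4])
        return [sec_type]
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack("!I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(payload[1:1 + count])


def auth_disabled(sec_types):
    """True when the server will let a client in with no authentication."""
    return SEC_NONE in sec_types


def describe(sec_types):
    """Human-readable names for a list of security types."""
    return [SECURITY_NAMES.get(t, f"type {t}") for t in sec_types]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host, port=5900, timeout=5.0):
    """Connect, negotiate a version, read the offered security types, disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_server_version(_recv_exact(s, 12))
        negotiated = min(version, (3, 8))  # never claim more than we implement
        s.sendall(b"RFB %03d.%03d\n" % negotiated)
        if negotiated < (3, 7):
            data = _recv_exact(s, 4)
        else:
            count = _recv_exact(s, 1)
            if count[0] == 0:
                length = _recv_exact(s, 4)
                data = count + length + _recv_exact(s, struct.unpack("!I", length)[0])
            else:
                data = count + _recv_exact(s, count[0])
        return negotiated, parse_security_types(negotiated, data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder, not a real target
    version, types = probe(host)
    state = "DISABLED" if auth_disabled(types) else "required"
    print(f"RFB {version[0]}.{version[1]} offers {describe(types)}; authentication {state}")
```

Run it only against hosts you own or are authorized to test. The same check is what an attacker's scanner does first, which is why an exposed HMI that answers with type 1 needs to come off the internet, or at minimum sit behind a VPN with VNC authentication turned back on.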

I also checked the RDP-exposed devices. These showed only Windows login screens, offering no glimpse into the HMI or the underlying process. That is still an exposure: each login screen reveals an existing username and prompts only for a password, so anyone collecting these screenshots can build a list of valid accounts on HMI machines.

Exploring ICS/OT security gets more exciting. Our project, ICSrank, is a tool built specifically for the ICS/OT world and reflects our commitment to improving cybersecurity in this essential area. ICSrank is more than a tool; it is a guide, providing insights and assessments for stronger cyber defense.

Keep an eye out for more discoveries and insights as we navigate the unexplored areas of ICS/OT security. By identifying ICS/OT devices on the internet and addressing exposure issues, we can transform vulnerabilities into strongholds of digital secu
