If you have not had a chance to take a look at Shodan, I would suggest that you do so in short order. Most hackers have been using Google Hacks for some time to find specific sites based on banner information. As reported in an ICS-CERT Alert released on October 28 (ICS-Alert-10-301-01), independent security researchers employ the SHODAN search engine to discover Internet-facing SCADA systems using potentially insecure mechanisms for authentication and authorization. In most cases, the affected control system interfaces were designed to provide remote access for monitoring system status and/or certain asset management features.
This again demonstrates why asset owners need to re-evaluate and implement improved defense-in-depth strategies when providing remote access to trusted control system networks, not only to prevent unauthorized access, but also to provide notification when a breach occurs and minimize the negative consequences of such a breach. I presented one such solution at the recent ICSJWG conference in Seattle (click here to view the presentation).
These vulnerable systems have been found to be readily accessible from the Internet, and with tools such as SHODAN, the resources required to identify them have been greatly reduced. In addition to the increased risk of account brute forcing from having these systems available on the Internet, some of the identified systems continue to use default user names and passwords and/or common vendor accounts for remote access into these systems. These default/common accounts can in many cases be easily found in online documentation and/or online default password repositories, such as those presented at this site.