Trailrunner7 (1100399) writes "Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That’s mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States. It’s not a pretty picture.
The duo, Bob Radvanovsky and Jacob Brodsky of consultancy InfraCritical, have with some help from the Department of Homeland Security pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses.
Radvanovsky and Brodsky said they built a suite of scripts that includes 600 search terms for equipment built and managed by close to seven dozen manufacturers of SCADA equipment and support systems for SCADA. The pair found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. They initially approached DHS with a list of close to 500,000 devices; DHS helped pare the list down to search terms for 50 critical systems it believed were relevant. That eventually shrunk the list of devices to 7,200."
Link to Original Source