Firewalls are basic tools of internet security, but an I-Team investigation found major corporate and government actors with computers connected directly to the Internet without those protections, potentially making themselves vulnerable to hackers.
Using a search engine called Shodan, the I-Team found hundreds of entities across the country, including a busy commuter railroad and a Long Island nuclear lab, with computer devices that are publicly visible on the web.
Some of the exposed computer devices appeared to be used for supervisory control and data acquisition, known as SCADA systems. Experts say SCADA systems are especially attractive to hackers because they are often used to remotely monitor and control sensitive infrastructure like power grids and transit networks.
One exposed SCADA system discovered by the I-Team was a server used to monitor infrastructure along the rail lines of the Massachusetts Bay Transportation Authority, Boston's major commuter rail operator.
The server was used to keep track of communication lines along the rails, but it also contained phone numbers and email addresses for rail employees responsible for fixing infrastructure problems.
Joe Pesaturo, an MBTA spokesman, described the server as a backup system used by Keolis, the private company hired to operate the commuter system.
"Keolis was using the system for redundant monitoring of the MBTA commuter rail signal system. It was not connected to Keolis' internal network infrastructure and hence could not be used to access any internal signal or corporate networks," Pesaturo said.
Shortly after the I-Team informed MBTA of the exposed server, it was disconnected from the public Internet.
Keolis did not respond to the I-Team's request for comment.
Computer servers aren’t the only types of hardware that could be hacked if connected to the Internet outside firewalls. Industrial controllers are among the most vulnerable SCADA devices. They are relatively primitive computers that act as switches -- turning components of infrastructure on and off.
For example, an industrial controller may communicate with valves at a water filtration plant to increase or decrease levels of chlorine. Other industrial controllers allow for remote access to dams, traffic signal networks and electrical grids.
Tom Parker, chief technology officer of Fusion X, another cyber security firm, said many industrial controllers are decades-old modules that were not originally designed to be accessed over the Internet and may not have default password protection, making them easy targets for hackers.
"If they're able to keep the power off for a month, people are going to start asking questions," Parker said. "Can I trust my government to keep me secure?"
Shodan allows users to search not just for exposed SCADA systems but for all sorts of devices connected directly to the public Internet. The search engine cover page says, “Websites are just one part of the Internet. There are power plants, Smart TVs, refrigerators and much more that can be found with Shodan.”
Sebastian Jeanquier, head of technical services at the cyber security firm Nettitude, said even more vanilla systems that show up on Shodan -- like email servers -- could provide hackers with an entry point if they are directly accessible from the Internet. He pointed to a cyber attack last year on a steel plant in Germany in which hackers shut down a blast furnace and caused extensive damage.
“Attackers were able to get into that organization’s network through a phishing attack, sending in an email containing either a malicious link or a malicious attachment and someone within the organization would have executed that and visited the link, which allowed the attackers onto the organization’s network,” Jeanquier said.
The German government has not named the plant that was targeted.
Jeanquier also said file transfer protocol (FTP) servers -- where people exchange documents and data -- could be vulnerable to hackers if they are connected directly to the Internet.
“There could absolutely be sensitive information on any FTP server and it’s not uncommon to find sensitive information being made accessible online inadvertently,” Jeanquier said.
On Shodan, the I-Team found an FTP server connected to Long Island's Brookhaven National Laboratory, a nuclear research facility. Tom Schlagel, the lab’s chief information officer, said his personnel would never connect a SCADA system directly to the Internet, but making the FTP server publicly visible was an acceptable risk, because it allows for a freer flow of information between researchers across the globe.
"There is the potential that somebody uploads malware or something but typically the scientists know what they are looking for," Schlagel said.