Contact and Coil | Nearly In Control



Finding Internet-Connected Industrial Automation Devices

I think most people in our industry realize you shouldn’t connect industrial automation devices to the internet, but just in case you happen to think otherwise, here’s a quick explanation why (this is old news, by the way).

You may believe that things connected to the internet are relatively anonymous. There’s no web page linking to them, so how is Google going to find them, right?

It turns out it’s relatively easy to find devices connected to the internet, and it’s kind of like the old movie WarGames where the lead character, played by Matthew Broderick, programmed his computer to dial every phone number in a specific block (555-0001, 555-0002, etc.) and record any where a modem answered. That was called “war-dialing”. In the age of the internet, you just start connecting to common port numbers (web servers are on port 80, etc.) on one IP address at a time, and logging what you find. This is called port-scanning.
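The flip side of the port-scanning described above is that a scan leaves a very recognisable trail in your own firewall logs, which is the thing a plant network owner can actually act on. The following Python script is an added example written for this page, not code from the original post: it reads a few constructed firewall log lines (the `src=... dst=... dport=... action=...` format, the addresses and the thresholds are all assumptions) and flags any source that walks many ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep) inside a short time window.

```python
"""Detect port-scan behaviour in firewall logs.

Added example, not from the Contact and Coil post. The log format below is a
constructed, simplified one (timestamp src dst dport action); real firewalls
differ, so adapt parse_line() to yours.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample (documentation address ranges):
#   203.0.113.9  walks several ports on one host  -> vertical scan
#   198.51.100.7 walks port 80 across many hosts  -> horizontal sweep
#   192.0.2.5    is a normal client hitting one web server repeatedly
SAMPLE_LOG = """\
2012-06-01 10:00:01 src=203.0.113.9 dst=192.0.2.10 dport=21 action=deny
2012-06-01 10:00:01 src=203.0.113.9 dst=192.0.2.10 dport=22 action=deny
2012-06-01 10:00:02 src=203.0.113.9 dst=192.0.2.10 dport=23 action=deny
2012-06-01 10:00:02 src=203.0.113.9 dst=192.0.2.10 dport=80 action=allow
2012-06-01 10:00:03 src=203.0.113.9 dst=192.0.2.10 dport=502 action=deny
2012-06-01 10:00:03 src=203.0.113.9 dst=192.0.2.10 dport=44818 action=deny
2012-06-01 10:00:05 src=198.51.100.7 dst=192.0.2.10 dport=80 action=allow
2012-06-01 10:00:05 src=198.51.100.7 dst=192.0.2.11 dport=80 action=deny
2012-06-01 10:00:06 src=198.51.100.7 dst=192.0.2.12 dport=80 action=deny
2012-06-01 10:00:06 src=198.51.100.7 dst=192.0.2.13 dport=80 action=deny
2012-06-01 10:00:07 src=198.51.100.7 dst=192.0.2.14 dport=80 action=deny
2012-06-01 10:00:08 src=192.0.2.5 dst=192.0.2.10 dport=80 action=allow
2012-06-01 10:00:09 src=192.0.2.5 dst=192.0.2.10 dport=80 action=allow
2012-06-01 10:00:10 src=192.0.2.5 dst=192.0.2.10 dport=80 action=allow
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    d["dport"] = int(d["dport"])
    return d


def find_scanners(log_text, window=timedelta(seconds=60),
                  port_threshold=5, host_threshold=5):
    """Return {src: reason} for every source that, within `window`, touched
    at least `port_threshold` distinct ports on one host (vertical scan) or
    at least `host_threshold` distinct hosts on one port (horizontal sweep).
    Denied and allowed connections both count: a scanner is identified by
    breadth of attempts, not by whether the firewall let a packet through."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in evs[start:end + 1]:
                ports_per_host[e["dst"]].add(e["dport"])
                hosts_per_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    findings[src] = f"vertical scan: {len(ports)} ports on {dst}"
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    findings[src] = f"horizontal sweep: {len(hosts)} hosts on port {port}"
    return findings


if __name__ == "__main__":
    for src, reason in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {reason}")
```

The two thresholds are deliberately low so the constructed sample trips them; on a real perimeter you would tune them against a day of baseline traffic, and a source that appears here repeatedly is a good candidate for a block list and for checking what, if anything, answered it.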

You don’t even have to do this yourself. One free service called SHODAN does it for you: it records everything it finds at the common port numbers (web servers, FTP servers, SSH daemons, etc.) and lets you search the results just like Google. Two things make this work so well: (a) most modern industrial equipment includes embedded web servers and/or FTP servers to allow remote maintenance, and (b) most web servers and FTP servers respond with some kind of unique “banner” when you connect to them, announcing who or what they are.
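Because the banner is what gives a device away, the same matching can be turned around and run over your own address space before a search engine does it for you. The script below is an added example for this page, not the author’s code: it takes constructed banner-grab records (IP, port, banner text) of the kind you would get from auditing your own public ranges or from a SHODAN export for your own netblock, matches them against a small keyword list built from the product names mentioned in the post (an assumption, not a complete fingerprint database), and rates each hit by whether the address is actually reachable from the internet.

```python
"""Flag service banners that look like industrial automation devices.

Added example, not from the post. The records below are constructed samples
(documentation address ranges, made-up banner text); the signature list is
an assumption drawn from product names in the post, not a real fingerprint DB.
"""
import ipaddress
import re

# (regex over the banner text, human label). Extend with your own inventory.
INDUSTRIAL_SIGNATURES = [
    (re.compile(r"ControlLogix|ENBT|Allen-Bradley|Rockwell", re.I), "Rockwell/Allen-Bradley"),
    (re.compile(r"Modicon|M340|Schneider", re.I), "Schneider Modicon"),
    (re.compile(r"Phoenix Contact", re.I), "Phoenix Contact"),
    (re.compile(r"WebAccess|Broadwin|Advantech", re.I), "Advantech/Broadwin WebAccess"),
]

# Ports that should never face the internet on a control device.
CONTROL_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP",
                 21: "FTP", 23: "Telnet", 80: "HTTP"}

# RFC 1918, loopback and link-local: anything else is treated as reachable.
# (ipaddress.is_global would also reject the TEST-NET ranges used in the
# constructed samples, so the check is written out explicitly here.)
NON_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed audit results: four public-range hosts and one internal one.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.20", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\nServer: Allen-Bradley 1756-ENBT/A\r\n"},
    {"ip": "203.0.113.21", "port": 21,
     "banner": "220 Modicon M340 FTP server ready"},
    {"ip": "203.0.113.22", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n"},
    {"ip": "203.0.113.23", "port": 502, "banner": ""},
    {"ip": "10.1.5.7", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\nServer: Advantech WebAccess\r\n"},
]


def is_internet_facing(ip):
    """True if the address lies outside private, loopback and link-local space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_INTERNET)


def classify_banner(banner):
    """Return the vendor label of the first matching signature, else None."""
    for rx, label in INDUSTRIAL_SIGNATURES:
        if rx.search(banner):
            return label
    return None


def audit(records):
    """Rate each record: 'critical' for an identifiable control device on a
    public address, 'info' for one on a private address, 'high' for a control
    protocol port (Modbus/TCP, EtherNet/IP) open publicly with no usable
    banner. Records that match nothing are dropped."""
    findings = []
    for r in records:
        vendor = classify_banner(r["banner"])
        service = CONTROL_PORTS.get(r["port"])
        public = is_internet_facing(r["ip"])
        if vendor and public:
            severity = "critical"
        elif vendor:
            severity = "info"
        elif service in ("Modbus/TCP", "EtherNet/IP") and public:
            severity = "high"
        else:
            continue
        findings.append({"ip": r["ip"], "port": r["port"], "service": service,
                         "vendor": vendor or "unknown", "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"{f['severity']:8} {f['ip']}:{f['port']} {f['service']} {f['vendor']}")
```

An empty banner is not a clean bill of health: the fourth sample answers on the Modbus/TCP port and says nothing, which is exactly why it gets its own severity rather than being ignored. The “info” hit on the private address is worth keeping in the report too, since it tells you where the device would end up if someone later added a NAT rule for remote maintenance.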

So, if you still think it’s fine to put industrial automation equipment on the internet, here’s a little experiment you can run:

  1. Take a ControlLogix with an ENBT card and hook it directly to the internet, so it has a real IP address.
  2. Wait a couple of days.
  3. See if your IP address shows up on this SHODAN search page.

You could try the same thing with a Modicon M340.

This query for Phoenix Contact devices is particularly scary, as one of the links is a wind turbine! I was a bit scared once I opened it (it opens a publicly accessible Java applet that’s updating all the data in real-time), so I closed it. There was no password or anything required to open the page. At least the button that says “PLC Config.” appeared to be grayed out. Let’s hope that means it’s protected by some kind of password… and that it’s hardened better than every single major corporation’s website was this year.

Just want to say thanks to DigitalBond for pointing out this SHODAN search for all Advantech/Broadwin WebAccess deployments around the world too.



  • More Control Systems Found Attached to the Internet · Contact and Coil · June 9, 2012 at 10:06 am

    […] Back in November I published a blog post about Finding Internet-Connected Industrial Automation Devices and one of the scariest things I found was a wind turbine in Oklahoma with no apparent […]

  • Brian · January 10, 2013 at 9:55 am

    A common mistake people make is thinking that PLC Ethernet is the same Ethernet their office PC uses. Ethernet/IP is a completely different animal, and it can wreak havoc on a corporate network. I think the problem is in the naming. People with a barely tenuous grasp of networking see “IP” and think “oh, it’s Internet Protocol, like an IP address.” They don’t realize it actually means “Industrial Protocol.”

    At my company when we started the switch from DH+ to Ethernet we put a few PLCs on the corporate network knowing this, thinking we’d be okay since it was only a few controllers without any remote IO or CIP messaging. Eventually our “fleet” grew to where it started causing problems. Controllers would just “fall off” the network for no apparent reason.

    Thankfully we installed several fiber-linked managed switches and created our own subnet without internet access for plant automation. Now we have no mysterious connection problems. The hardware really does make a difference.
