Vulnerable industrial controls directly connected to Internet? Why not?
Yesterday, Siemens issued an update to a year-old product vulnerability warning for its SIMATIC S7-300 and S7-400 families of programmable logic controllers (PLCs)—industrial control systems used to remotely monitor and operate manufacturing equipment. The alert, originally issued in December of 2016, was updated on Wednesday to include another version of the S7-400 line. The Department of Homeland Security pushed out an alert through the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) today. The systems in both device families are vulnerable to remote attacks that could allow someone to obtain login credentials to the system or reset it into a "defect" mode, shutting down the controller—essentially executing a denial-of-service attack on whatever equipment it is attached to.
You might not think that factory industrial controls would be directly accessible from the Internet. But a quick survey of devices open on the network port mentioned in the advisory (TCP port 102) using the Shodan search engine revealed over 1,000 Siemens devices directly accessible on the Internet (plus a certain number of honeypots set up to detect attacks).