

This project was a subset of Project SHINE (SHodan Intelligence Extraction), providing one example of what would happen if a device were directly connected to the Internet.


The objective of the project was to substantiate that directly connecting an ICS device to the Internet could have consequences. As such, the premise of this project was to:

  • Obtain current ICS equipment through public sources (eBay), and deploy this equipment as actual cyber assets controlling perceived critical infrastructure environments;
  • Ascertain any pertinent threat or attack vectors, as well as scope and magnitude of any attacks against the perceived critical infrastructure environments;
  • Record network access attempts, and analyze captured packets for any patterns; and,
  • Report redacted findings for public awareness to governments and media outlets.

Device Specification / Configuration

The device used was manufactured by Siemens RuggedCom and was intentionally programmed with an outdated and highly vulnerable version of the device’s firmware.

The device was portrayed and configured as an access-point controlling a water pump to a wellhead for a local municipality’s water system.

The contact name was fictitious; any resemblance to any individuals with a similar name is entirely coincidental. A screen shot of the redacted web interface is shown below:

Experiment Execution

The device was placed online 14-Oct-2014 (Tuesday), and taken out of service 27-Dec-2014 (Saturday). Once placed directly on the Internet, the device was monitored closely for any activity. In less than 2 hours, the device was actively probed.


Based on the data examined, it appeared that the majority of the access attempts originated from IP addresses belonging to China. The originating IP addresses may have been proxied in an effort to mask the true sources.

  • First observed attack from logs: < 2 hours
  • First observed on SHODAN: ~ 2 days
  • Total number of access attempts: 140,430
  • Total number of unique IP addresses: 651

As this experiment was conducted for only 75 days (roughly 2.5 months), these figures demonstrate the intensity with which the probes were performed.
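
The summary figures above (time to first probe, total access attempts, unique source addresses) are the kind of metrics a honeypot operator derives from connection logs. The following Python sketch is an added example, not the project's own tooling: the log format (ISO timestamp followed by source IP), the deployment time of day, and the sample lines are all constructed assumptions, with addresses taken from the RFC 5737 documentation ranges.

```python
from collections import Counter
from datetime import datetime

# Assumed deployment time: the page gives only the date (14-Oct-2014).
DEPLOYED_AT = datetime(2014, 10, 14, 12, 0, 0)

# Constructed sample log (not project data): "<ISO time> <source IP>".
SAMPLE_LOG = """\
2014-10-14T11:59:00 192.0.2.55
2014-10-14T13:47:10 192.0.2.10
2014-10-14T13:47:12 192.0.2.10
2014-10-14T15:02:44 198.51.100.7
malformed line without fields
2014-10-15T00:10:05 203.0.113.99
2014-10-16T09:30:00 192.0.2.10
"""

def summarize(log_text, deployed_at):
    """Return probe statistics for a device placed online at deployed_at."""
    first_seen = None
    sources = Counter()   # attempts per source IP
    per_day = Counter()   # attempts per calendar day
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            src = parts[1]
        except (IndexError, ValueError):
            skipped += 1  # count unparseable lines instead of aborting
            continue
        if ts < deployed_at:
            continue      # traffic logged before exposure is not a probe
        if first_seen is None or ts < first_seen:
            first_seen = ts
        sources[src] += 1
        per_day[ts.date()] += 1
    return {
        "time_to_first_probe": first_seen - deployed_at if first_seen else None,
        "total_attempts": sum(sources.values()),
        "unique_sources": len(sources),
        "busiest_source": sources.most_common(1)[0] if sources else None,
        "attempts_per_day": dict(per_day),
        "skipped_lines": skipped,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, DEPLOYED_AT).items():
        print(f"{key}: {value}")
```

Tracking skipped lines and per-day counts alongside the totals makes it easier to spot logging gaps and bursts that a single aggregate number would hide.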