Digital Bond

For Secure & Robust ICS


Unsolicited Response Podcast Is Back … With John Matherly of Shodan

May 23, 2017 by Dale Peterson 1 Comment

Rebooting the Unsolicited Response Podcast was one of my 2017 goals, and I didn’t want it to be one and done. So I recorded a number of them before issuing this first episode so you can expect at least one a month. (Episode 2 is with Joel Langill, aka SCADAhacker).

If you have any suggestions for guests or topics please send them to s4@digitalbond.com.

In Episode 1 I interviewed John Matherly, the creator of Shodan, in Kuwait. Lots of good content with the breakdown of highlights and times below.

http://traffic.libsyn.com/unsolicitedresponse/17-1_Matherly.mp3

3:10 What is Shodan?

4:45 John’s background and why he started Shodan

9:10 Adding ICS to Shodan … originally John thought it was too risky

10:45 How fast he can add new ICS protocol support (less than a day)

13:00 Looking to add more support for medical devices

16:00 How are the customers using Shodan, external network monitoring is most common use case … but few ICS related customers … more ICS vendors

19:30 Does John see Shodan ever scanning an internal network?

21:00 Shodan does legitimate request scanning … a proper handshake

24:45 What does he do when someone doesn’t want Shodan to scan their address space?

27:30 What has been the industry impact of his Internet connected ICS map?

29:20 The number of Internet connected ICS has only increased since he has been tracking

32:15 The Omron example

35:00 What else are you going to do with all this data, the real value of Shodan’s database

38:15 John’s request of the ICS Community

And at the end we get a bit into the weeds about what Shodan can and should do with various ICS protocol examples.

Filed Under: Podcasts Tagged With: Shodan

Shodan for Rocket Scientists

June 11, 2015 by Reid W Leave a Comment

Shodan is a really useful tool for, well, all sorts of research. Not only can you quickly determine what the public-facing security impact of a new vulnerability is going to be, you can find all sorts of control systems attached to the Internet that shouldn’t be. Searching for random control-systems related terms sometimes even steers a researcher towards new and interesting equipment to test.

John Matherly, who runs Shodan, is constantly tweaking settings and adding features (and new scan types) to help the security community. [On a personal level I can’t thank him enough for teaching me all of the tricks that I’m writing about here].

Two of the recent changes made ended up being really helpful for finding some of the most vulnerable ICS systems: telnet options searching and bannerless telnet searching.  The latter of these is only available to folks who pay for API access, but it opens up some rather interesting critical infrastructure to locatability.

Way back in 2012 we did Project Basecamp.  The ‘Biggest Loser’ of Project Basecamp, purely on the number of red ‘X’ security failures, was General Electric’s D20ME RTU.  (I should mention that GE has made strides in improving the line with the release of their D20MX, but the D20ME line will remain forever vulnerable).  Back then, I really wanted to be able to search for the D20 on Shodan but couldn’t.  This was because the D20 only supports Telnet, and it supports it in a way that Shodan didn’t support.  Until now.


Filed Under: Digital Bond Labs, Remote Access, Research Tagged With: search, Shodan, telnet

Unsolicited Response Podcast #2 – Bob Radvanovsky on Project Shine

November 19, 2012 by Dale Peterson Leave a Comment

The Unsolicited Response Podcast occurs whenever events warrant. Late last week I recorded an interview with Bob Radvanovsky who is the owner of SCADASEC and one of the leaders of Project Shodan Intelligence Extraction (Project Shine).

Project Shine has found over 500,000 Internet accessible devices that can be loosely classified as SCADA, DCS or other control system devices. We covered a lot of ground from the motivation of the project, project team, how they identify devices, how they create search terms, what this data means and what they are going to do with the data.

The part I found most interesting was Project Shine’s interaction with DHS. DHS took the 500,000 devices and pulled out 100,000 that fit their criteria as ICS devices and then further used some methodology to reduce this down to 20,000 devices. Bob and the Project Shine team don’t plan on handing the data over to PACS-WG or other efforts outside of DHS due to their perceived privacy of this information.

Related Links:

SCADASEC Mailing List

SCADASEC Archives

Related ICS-CERT Alert

Eireann Leverett’s S4 Video: Denial of Surface – Shodan and ICS

Image by M. Keefe

Filed Under: Podcasts Tagged With: Project SHINE, Shodan, Unsolicited Response Podcast

Focus on Critical Infrastructure ICS?

November 6, 2012 by Dale Peterson 2 Comments

All ICS are not created equal — at least not from an impact to the critical infrastructure. There is a tendency to treat every ICS vulnerability or ICS security issue as a dire impact to a nation’s critical infrastructure. Those responsible for securing the critical infrastructure don’t have the bandwidth to address every ICS security issue and probably shouldn’t unless a government believes they are an adjunct to every company’s security department.

The latest and largest examples are the worthy efforts by Project SHINE, Eireann Leverett (see his S4 presentation) and other researchers to highlight the problem that a large number of insecure ICS devices are accessible from the Internet. Project SHINE has found over 500,000 Internet accessible ICS devices in six months, so there is no disputing this is a security issue for a large number of companies and organizations.

The question is what should be done about this? Particularly what should a government organization responsible for homeland security, such as DHS, do about this? Finding who owns these devices is not easy and the numbers would require either staffing up or allocating a significant percentage of ICS-CERT or other DHS resources to this problem.

Almost all of these systems are not what the US Government would label as critical infrastructure ICS (let’s say the top 1000 if such a list exists). This is self-evident in that even if all 1000 had Internet accessible connections it would only amount to .2% of the SHINE findings. In our experience, which admittedly is limited based on our size and working with ICS that pay for security consultants, ICS that a consensus would consider critical infrastructure are not Internet accessible. This has been true for about five years now. I’m not arguing that critical infrastructure ICS are adequately secured, but their being Internet accessible is not one of the significant problems. Therefore if DHS is focused on securing ICS that run the critical infrastructure, then tracking down the SHINE identified devices would be highly inefficient risk reduction.

DHS or other government organizations can and are doing a good job highlighting this widespread problem and the risk associated with it. These organizations are well suited for this security awareness role because of the respect and attention they garner from the media and business. I’d argue this is efficient risk reduction if Alerts and presentations raise awareness and result in thousands of ICS owner/operators looking for Internet accessible ICS devices.


Filed Under: DHS, ICS-CERT, Research Tagged With: DHS, Project SHINE, Shodan

Get Your ICS Off The Internet!

February 27, 2012 by Dale G Peterson 1 Comment


A number of loyal readers have been sending in examples of vulnerable, Internet accessible control systems. The example below from Patrick Stave of Norway is representative of what we are receiving. In this case, I 100% agree with ICS-CERT that if you have your SCADA or DCS on the Internet, you are facing an increased risk.

Check out Shodan for “NS web interface”.
This is a HMI-panel with remote operation from Omron.
Runs on 1980s Microware OS9 operating system.

Default user details (actually they are difficult to change!):
Username: default
Password: default

Only operation mode requires authentication.
All panels where the password has been changed can still be monitored on URL /monitor.htm

Also some of these can be altered with the engineering software CX-designer over web without authentication (of course a result of port forwarding from the user).
Also the panel can be used as a gateway to connect to the PLC and vice versa.

Have found several examples of PLCs directly configurable / controlled over internet without authentication.

Patrick then provided some screenshots showing some displays:

SCADA on Internet

British monitoring and water feed control for a hydroelectric power plant. Accessible / controllable / programmable over the Internet, with no password.

DCS on the Internet

A large water/sewage monitoring system for a county.

Filed Under: Research, SCADA Hacking Tagged With: SCADA on Internet, Shodan

S4 Video: Denial of Surface – ICS on the Internet

February 9, 2012 by Dale G Peterson 1 Comment

This is the presentation to watch if you want to learn about Shodan finding ICS components on the Internet. It spawned a few articles including Wired’s 10K Reasons To Worry About Critical Infrastructure.

[vimeo http://vimeo.com/36494103]

Eireann Leverett’s presentation is based on his dissertation for a Masters in Advanced Computer Science under Dr. Ross Anderson at Cambridge University. The hard statistics and visualization of the ICS components connected to the Internet begin at the 18 minute mark. Here are a small number of the interesting stats:

  • $2.18 cost per Internet node discovered
  • Scanned for 33 different banners (products)
  • Found 10,358 ICS devices around the world
  • Visualization tool shows what is found where on a map


Filed Under: Research, S4 Tagged With: ICS on Internet, S4, Shodan


About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.
