Processing Magazine

Can Shodan search your site’s network for Internet devices?

A nearly 400% increase in infrastructure cyber-attacks in 2011

March 1, 2014

By Alan Grau

"Look at you, hacker: A pathetic creature of meat and bone. Panting and sweating as you run through my corridors. How can you challenge a perfect immortal machine?" – Shodan from System Shock.

While the Shodan search engine may not yet be a “perfect immortal machine,” it has been described as “the scariest search engine on the Internet,” according to CNN Money.

Google is a search engine for content. Shodan is a search engine for servers, webcams, printers and other devices connected to and making up the Internet of Things.

With Shodan, critical systems can be identified searching by city or GPS coordinates and vulnerable devices can be discovered. Having located such devices, would-be-hackers can quickly get a list of exposed ports and protocols.

This is information that could be used to disable security alarms, access control systems and devices and steal information. Using the SHODAN search engine, one researcher found about 20,000 Internet-accessible industrial control systems.

Many embedded devices found by Shodan are not secure because they rely on a host network or on “security by obscurity,” assuming no one will discover the device. Relying only on a host network for security is short sided, and with Shodan, it’s not acceptable to assume devices won’t be discovered. Additional security must be built into industrial-control and embedded devices. 

[Sidebar:]

Wikipedia says:
• SHODAN (Sentient Hyper-Optimized Data Access Network) is a fictional “artificial intelligence” and the main antagonist in the cyber punk-horror themed video game, System Shock.
• Shodan is a search engine that finds specific types of computers on the Internet. It collects information about server software, service options or anything else a client can find out from a server.

[end sidebar]

Securing industrial control

The Stuxnet worm, and its variants “duqu” and “flame,” were the first-known rootkit attacks against industrial-control systems. However, these are not the only reported attacks against industrial control systems. ICS-CERT reports a 383% jump in cyber-attacks against U.S. critical infrastructure in 2011.

Security for industrial process-control devices must control communications, detect and report attacks or suspicious traffic patterns, and allow centralized security policies. This is a much higher level of security than password-only security and protection from most cyber-attacks.

The security solution must include:

  • Packet filtering to control the packets processed by the device
  • Management of filtering policies
  • Protection from hackers and cyber-attacks from the Internet, inside the corporate network or compromised WiFi networks
  • Protection from DoS attacks and packet floods
  • Reporting of traffic abnormalities, probes or attacks

Given that many embedded devices don’t include any of these capabilities — and the growing risk of cyber-attack — it is clear a new approach is required.  

Security of a device

How can security be added to an industrial-control device?

Many devices are “special” and standard PC security solutions won’t work. To meet security guidelines requires an approach customized for devices.

To start, device manufacturers must build enhanced security into the device itself. It’s not enough to protect via a corporate firewall. The device may not be on a secure network, the corporate firewall could be breached, or attack could come from an insider within the network itself. Either a physical or a software layer of defense build into the device itself is critical.

An integrated firewall provides basic, critical security for networked devices by controlling what packets a device processes. Embedded firewall software can reside on the device itself, and is integrated into its communication stack. Device communication requirements are encoded into a set of policies defining allowable communication. The firewall enforces these polices, limiting communication to the policy-specified IP address, ports and protocols.

Since each packet or message received by the device is filtered by the firewall before passing from the protocol stack to the application, many attacks are blocked before a connection is even established, providing a simple, yet effective layer of protection missing from most devices.  

Detection and mitigation

Once deployed devices are protected, it’s critical to know about attacks and be able to mitigate them. This is achieved by integration with a security-management system. The firewall should include a management agent that enables:

  • Reporting of invalid login attempts and other security events
  • Reporting of packet floods and other suspicious traffic
  • Configuration of filtering policies

Security-system integration lets protected devices notify network management personnel of issues and attacks, allows mitigation and prevents network proliferation. This type of networked security management is standard for PCs and servers and is needed for industrial control systems as well. Integrated device security provides a critical, missing security layer.

However, many legacy devices and networks already deployed lack sufficient security. Upgrading in the field to improve security is difficult and expensive, and the device maker may not yet have a secure solution. Replacing with a new device can be even more expensive.

For systems not easily replaced or upgraded, a “bump-in-the-wire” appliance solution can do. Placed between device and network, this type solution cost effectively protects legacy devices by creating a “secure enclave” in which devices can operate. Only trusted devices are deployed within the secure enclave and these can freely communicate with each other. Communication outside the enclave is security-controlled. The “bump-in-the-wire” appliance enforces communication policies, ensuring only valid communication is allowed with the endpoints within the secure enclave.  

Final words

Shodan allows unsecured devices to be discovered, making them easy targets for hackers. Standard PC security solutions cannot protect industrial devices. Given a growing number of cyber-threats, it is critical to build security into the device. For installed bases, an embedded firewall solution can be used to add security, shield devices from Shodan and protect against cyber-attack. By controlling what the device talks with, most attacks are blocked before a connection is established. Enterprise security experts have used “defense-in-depth” strategies for a long time now. The cornerstone of this strategy is a firewall. This same strategy needs to be adopted to build secure industrial systems.

Alan Grau is the President and co-founder of Icon Labs, a leading provider of security solutions for embedded devices. You can reach him at alan.grau@iconlabs.com

Caption for Table: Integrating a firewall into an industrial control device provides a critical, missing layer of security.

Caption for Infographic: Built-in cyber security protects process control devices from discovery by Shodan, shielding them from hackers and possible cyber-attacks.

Caption for FG Defender photo: Legacy industrial systems can be protected with a “bump in the wire” security solution such as Icon Labs Floodgate defender appliance. This provides an easy to install and cost effective security solution for existing devices and systems.