How Shodan helps identify ICS cybersecurity vulnerabilities

What is Shodan?

Shodan is a search engine for devices connected to the internet. It is not the same as popular search engines like Google or Bing; these common search engines focus on the content of a website exposed to the public internet.

Shodan scans ports on internet-connected devices to enable searches for specific types of devices -- such as IoT surveillance cameras or network-attached storage (NAS) devices -- and searches for specific network services that are accessible on internet-connected devices. For example, Shodan can be used to search for a particular type of NAS that accepts Telnet session requests or an IoT baby monitor that enables remote access to its file system.

Shodan searches for open ports rather than publicly accessible websites. With Shodan, a user can search for specific services running on a host. As a result, if a single IP address hosts more than one service, Shodan will list all the open services at that address.

One example of an HTTP banner from The Complete Guide to Shodan by John Matherly can be seen below:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Sat, 03 Oct 2015 06:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6466
Connection: keep-alive

Here, we can see that the device is running the Nginx web server software version 1.1.19. Most application protocols return similar headers when a connection is initiated, with specific information about the services provided.

However, these banner capture results can vary substantially. Some protocols are configured to deliver significant data about a service by default, though system administrators can configure their servers to limit that information. For instance, servers supporting the Siemens S7 protocol -- which was a key target of the Stuxnet attack -- can include information about the firmware, its serial number, its module name, its hardware serial number and its version in its banner.

The data collected by Shodan includes metadata such as the host name, server properties, operating system, geographic location, as well as properties related to the application or transport layer protocols, such as the server message block, the SSH protocol, TLS and SSL, and information about how the data was gathered by Shodan.

To a hacker, the more information Shodan provides, the better it is for the enumeration and identification of possible vulnerabilities and attack vectors. To a defender, Shodan searches emphasize the need to disable application protocols that are not required and to configure the application protocols that are necessary to limit the amount of data accessible by Shodan.

There are four levels of Shodan user accounts and they range from free with limited access to about $900 for unlimited access at the time of this writing.

Using Shodan as a network vulnerability self-check

Shodan can only grab protocol banner information from services that run on devices directly connected to the internet -- those services and devices should be invisible if they are situated behind properly configured firewalls. This means a network security engineer -- or hacker -- can use Shodan to identify all the devices -- and all the internet-facing vulnerabilities -- in an organization or IP range.

Searching Shodan with selected filters or search terms, it's possible to identify the total number of banners Shodan gathers for a selected range of IP addresses, the number of ports on the network exposed in the banners gathered, and the different versions of SSL and TLS in use on the exposed systems.

Shodan can also identify how many devices in a company's public network range are running a Telnet server. Telnet is a notoriously weak protocol because it does not require authentication, and it is ordinarily replaced with the more secure SSH service.

The results of a Shodan search for open Telnet services is shown in the screenshot below. Shodan found over 4 million devices touching the internet that have enabled client requests on the port used by Telnet, port 23.

This can be helpful if, for example, a consultant is ready to conduct a security assessment of a company or if a network security engineer checks a company's internet-facing security.

Shodan and ICS cybersecurity

For better ICS cybersecurity, Shodan can be used to easily identify those devices that directly connect to the internet with open application ports. One way is by using Shodan to scan for ICS-specific protocols such as the following:

• Modbus port 502
• DNP3 port 20000
• Fieldbus ports 1089 through 1091
• Profinet ports 34962 through 34964
• EtherNet/IP port 2222

Project Shine

Beginning in 2008 and continuing through January 2014, Bob Radvanovosky and Jake Brodsky of Infracritical ran a project called Project Shine -- Shodan Intelligence Extraction. They used the Shodan API and more than 700 specific queries to identify internet-facing ICS devices that could be vulnerable to attack or compromise.

Radvanovosky and Brodsky also partnered with the U.S. Department of Homeland Security (DHS) to identify over 500,000 internet-facing, ICS-related devices globally. Then, with further work with DHS ICS experts and the DHS ICS-Cyber Emergency Response Team, they were able to narrow the results to 7,200 devices -- with many lacking even basic security precautions and using weak, default or no authentication.

In an article published in 2013, Eric Byres observed that the Project Shine results revealed lists of traditional SCADA/ICS equipment. However, the work also uncovered additional device types with weak security or authentication that are not traditionally thought of as SCADA or ICS tools that faced the internet. These included medical devices, CCTV cameras, environmental controls and others. They also found odd things, such as off-road mining trucks and crematoriums connected to the internet.

Project Shine uncovered more than 65 different manufacturers of these devices ranging from Siemens to Motorola to Caterpillar.

Protecting systems from exploits

DHS ICS-CERT released an alert entitled "Alert (ICS-ALERT-11-343-01A): Control System Internet Accessibility (Update A)" in 2012, which it updated in 2018. The authors observed in this alert:

Internet facing control systems have been identified in several critical infrastructure sectors. The systems vary in their deployment footprints, ranging from stand-alone workstation applications to larger distributed control systems (DCS) configurations. In many cases, these control systems were designed to allow remote access for system monitoring and management. All too often, remote access has been configured with direct Internet access (no firewall) and/or default or weak user names and passwords. In addition, those default/common account credentials are often readily available in public space documentation.

The ICS-CERT alert lists several actions that should be taken by ICS device owners to reduce and preferably eliminate these vulnerabilities. These actions include the following:

• audit control systems whether or not they are connected to the internet to find and get rid of any default, administrator-level user names and passwords;
• implement defensive security measures to minimize the risk of exploits;
• control network exposure for all ICS devices and make sure they do not face the internet directly;
• locate and isolate ICS networks and devices behind firewalls;
• implement virtual private networks that use two-factor authentication for remote access;
• eradicate default system accounts;
• put account lockout policies in place;
• require the use of strong passwords and multifactor authentication; and
• limit the number of administrator-level accounts, particularly by third-party vendors.

Although CNN called Shodan "the scariest search engine on the internet," it is an amazing tool that can help network security engineers and CISOs identify their weak points with internet-connected devices -- hopefully, before the bad guys do.