Wednesday, November 3, 2010

More Info on SHODAN ‘Vulnerability’

Last week I did a blog post about the DHS ICS-CERT alert on how the SHODAN search engine can be used to allow cyber criminals and terrorists to identify vulnerable control systems. Yesterday Jason Holcomb over at provided a more detailed description of how the relatively new search engine works. More importantly, he explains how facility system security engineers can use the same search engine to evaluate their system's exposure to an Internet-based attack.

Now exposure to the Internet is certainly not the only factor that could make a high-risk chemical facility’s control system vulnerable to attack; Stuxnet showed how an attack could be engineered without such exposure. System exposure to the Internet, especially if easily identified with a publicly available tool like SHODAN, will certainly make it easier to conduct a cyber attack on a high-risk control system.

I certainly think that it would be reasonable for the chemical facility inspection team to have information about the potential Internet exposure of control systems at facilities they are planning to inspect. I’m not sure if ISCD currently has the manpower or skill sets to accomplish such SHODAN searches. If not they need to consider adding that capability, perhaps establishing a small cyber-security staff to provide general support to the inspection teams.

Another alternative would be to work out an understanding with the folks in DHS who are the experts in control system security, ICS-CERT. Now the ICS-CERT people are not any more over-staffed than ISCD, but they do have the internal expertise to conduct such searches in an effective manner. It might be valuable for ISCD to request that ICS-CERT do these SHODAN searches of each facility as part of the Security Vulnerability Assessment review process. That way, if a vulnerable system is detected, DHS could include that fact in their Site Security Plan notification letter as an issue that must be addressed in the SSP.

Of course, facilities should not rely on DHS to do this search for them. The facility security team working on the CFATS process should do this as part of their own assessment process. Facilities lacking the internal resources to conduct such a search should ensure that whatever security consultant they use to help them work their way through the CFATS process has that capability.


Anonymous said...

Good points in this article.

However, as for ISCD not having the manpower or skill sets to do Shodan...well, that's just plain scary, imho.

Further, Shodan is just the tip of the iceberg. Bear in mind the fact that SCADA systems are discoverable using the classic GoogleDorks types of searches (or BING, etc.).

Finally, more attention needs to be given to the incorporation of SCADA attacks into the Metasploit framework, as noted here:

PJCoyle said...

For my response to the comments made by Anonymous see:
