On Saturday Jake Brodsky (a frequent commenter, an ICS manager, and a person with his fingers in lots of ICS security projects) left a comment on my blog post on the ICS-CERT Nordex Alert. Jake used my mention of the missed SHODAN angle for the vulnerability discovery as a springboard to mention Project Shine that he and Bob Radvanovsky have been working on. I’m glad he did because I have only mentioned this project in passing.
Project Shine (SHodan INtelligence Extraction) is an ongoing project that uses the SHODAN search engine to identify industrial control systems that are facing the internet. To date they have found well over 1,000,000 systems (that number was bandied about back in the middle of September and they are adding a couple of thousand new systems every week) that look like control systems.
Now this includes building environmental control systems, security systems and the like, but there are enough industrial control systems involved to kill the idea that these systems are not connected to the internet. This point is emphatically made by Eric Byres in his blog post.
Now I am not going to get involved in a technical discussion of how these two are using SHODAN to discover potential ICS systems facing the internet. Dale Peterson’s podcast conversation with Bob does that well enough. But I do want to talk about some interesting implications that Bob and Jake have not talked about.
First off, you have to understand that Project Shine is not a professional job (though both Bob and Jake are certainly professionals). As I understand it, it is being run out of the basement laboratory in Bob’s home. I don’t suspect that Bob’s basement is really very normal, but this is a project running on a private system with limited resources. Think of a super geek’s version of Gibb’s basement boat building; professionally, even painstakingly, done in the spare time of a very busy team.
So what would a Project Shine executed by a professional organization with extensive time, resources and expertise (say the NSA? Or its Russian or Chinese or Israeli counterparts) look like? Well it wouldn’t use a limited search engine like SHODAN. It would custom design a program using high-speed computational assets that geeks like Bob and Jake can only dream about. They would have a team of engineers and analysts working the project around the clock. And they would not be afraid to reach out and gently touch the systems so that they could determine exactly where and what they were.
Why would they do that? Let’s face it; if you want to be able to conduct cyber-war (and you have to because the other guy is) then you have to understand the battlefield and you have to have a target list. Remember, since WWII modern warfare has not been about destroying the other guy’s military (those are hard targets), it has been about destroying his will and ability to conduct war. You do that by targeting his critical infrastructure. And if you are really smart, you might consider weakening his CI well before you go to war.
If you don’t think that this is happening right now, then you haven’t been paying attention to the news. Now does this put cybersecurity for control systems into a different perspective? For most people (and certainly for politicians) probably not; if nothing has happened, then nothing will happen.
Except when it does happen, the Washington political establishment will make Chicken Little look like an over-sedated octogenarian. Just look at what happened when two buildings were destroyed and a couple of thousand people killed. What happens when we are really attacked?