In case you missed it, ICS-CERT issued an advisory about using SHODAN for identifying SCADA components connected to the Internet. The advisory covers the issues and the IT news outlets are picking up the story as well. Rather than echo that information or complain about the awful combination of poor security hardening practices and Internet connectivity, I thought we’d cover two things in this post: 1.) What you need to know about SHODAN; and 2.) How you can proactively use SHODAN to help verify that you are not exposing control system components to the Internet.

So here’s the quick background: SHODAN is a search engine. It’s just like Google except that, instead of indexing web page content,  it indexes banner information. It indexes data on HTTP, SSH, FTP, and SNMP services for a good portion of the IP net blocks that make up the Internet. You can find it at http://www.shodanhq.com and even change it to your preferred search provider in some browsers. You can do basic searching for free. An account is required for some features, and others require the purchase of credits. For more information, check out Michael Schearer’s presentation given at several conferences this year.

The basic SHODAN search filters are country, net, os, and port. There are others but these will get you started. So let’s say an attacker wants to identify all Siemens Simatic devices in the US by their SNMP banner. The search looks like this:

port:161 country:US simatic

This search returns about 25 results. Hopefully that helps to start understanding the SCADA implications. There are a lot of simple searches that yield interesting results like “PLC” and various vendor and product names. It doesn’t take much creativity or skill to identify juicy and/or vulnerable SCADA targets.

The net filter allows you to search by an IP range, which is important for using SHODAN from a defense perspective. We may not care about all the other people exposing their PLCs to the Internet, but we do want to verify that we are not.

So the first step in the process of using SHODAN from a defense perspective is arguably the most critical: identify your public IP address space. One place to start is with the Regional Internet Registry (RIR) for your region. There you can perform a WHOIS search for your organization. In North America, ARIN is our RIR and you can find the advanced WHOIS search page here. You may not own all your IP space, however, so the identification process should not stop there. Make sure you identify and include all IP ranges for public carrier lines, leased circuits, wireless communication, etc… Hopefully internal documentation and diagrams will help with this task as well.

Another note about attacks: a traditional, targeted attack may follow a similar identification process and then scan your IP ranges to look for interesting or vulnerable targets. SHODAN doesn’t really change anything with this approach. What it does change is the ability for someone to find vulnerable or interesting targets in a non-targeted manner and makes the process quick and easy. Hence the concern and advisory from ICS-CERT, especially when combined with default passwords and other problems with control system servers and devices. But I said I wasn’t going to complain about that… at least not in this post.

Once you have a list of your public IP address ranges compiled, you can use this information to filter your SHODAN search. So you could search like this using CIDR notation:

net:123.123.0.0/16

Note: you do have to create a SHODAN account (or login with other accounts such as Google, Twitter, OpenID, etc…) to use the net filter.

You can then sort through the results to verify that only those components that should be Internet-accessible actually are. If your organization has a large IP space, you can use some of the other filters to help narrow down the results. You can use generic search terms like PLC, control system vendor names, etc… If you happen to have banner information for all your assets catalogued, the searches will be more effective. Just be careful because you may miss something. It’s probably best to look at the complete list. Of course another option is to perform your own scans of your address space on a periodic basis.

SHODAN has some export features you could use to do comparisons over time. This option will cost you a few dollars and some may object to giving money to support a tool that helps enable attacks. The same could be said for any search engine, though. For what it’s worth, it appears that the original creator of SHODAN never intended it to be used for attack or other InfoSec-related purposes. And, again, you could perform your own scans instead of using SHODAN but extra verification never hurts.

So what do you do if you find something? If you have control system components that require Internet connectivity, the ICS-CERT Advisory recommends the following:

  • Placing all control systems assets behind firewalls, separated from the business network
  • Deploying secure remote access methods such as Virtual Private Networks (VPNs) for remote access
  • Removing, disabling, or renaming any default system accounts (where possible)
  • Implementing account lockout policies to reduce the risk from brute forcing attempts
  • Implementing policies requiring the use of strong passwords
  • Monitoring the creation of administrator level accounts by third-party vendors

This is good advice. If it were me, I would want to manage remote access in such a way that my control system components’ banner information would never be accessible from the Internet, which generally means placing them behind another device of some type. If this is not possible for whatever reason, you could also consider changing the banner information so an attacker looking for targets wouldn’t be able to easily identify your equipment.

Like most attack tools, if used proactively, SHODAN can be used as part of a defense strategy. Here’s hoping you haven’t accidentally exposed any SCADA devices to the Internet, and if you have, that this post helps you identify them quickly and remedy the situation. If you have devices exposed intentionally, take time to reevaluate the requirements because SHODAN makes it easier than ever for an attacker to find them.