Cyber search engine Shodan exposes industrial control systems to new risks


At first, the Shodan discoveries seemed trivial: devices commonly linked to networks such as printers and Web servers. But as queries became more sophisticated, troubling findings started emerging. One researcher using the system found that a nuclear particle accelerator at the University of California at Berkeley was linked to the Internet with virtually no security. Another identified thousands of data routers — the devices that make networks possible — open to anyone. Because they required no passwords, they could be taken over with ease.

“It was only after nearly a year that individual researchers began digging deeper through the Shodan data to locate devices that weren’t part of the known, discovered Internet,” Matherly said. “Water-treatment facilities, power plants, particle accelerators and other industrial control systems had been hidden from traditional search engines.”


As the dimensions of the challenge posed by Shodan became clear, the DHS Industrial Control Systems Cyber Emergency Response Team issued a stark warning in October 2010, noting “the increased risk” of brute-force attacks on “systems available on the Internet.”

The alert recommended placing all control system assets behind firewalls, using secure remote-access methods and disabling default passwords.

A researcher at Cambridge University, Eireann Leverett, used Shodan to identify more than 10,000 control computers linked to the Internet, many of them with known vulnerabilities. Leverett concluded that many operators had no idea how exposed they were — or even that their machines were online.

“This could be used to carry out remote attacks on selected devices or identify networks for further reconnaissance and exploitation,” Leverett wrote in a thesis, “Quantitatively Assessing and Visualising Industrial System Attack Surfaces,” published in June 2011. “Malicious actors might already be doing this.”

In the United States, security experts Billy Rios and Terry McCorkle said this spring that their research suggests the situation is worse than even Leverett demonstrated. Rios, who works for Google, and McCorkle, who works for Boeing, are both Shodan users who study control systems on their own time.

“The number of control systems on the Internet is far greater than anybody realizes,” said McCorkle, who along with Rios recently discussed control computer vulnerabilities at the National Defense University at Fort McNair. “These systems are insecure by their nature.”

Matherly said he wants his search engine used to improve security. But he said it can be used to shred it as well.

“Shodan has lifted the barrier. There’s no going back,” Matherly said. “Once you shed light on it, you can’t go back into hiding.”

A history of digital attacks

One story from the Cold War shows that cyberattacks on control systems have been in the imagination for a long time. Though some details are hard to confirm, it describes an attack that experts believe could happen today.

In 1981, a Soviet KGB colonel who became a spy for France, code name Farewell, shared Soviet plans to use a Canadian front company to secretly acquire technology to automate the Trans-Siberian gas pipeline, according to “At the Abyss: An Insider’s History of the Cold War,” by Thomas Reed, a former Pentagon official. Tipped off by the French, U.S. officials set up a front company to sell the technology, but only after they made some undetectable alterations to the computer code.
