Impact of the Shodan Computer Search Engine on Internet-facing Industrial Control System Devices

Bodenheim, Roland C.

Impact of the Shodan Computer Search Engine on Internet-facing Industrial Control System Devices

Active / Technical Report | Accession Number: ADA601219 |

Open PDF

Abstract:

The Shodan computer search engine crawls the Internet attempting to identify any connected device. Using Shodan, researchers identified thousands of Internet-facing devices associated with industrial controls systems ICS. This research examines the impact of Shodan on ICS security, evaluating Shodans ability to identify Internet-connected ICS devices and assess if targeted attacks occur as a result of Shodan identification. In addition, this research evaluates the ability to limit device exposure to Shodan through service banner manipulation. Shodans impact was evaluated by deploying four high-interaction, unsolicited honeypots over a 55 day period, each configured to represent Allen-Bradley programmable logic controllers PLC. All four honeypots were successfully indexed and identifiable via the Shodan web interface in less than 19 days. Despite being indexed, there was no increased network activity or targeted ICS attacks. Although results indicate Shodan is an effective reconnaissance tool, results contrast claims of its use to broadly identify and target Internet-facing ICS devices. Additionally, the service banner for two PLCs were modified to evaluate the impact on Shodan indexing capabilities. Findings demonstrated service banner manipulation successfully limited device exposure from Shodan queries.

Author(s):

Bodenheim, Roland C.

Author Organization(s):

AIR FORCE INSTITUTE OF TECHNOLOGY WRIGHT-PATTERSON AFB OH GRADUATE SCHOOL OF ENGINEERING AND MANAGEMENT

Descriptive Note:

Master's thesis

Supplementary Note:

The original document contains color images.

Pagination:

0121

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:

Approved For Public Release

Distribution Statement:

Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR

Identifying Numbers

Report Number(s):

AFIT-ENG-14-M-14

Monitor Series:

DHS ICS-CERT

Subject Terms

Joint Capability Areas:

JCA_5_Command and Control; JCA_5.3_Planning; JCA_6_Net Centric; JCA_6.4.1_Secure Information Exchange; JCA_6.1.2_Wireless Transmission; JCA_6.1.3_Switching and Routing; JCA_6.1.1_Wired Transmission; JCA_6.1_Information Transport; JCA_4.7.2_Installation Services; JCA_4.7_Base and Installations Support; JCA_6.4.2_Protect Data and Networks; JCA_6.4_Information Assurance; JCA_5.3.2_Apply Situational Understanding; JCA_5.4_Decide; JCA_5.4.3_Establish Rule Sets; JCA_4.6_Engineering; JCA_4.6.1_General Engineering; JCA_4.1_Deployment and Distribution; JCA_4.2.1_Manage Supplies and Equipment; JCA_4.2_Supply; JCA_5.3.4_Develop Courses of Action

Modernization Areas:

Cyber

Communities of Interest:

Cyber

Descriptor(s):

*COMPUTER NETWORK SECURITY, COMPUTER PROGRAMS, INDUSTRIAL PLANTS, INFRASTRUCTURE, INTERNET, THESES

Field(s)/Group(s):

Computer Systems Management and Standards

Keyword(s):

SHODAN(SEARCH ENGINE), ICS(INDUSTRIAL CONTROL SYSTEMS), PLC(PROGRAMMABLE LOGIC CONTROLLERS), CRITICAL INFRASTRUCTURE PROTECTION

Report Date:

2014 Mar 27

Creation Date:

2014 Jun 23