Shodan is a well-known security hacking tool that has even been showcased on the popular Mr. Robot TV show. While Shodan can potentially be used by hackers, it can also be used for good to help protect critical infrastructure, including energy utilities.
At the RSA Conference in San Francisco, Michael Mylrea, Director of Cybersecurity R&D (ICS, IoT, IIoT) at GE Global Research, led a session titled "Shodan 2.0: The World’s Most Dangerous Search Engine Goes on the Defensive," where he outlined how Shodan has been enabled to help utilities identify risks in critical energy infrastructure. Shodan, to the uninitiated, is a publicly available search engine tool that crawls the internet looking for publicly exposed devices.
Mylrea explained that utilities are often resource constrained when it comes to cybersecurity and are typically unaware of their risk. In recent years, there have been a number of publicly disclosed incidents involving utilities. To help solve that challenge, Mylrea proposed a project to the US Department of Energy (DoE) to enhance Shodan for utilities so they could use the tool to find risks quickly.
The initial response from the DoE was that they didn't want to invest in a hacking tool. Mylrea's team responded that adversaries don't need Shodan to find vulnerabilities and have their own tools already. An initial proof of concept was also conducted that was able to find vulnerable utilities, which convinced the DoE to move forward on the effort.
"Cyber-threats are evolving faster than systems defenses," Mylrea said. "Bad configuration and asset management leaves devices vulnerable and exposed."
Shodan 2.0
Over a period of a year the publicly available version of Shodan has been enhanced with features to help improve the identification of vulnerable energy utilities. A private version of Shodan has also been developed just to help small utilities.
"Utilities need to really understand how to prioritize their resources in order to reduce risk," Mylrea said. "Shodan is a great way to quickly understand what's publicly exposed and vulnerable, so you can prioritize those resources and take steps to secure those critical cyber-assets."
As part of the effort to improve Shodan for utilities, a simple pull-down menu was added to enable search queries that identify exposed energy delivery systems. To help find those systems, Shodan was updated with new energy-specific protocols, ports, and vulnerabilities. Mylrea noted that improved visualizations and mapping were key parts of the effort, making it easier for utilities to understand risk.
Recommendations and Lessons Learned
Through the process of surveying utilities and understanding their deployments and needs, Mylrea drew several lessons.
His top recommendation is for utilities to have a communications and recovery plan, so that if an incident occurs staff know how to react. He also recommends that utilities not run what is known as a "flat network," where everything runs in the same network segment. Rather, he suggested that utilities should run segregated networks where operational and IT technologies are separated and secured from one another.
Perhaps most importantly though, Mylrea advised the audience that utilities should use Shodan, setting up automated queries to search for bad configuration, exposed services, and potential vulnerabilities.
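As an added illustration (not code from the article or from Mylrea's project), the following Python sketch shows the defender-side shape of such an automated query: it restricts Shodan's `net:` and `port:` filters to a utility's own address ranges, discards any result outside those ranges, and triages what comes back. The address ranges (RFC 5737 documentation space), the ICS port list and the sample response are assumptions; the live `shodan` client call is referenced in a comment rather than made, so the block runs offline.

```python
"""Defender-side Shodan monitoring sketch: query only our own address
space for exposed ICS services and turn raw banners into findings."""
import ipaddress

# Assumption: the utility's own public ranges (RFC 5737 documentation space).
OWN_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]

# Energy/ICS protocol ports that should never face the public internet:
# Modbus/TCP (502), DNP3 (20000), IEC 60870-5-104 (2404).
ICS_PORTS = {502: "modbus", 20000: "dnp3", 2404: "iec-104"}


def build_queries(ranges, ports):
    """One Shodan query per range: scoped to our space, then to ICS ports."""
    port_filter = ",".join(str(p) for p in sorted(ports))
    return [f"net:{ipaddress.ip_network(r)} port:{port_filter}" for r in ranges]


def triage(matches, ranges):
    """Reduce Shodan banners ('ip_str', 'port', 'vulns') to ranked findings.
    IPs outside our ranges are dropped so a bad query cannot widen the scope."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    findings = []
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        if not any(ip in n for n in nets):
            continue
        vulns = m.get("vulns") or {}
        if vulns:
            severity = "critical"          # Shodan already tags a known CVE
        elif m["port"] in ICS_PORTS:
            severity = "high"              # exposed control protocol
        else:
            severity = "medium"            # other exposed service
        findings.append({"ip": str(ip), "port": m["port"],
                         "service": ICS_PORTS.get(m["port"], "other"),
                         "cves": sorted(vulns), "severity": severity})
    # Critical first, then stable order by address and port for diffing runs.
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["ip"], f["port"]))


# Constructed sample in the layout of the Shodan search API response. A real
# run would replace it with shodan.Shodan(API_KEY).search(q) for each query.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.17", "port": 502, "vulns": {}},
    {"ip_str": "198.51.100.9", "port": 80, "vulns": {"CVE-0000-PLACEHOLDER": {}}},
    {"ip_str": "192.0.2.1", "port": 20000, "vulns": {}},   # not ours: ignored
]
```

Scheduling `build_queries` plus `triage` and diffing successive outputs gives the recurring check the recommendation describes, with each new finding feeding the incident and recovery plan Mylrea lists first.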