Updated: Feb 5, 2021
One question Systems and Cyber Security Engineers get asked is whether the company's assets are secure. It sounds like a straightforward question, right?
There are several ways to check and know. One way is by hacking your own devices, but this is not always allowed. The technical reason it may not be allowed is that you don't want to risk causing problems on the system; the legal reason is that you actually need permission to access the system.
While it may seem silly to be stopped by a "rule" that potential hackers will happily break, it is a reality that companies have to deal with. The preferred approach is to use passive means of checking. This could be documentation based, observations, or any tools you have available. For IT environments this is less of an issue, but in an OT environment there are differences from IT that make passive means of checking a necessity.
Is there another way?
Well, you may not be able to actively scan your systems at this point in time, but what if someone already has? Can we check their results?
Online databases as a passive check of your system
There are many online databases of internet-accessible devices that have already been scanned for you. They will typically scan for devices on the internet and store whatever information they could find readily available.
While an entry may not mean anything bad, you should at least investigate whether any of the devices on your systems come up on these sites. You might think that all of your systems are isolated, and it is likely true, but sometimes a development system is on there, or you find a temporary commissioning link that was set up in the past and never got removed.
Whatever the case may be, you are hoping not to appear on one of these lists.
The beauty of some of these websites is that they are mostly free or low cost, and you can even get a nice map showing where these devices are.
OT Engineers can Check their Assets
A superficial check is still a nice peace-of-mind thing you can do for free with zero impact on your operational technology. The general process I will outline for each of these websites is how I have used them, just to get a brief idea of what PLCs or other critical infrastructure technologies are exposed on the Internet, and to confirm there aren't any in my care.
You may not know these databases are available for Operational Technology, but here are our top 3 sites that you should check out.
Censys describes itself as attack surface management using a data-driven approach. While they have many awesome products that may be relevant to your business, I'll only be mentioning the search capability you can use right on their website. Once you land on the homepage you can click on Search IPv4 under Search Censys Data; here's a direct link for your convenience.
Then what you do is type in the vendor of some of the equipment you have. For all the examples we will use "rockwell automation". The fastest approach is to then switch to "map" view and scroll to an area where you know you have equipment. Go through each device shown, as its associated IP address will be shown as well as what ports were found to be internet facing.
In this example I checked for equipment in NSW, Australia.
Using a Google Maps plugin you can see the results, zoom in and click a host to get some detail. We see a few results with this basic query (feel free to do more, but this exercise will just see what is automatically offered). It is pretty simple, but might feel a little limited when compared with the other tools on this list.
ZoomEye is a cyberspace search engine that records information on devices and their associated ports and services, with the stated purpose of its website being security research only. The interface has a search bar straight on the home page. Here we typed in "Rockwell Automation" again, which takes us straight to the result page. You can then click the Maps tab and again scroll to the same geographical area.
ZoomEye appears to show a lot more results by default and also aggregates them, so you can expand and get the list of IP addresses scanned.
It has some Top Countries and Top Services to give you some context which is nice and I quite like the interface. The UX would score higher if the filtering and search was a little easier to work with.
Shodan is an IoT (Internet of Things) focused online database that crawls for 200+ different services that the other ones don't. They also offer APIs and encourage developing with their data. It could be interesting to see what the needs in the OT cyber security space become, and maybe we will try to develop something for Engineering IRL.
While we won't see the map here, you can get a whole bunch of awesome data, which you can see above. In your query, in addition to "Rockwell Automation", you add country:"[Country Code]", in our case AU.
The awesome thing here is you can see the detail of the product name / model number and even the serial number. Another nice piece is you can also see the underlying device IP on the internal network side too.
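As an added example (this is not the article's own code, nor tooling from Censys, ZoomEye or Shodan), here is a small Python script that does the "confirm there aren't any in my care" step described above. It takes search-engine hits exported as JSON, checks each hit against the public address ranges you own and against your asset register (matching on the serial number these services expose), and flags what needs investigation, including the case where a device you own shows up at an address you don't, which is what a forgotten commissioning link looks like. The hit records, their field names, the address ranges and the serial numbers below are all constructed placeholders, not a real export format or real scan results.

```python
"""Reconcile internet-scanner hits against the address space and assets you own.

Added example. Everything below labelled CONSTRUCTED is made up for the demo;
the JSON layout is an assumed, simplified export format, not any service's API.
"""
import ipaddress
import json

# CONSTRUCTED: public ranges the organisation owns (RFC 5737 documentation prefixes).
OWNED_RANGES = ["198.51.100.0/24", "203.0.113.0/26"]

# CONSTRUCTED: internal asset register keyed by serial number.
ASSET_REGISTER = {
    "SN-0001A": {"site": "Plant A", "expected_internet_facing": False},
    "SN-0002B": {"site": "Plant B", "expected_internet_facing": False},
}

# CONSTRUCTED: hits in an assumed simplified export format (ip, port, product, serial, country).
# 44818 is the EtherNet/IP port and 502 the Modbus/TCP port, the services such engines index.
SAMPLE_HITS = json.dumps([
    {"ip": "198.51.100.17", "port": 44818, "product": "Vendor PLC (constructed)", "serial": "SN-0001A", "country": "AU"},
    {"ip": "192.0.2.200", "port": 44818, "product": "Vendor PLC (constructed)", "serial": "SN-9999Z", "country": "AU"},
    {"ip": "203.0.113.5", "port": 502, "product": "Vendor PLC (constructed)", "serial": "SN-0002B", "country": "AU"},
    {"ip": "203.0.113.5", "port": 80, "product": "Embedded web server (constructed)", "serial": "", "country": "AU"},
    {"ip": "192.0.2.77", "port": 44818, "product": "Vendor PLC (constructed)", "serial": "SN-0002B", "country": "AU"},
])


def build_query(vendor, country=None):
    """Build the search string the article describes: a vendor, optionally with a country filter."""
    query = f'"{vendor}"'
    if country:
        query += f' country:"{country}"'
    return query


def parse_hits(raw_json):
    """Load the export and turn each IP string into an ipaddress object so range checks work."""
    records = json.loads(raw_json)
    for record in records:
        record["ip"] = ipaddress.ip_address(record["ip"])
    return records


def in_owned_ranges(ip, ranges=OWNED_RANGES):
    """True if the address falls inside any CIDR block the organisation owns."""
    return any(ip in ipaddress.ip_network(cidr) for cidr in ranges)


def reconcile(raw_json, ranges=OWNED_RANGES, register=ASSET_REGISTER):
    """Return the hits that need investigation, each with the reason it was flagged.

    A hit is flagged when it sits inside an owned range, or when its serial matches a
    registered asset that is showing up at an address outside the owned ranges. Hits
    that are neither ours by address nor by serial are someone else's and are skipped.
    """
    findings = []
    for hit in parse_hits(raw_json):
        owned = in_owned_ranges(hit["ip"], ranges)
        known = hit["serial"] in register
        if not owned and not known:
            continue
        if known and register[hit["serial"]]["expected_internet_facing"]:
            continue  # documented as internet facing, so not a surprise
        reason = "inside owned range" if owned else "registered serial at an address we do not own"
        findings.append({
            "ip": str(hit["ip"]), "port": hit["port"], "product": hit["product"],
            "serial": hit["serial"], "reason": reason,
        })
    return findings


def exposed_addresses(findings):
    """Distinct flagged addresses, sorted numerically, for the follow-up list."""
    return sorted({f["ip"] for f in findings}, key=ipaddress.ip_address)


if __name__ == "__main__":
    print("Query used:", build_query("Rockwell Automation", "AU"))
    results = reconcile(SAMPLE_HITS)
    for finding in results:
        print(f'{finding["ip"]}:{finding["port"]}  serial={finding["serial"] or "-"}  {finding["reason"]}')
    print("Addresses to investigate:", ", ".join(exposed_addresses(results)))
```

In practice you would replace the constructed JSON with whatever the service lets you export, point OWNED_RANGES at your real public allocations, and run this after every monthly check so that a new appearance is noticed as a diff rather than by eye.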
Awesome, or scary, depending on your viewpoint.
In either case, if you are reading this article that's an overall win for Operational Technology cyber security as a whole. Awareness is one of the first steps, and then being a little proactive by checking some of these services is not a bad practice by any means.
I will soon have articles, guides and books available for Engineering IRL members that will let you know what you should do if one of your devices appears in one of these databases, and how you can prevent them ever being on there without you knowing. By protecting our OT environments we are actually protecting human lives.
Side by Side Comparison of OT Search Engines
Please note that this comparison is what you get with minimal effort, but you may find these tools have different pros and cons for your specific needs. For the most part I encourage you to comb through these sites as I have described in this article and just get a sense of what is happening around you, so you can increase awareness for your business.
Which should you use?
Shodan is the preferred choice for me, but honestly I use all of them for completeness regardless. I recommend all 3 (sorry for the cop-out), but the practical reason is that you then have the data available from multiple sources, and in many cyber security practices you want to be in tune with more than one source. Several standards and cyber guidelines recommend this, and so do we.
Hopefully I've opened your eyes a little bit and shown what is currently available to you Engineers in the Operational Technology space.
For more resources on operational technology please visit our resources page and become a member to get access to all the free member resources that will be made available.