CHAPTER 17: NETWORK SCANNING

‘Security vulnerabilities have been found in all types of webcams, cameras of all sorts, implanted medical devices, cars, and even smart toilets – not to mention yachts, ATM machines, industrial control systems and military drones.

All of these things have long been hackable.’21 – Bruce Schneier

When we discuss the security of critical infrastructure, people often say that their systems are secure because they are not connected to the Internet. They presume both that this is true and that they are therefore secure from all threats to their information systems.

However, search engines that find Internet-connected devices have been developed in recent years, and they often find devices that you might not expect to need Internet connectivity. Different devices can be found by entering certain keywords in the relevant search engines. Searches are more successful when the user enters specific keywords that appear in the web interface banners of devices. Search engines also allow the user to specify a country, city, IP range, operating system, port, etc. as search criteria. Various filtering options make it possible to find very exciting things on the Internet.

What isn’t connected to the Internet nowadays? Skilful searches can find the air conditioning control systems of buildings, heating control systems, lift control systems, smart home appliances, medical equipment, security systems, boiler house systems, power station systems, water supply systems and much more.

Many of these systems that can be found on the Internet are protected with default passwords or passwords that are easy to figure out. Some systems need no authentication at all or allow you to try various passwords an infinite number of times.

When someone believes their systems should not be accessible from the Internet, they should make sure they really are inaccessible. People dealing with the information security of CII should therefore use different tools to determine whether their organisation’s systems can be found on the Internet. Security managers should know or find out the keywords used in the web interface banners of the organisation’s systems. They should use various search engines to find devices that are possibly connected to the Internet. External security experts should also be asked to search for the organisation’s systems.

If the searches reveal that systems that shouldn’t be accessible from the Internet are actually accessible, they should be disconnected from the Internet as soon as possible. When networks really need to be connected for some reason, the traffic between them, and the traffic between the networks and the wider Internet, should be strictly restricted and the risks associated with this explained to the persons involved.
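One way to carry out the check described above, as an added example that is not from the book: it compares an exported set of device-search results against the organisation's own address ranges and banner keywords. The record layout, the address ranges and the "ACME" banner strings are all assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (all constructed for illustration): address ranges, banner
# keywords, and the record layout of an exported search-engine result set.
ORG_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.64/26")]
BANNER_KEYWORDS = ("acme hvac controller", "acme-boiler")  # hypothetical product banners

SAMPLE_RESULTS = [  # constructed records, documentation address space only
    {"ip": "203.0.113.17", "port": 80, "banner": "HTTP/1.1 200 OK\r\nServer: ACME HVAC Controller 2.1"},
    {"ip": "203.0.113.40", "port": 443, "banner": "HTTP/1.1 403 Forbidden\r\nServer: nginx"},
    {"ip": "192.0.2.200", "port": 8080, "banner": "HTTP/1.1 200 OK\r\nServer: acme-boiler/1.0"},
    {"ip": "192.0.2.9", "port": 22, "banner": "SSH-2.0-OpenSSH_8.9"},
    {"ip": "not-an-ip", "port": 80, "banner": "ACME HVAC Controller"},
]

def classify(record):
    """Return (in_org_range, matched_keyword), or None if the IP field is malformed."""
    try:
        addr = ipaddress.ip_address(record["ip"])
    except ValueError:
        return None
    in_range = any(addr in net for net in ORG_NETWORKS)
    banner = record.get("banner", "").lower()
    keyword = next((k for k in BANNER_KEYWORDS if k in banner), None)
    return in_range, keyword

def find_exposures(records):
    """List (ip, port, reason) for every record that needs follow-up."""
    findings = []
    for rec in records:
        result = classify(rec)
        if result is None:
            continue  # unparseable address: cannot be attributed to any range
        in_range, keyword = result
        if in_range and keyword:
            reason = "known range, known banner"
        elif in_range:
            reason = "known range, unrecognised service"
        elif keyword:
            reason = "banner match outside known ranges"
        else:
            continue  # neither our address space nor our banner
        findings.append((rec["ip"], rec["port"], reason))
    return findings

if __name__ == "__main__":
    for ip, port, reason in find_exposures(SAMPLE_RESULTS):
        print(f"{ip}:{port}  {reason}")
```

The third category is the reason banner keywords matter: a system reachable through an address the organisation does not know it owns will never appear in a search restricted to its registered ranges.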

When attackers gain access to the ICS network, they don’t need many skills to disturb or disrupt a system. Since it’s often impossible to add security to industrial control systems or to configure them to be more secure, the majority of security measures must be implemented at network level.

Lesson 17: Scan networks yourself and ask external experts to scan them as well to find the organisation’s systems that shouldn’t be connected to the Internet, but still are connected.
