Evaluation of the ability of the Shodan search engine to identify Internet-facing industrial control devices

Abstract The Shodan computer search engine has received significant attention due to its ability to identify and index Internet-facing industrial control system components. Industrial control systems are employed in numerous critical infrastructure assets, including oil and gas pipelines, water distribution systems, electrical power grids, nuclear plants and manufacturing facilities. The ability of malicious actors to identify industrial control devices that are accessible over the Internet is cause for alarm. Indeed, Shodan provides attackers with a powerful reconnaissance tool for targeting industrial control systems. This paper investigates the functionality of the Shodan computer search engine. In the experiments, four Allen-Bradley ControlLogix programmable logic controllers were deployed in an Internet-facing configuration to evaluate the indexing and querying capabilities of Shodan: all four programmable logic controllers were indexed and identified by Shodan within 19 days. This paper also describes a potential mitigation strategy that employs service banner manipulation to limit the exposure to Shodan queries.