Cyber Search Engine Shodan Exposes Industrial Control Systems to New Risks
Actual physical damage caused by malware and other malicious software is increasingly a reality, and one that insurers need to consider. Make no mistake, this exposure has already left the realm of the hypothetical. The most recent reported danger comes in the form of malicious software.
The Shodan software, developed in 2009 by one young man - a project he started as a teen - has over the past two years gathered data on nearly 100 million devices, recording their exact locations and the software systems that run them. This, again, belies the notion that only nation states have the wherewithal to develop cyber malware that can sabotage "uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids..." "These control computers were built to run behind the safety of brick walls. But such security is rapidly eroded by links to the Internet."
And he's not alone. A hacker/security consultant from Texas was able to hack into Siemens industrial controllers after working on it for only two months, and 'an anonymous hacker who calls himself “pr0f”, is a bright, unemployed 22-year-old who favors hoodie sweatshirts and lives in his parents' home somewhere overseas.' He is among the growing numbers of Shodan users. He hacked into a Texas municipal water supply system, allowing him to control a system that provides water to 16,000. According to the article below, it took the 22-year-old hacker less than 10 minutes to gain control of the system. "This required almost no skill," the young man wrote online a short time later.
It is apparent that it is far easier for individuals to cause physical damage to property through the use of malware and/or other malicious software than anyone contemplated. Those who may have taken some comfort in the belief that it would take the resources of a nation state or other large organization to pull these attacks off have been mistaken. According to the DHS, there have been 17 such attacks per month in the US over the past seven months. Vandalism, fire, and other types of first-party property damage caused by these attacks would likely be covered under most all-risk property policies in use today. Damage or destruction to machinery and equipment would also be covered under Boiler & Machinery policies. Damage to third-party property, and injuries to third parties and even to workers, may also be covered under other insurance. Exposure is increasing. The excerpts below are from the article, which you can find in the link at the end of my blog.
- "The rise of Shodan illuminates the rapid convergence of the real world and cyberspace, and the degree to which machines that millions of people depend on every day are becoming vulnerable to intrusion and digital sabotage. It also shows that the online world is more interconnected and complex than anyone fully understands, leaving us more exposed than we previously imagined... The number of intrusions and attacks in the United States is rising fast. From October to April, the DHS received 120 incident reports, about the same as for all of 2011. But no one knows how often breaches have occurred or how serious they have been. Companies are under no obligation to report such intrusions to authorities... A recent examination of major control systems by six hacker-researchers working with the security firm Digital Bond found that six of seven devices in the study were riddled with hardware and software flaws. Some included back doors that enabled the hackers to download passwords or sidestep security completely. Researchers found that one machine made by General Electric, the D-20... The company that made its operating software stopped updating it in 1999. It is often shipped to customers with no meaningful security. "Security is disabled by default," the manual says. "To log in, enter any name; you do not need a password." Other machines had flaws that enabled the researchers to take control through electronic back doors... even an employee passing through a plant with a wireless connection on a laptop can create a temporary data link that exposes control systems to intruders... "Water-treatment facilities, power plants, particle accelerators and other industrial control systems had been hidden from traditional search engines (are vulnerable to Shodan, as are)... thousands of data routers - the devices that make networks possible - open to anyone. Because they required no passwords, they could be taken over with ease."
- Another "...researcher at Cambridge University... used Shodan to identify more than 10,000 (industrial) control computers linked to the Internet, many of them with known vulnerabilities...'Malicious actors might already be doing this.'..."