Pandora’s Net


Google we know about. It’s a search engine for websites and individual web pages. Shodan, which calls itself “the world’s first search engine for Internet-connected devices,” promises to do the same thing for the so-called Internet of Things: the devices that are connected to and communicate with the rest of the world. Some of that stuff is small, like ink-jet printers and baby monitors. But other devices that appear on Shodan are part of the world’s most critical infra-structure, including parts of the U.S. electrical grid.

That accessibility has been portrayed as a boon to grid operators, who can monitor activity and control various systems remotely. But it also creates opportunities for hackers.

“All the stuff we’re doing in Western society in regards to cybersecurity is probably ten years or so behind the curve of what the bad guys are doing,” said Dan Tentler, founder of the San Diego-based information security consulting firm Atenlabs.

As a penetration tester, consultant, and former information security engineer at Twitter, Tentler knows a thing or two about information technology and cyber-security. During presentations at the 2014 and 2012 Def Con cybersecurity conferences, he conducted real-time scans on all the connected devices he could find through Internet scans and Shodan. When it comes to securing critical infrastructures online, Tentler said, the lines between control system security and information technology security have blurred.

“The trouble is that, up until recently, these systems weren’t considered IT’s problem,” Tentler said. “Gener-ally speaking, these things ended up online because there was no security oversight of a technical back-ground or nature looking at the concept of taking a giant 12,000 kV diesel generator behind the building and connecting it to the Internet.”

The most vulnerable parts of the electrical grid lie behind locked gates and razor wire-topped fences, but the Internet was not designed with security in mind. That means that operators who work with Internet-connected infrastructure have to play a never-ending game of catch-up with security measures.

Download the full article


January 2015