an internet wide view of ics devices
play

An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, - PowerPoint PPT Presentation

Oct 25, 2022 •352 likes •729 views

An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, M. Tischer, T. Chuenchujit, T. Yardley, R. Berthier, J. Mason, Z. Durumeric, J. Halderman, M. Bailey Industrial Control Systems (ICS) Operational control and monitoring for

  1. An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, M. Tischer, T. Chuenchujit, T. Yardley, R. Berthier, J. Mason, Z. Durumeric, J. Halderman, M. Bailey

  2. Industrial Control Systems (ICS) Operational control and monitoring for industrial processes 1

  3. Industrial Control Systems (ICS) Operational control and monitoring for industrial processes ICS protocols 1

  4. Insecurity of ICS ICS protocols assume system isolation Evolution: analog wire → digital fieldbus → Ethernet µC Supervisory Computer µC 2

  5. Insecurity of ICS ICS protocols assume system isolation Evolution: analog wire → digital fieldbus → Ethernet µC Supervisory Computer µC 2

  6. Insecurity of ICS ICS protocols assume system isolation Evolution: analog wire → digital fieldbus → Ethernet µC Supervisory Computer µC 2

  7. Insecurity of ICS ICS protocols assume system isolation Evolution: analog wire → digital fieldbus → Ethernet µC Internet Supervisory Computer µC Internet connectivity allows remote control of multiple ICSes 2

  8. Insecurity of ICS ICS protocols assume system isolation Evolution: analog wire → digital fieldbus → Ethernet µC Internet Supervisory Computer µC Internet connectivity allows remote control of multiple ICSes Public Internet = exposure to malicious attackers 2

  9. Remote ICS attack December 2015 30 substations remotely disabled 225,000 people without power 3

  10. Research Questions Understanding the ICS security ecosystem: 1) Vulnerability assessment - What ICS protocols and devices are exposed on the public Internet? 2) Threat landscape - Who is actively scanning for these vulnerable devices? Why are they scanning? 4

  11. ZMap: Fast IPv4 Scanning Port scanning tool by Durumeric et. al in 2013 USENIX Security Symposium Fast : ZMap is 1300 times faster than NMap Single port IPv4 scan on one machine in under 45 mins Extensible : architecture for application-level protocol scanners (i.e. HTTP, SSH) Well-tooled : Censys scan database and querying infrastructure Used in hundreds of academic studies 5

  12. Detecting ICS Devices 1) Port scans - 10 most common ICS protocol ports Upper-bound : port overlap with non-ICS services 2) Protocol scans - Implemented 5 protocol parsers Modbus, BACnet, Tridium Fox, Siemens S7, DNP3 Lower-bound : only query common configs / protocol device addresses 6

  13. Ethical Scanning Reducing scan impact Scan in random order to avoid overwhelming networks Signal benign nature over HTTP and w/ DNS hostnames Honor all scan exclusion requests 7

  14. Ethical Scanning Reducing scan impact Scan in random order to avoid overwhelming networks Signal benign nature over HTTP and w/ DNS hostnames Honor all scan exclusion requests Special ICS considerations Extensive local testing prior to scanning Benign queries that do not alter device state 7

  15. Found: ICS Devices Full IPv4 scans between March 14-19, 2016 Upper bound: ~4 million devices Lower bound: 69,000 devices for 5 protocols 31.5% more devices found than previously reported by Matherly, J.C. Top protocols: 1) Tridium Fox 26,299 devices 2) Modbus 21,596 devices 3) BACnet 16,752 devices 4) Siemens S7 2,357 devices 5) DNP3 419 devices 8

  16. Tridium Fox Proprietary protocol for building automation Coordinates supervisory systems 9

  17. Modbus Designed in 1979! WHOIS lookups for Orange AS Master-slave architecture Limited to 247 devices on network 10

  18. Increasing ICS Exposure 11

  19. ICS Network Exposure 12

  20. ICS Network Exposure 37% 0.5% of ASes 12

  21. ICS Network Exposure 76% 5% of ASes 12

  22. ICS Network Exposure 32% Verizon Wireless 12

  23. Research Questions Understanding the ICS security ecosystem: 1) Vulnerability assessment - What ICS protocols and devices are exposed on the public Internet? 2) Threat landscape - Who is actively scanning for these vulnerable devices? Why are they scanning? 13

  24. Network Telescope Darknet = large blocks of unused IP address space Any darknet traffic is attributable to: 1) misconfiguration 2) spoofed IP backscatter 3) active scanning Passively collect UDP/TCP traffic for all ports on a /8 subnet 14

  25. Network Telescope Scans during August 2015 15

  26. Network Telescope Scans during August 2015 15

  27. Network Telescope Scans during August 2015 15

  28. Network Telescope Scans during August 2015 15

  29. Network Telescope Scans during August 2015 15

  30. Conpot: ICS Honeypot Open source low-interaction honeypot Simulates protocol behavior of a real device Interactive traffic indicates live scanner Supports S7, Modbus, BACnet Actively collect interactive scanner behavior 16

  31. Conpot: ICS Honeypot 20 Conpot instances on Amazon EC2 Dec 4, 2015 - Feb 14, 2016 Protocol / scanner distribution consistent with network telescope Scanning is not correlated to the number of exposed devices 17

  32. Conpot: ICS Honeypot 20 Conpot instances on Amazon EC2 Dec 4, 2015 - Feb 14, 2016 Protocol / scanner distribution consistent with network telescope Scanning is not correlated to the number of exposed devices 17

  33. # ICS Devices Found Conpot: ICS Honeypot Modbus 21,596 devices (53%) BACnet 16,752 devices (41%) 20 Conpot instances on Amazon EC2 Siemens S7 2,357 devices (6%) Dec 4, 2015 - Feb 14, 2016 Protocol / scanner distribution consistent with network telescope Scanning is not correlated to number of exposed devices 17

  34. Scan Behaviors Modbus Master Relatively benign scanning Slave 0 Slave 1 Slave 2 Modbus example: 70% - Read device identification 30% - Report slave ID for slave address 0 or 255 (default if empty) No actuating commands or configuration enumeration 18

  35. Responsible Disclosure Part of a study by Li et. al in 2013 USENIX Security Symposium Vulnerability notifications for 79% of hosts with abuse WHOIS contacts ~7% of notified WHOIS contacts removed their ICS devices from Internet Still a large remainder of exposed devices - repeat notifications ineffective 19

  36. Recap ICS insecurity: ICS protocols were designed for isolated systems No built-in Internet security Vulnerability assessment: Found 69,000 Internet-exposed ICS devices Increasing over time Threat landscape: Majority of scanning is by researchers Some from suspicious bulletproof hosts 20 Questions? zanema2@illinois.edu

  37. An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, M. Tischer, T. Chuenchujit, T. Yardley, R. Berthier, J. Mason, Z. Durumeric, J. Halderman, M. Bailey

Recommend

WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a

WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a

WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a Global View the Internet is an evolving open system no central point, no typical network or user complexity everywhere: topology, usage

608 views • 13 slides
H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning Vulnerability Mitigation with Internet wide Scanning J. Alex Halderman Mining Your Ps and Qs: Widespread Weak Keys in Network Devices Nadia Heninger, Zakir

640 views • 53 slides
1 What is is a page on the web? a page on the web? What a resource (i.e. a file),

1 What is is a page on the web? a page on the web? What a resource (i.e. a file),

Lecture 2. Lecture 2. Internet: Internet: who talks with whom? who talks with whom? An application layer view, An application layer view, with particular attention to the with particular attention to the World Wide Web World Wide Web G.

478 views • 12 slides
OLSR for InternetCAR system Kouji Okada(okada @sfc.wide.ad.jp) Ryuji

OLSR for InternetCAR system Kouji Okada(okada @sfc.wide.ad.jp) Ryuji

OLSR for InternetCAR system Kouji Okada(okada @sfc.wide.ad.jp) Ryuji Wakikawa(ryuji@sfc.wide.ad.jp) Keio University , Japan http://www.wide.ad.jp/ Introduction Spread of internet connectivity Non-computer devices have IPv6 protocol

243 views • 20 slides
4. The Internet and the World Wide Web 4.1 History of the Internet 4.2 The World Wide Web and

4. The Internet and the World Wide Web 4.1 History of the Internet 4.2 The World Wide Web and

4. The Internet and the World Wide Web 4.1 History of the Internet 4.2 The World Wide Web and the Browser 4.3 What Browsers Can Do for Us 4.4 What is a Website? 4.5 Website Design 4.6 Other Creatures on the Web 4.7 Key Web Software

1.02k views • 97 slides
From a World-Wide Web of Pages to a World-Wide Web of Things Interoperability for Connected

From a World-Wide Web of Pages to a World-Wide Web of Things Interoperability for Connected

From a World-Wide Web of Pages to a World-Wide Web of Things Interoperability for Connected Devices Dave Raggett 16 March2016 The Internet of Things Still very immature, but with massive potential Lack of interoperability at the application

440 views • 31 slides
1 The Internet of Things (IoT) - expansion of the Internet to include physical devices; thereby

1 The Internet of Things (IoT) - expansion of the Internet to include physical devices; thereby

1 The Internet of Things (IoT) - expansion of the Internet to include physical devices; thereby bridging the divide between the physical world and cyberspace. These devices or \things" are uniquely identifiable, fitted with sensors and

640 views • 41 slides
Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Fast Internet-Wide Scanning, ZMap Weak Keys and the HTTPS Certificate Ecosystem Zakir Durumeric Michael Bailey University of Michigan ZMap: Fast Internet-Wide Scanning, Weak Keys, and the HTTPS Certificate Ecosystem Zakir Durumeric

491 views • 46 slides
Programmers View of Internet Programmers View of Internet CS 105 Tour of the Black

Programmers View of Internet Programmers View of Internet CS 105 Tour of the Black

Programmers View of Internet Programmers View of Internet CS 105 Tour of the Black Holes of Computing 1. Hosts are mapped to a set of 32-bit IP(v4) addresses or 128-bit IP(v6)

314 views • 12 slides
wide side of the Internet why 1/x distribu4on is so

wide side of the Internet why 1/x distribu4on is so

wide side of the Internet why 1/x distribu4on is so prevalent in Internet data? the spo:er team S. Laki Physics of Complex Systems P.

360 views • 24 slides
Internet Observation with N-TAP: how it works and what it does Kenji Masui

Internet Observation with N-TAP: how it works and what it does Kenji Masui

10th CAIDA/WIDE Workshop - 1st CAIDA/WIDE/CASFI Workshop (2008-08-16) Internet Observation with N-TAP: how it works and what it does Kenji Masui kmasui@gsic.titech.ac.jp WIDE Project / Tokyo Institute of Technology Internet Observation with

309 views • 17 slides
Wide Bandgap Semiconductors for Microwave Power Devices Dr. C. E. Weitzel Consultant: Wide

Wide Bandgap Semiconductors for Microwave Power Devices Dr. C. E. Weitzel Consultant: Wide

Wide Bandgap Semiconductors for Microwave Power Devices Dr. C. E. Weitzel Consultant: Wide Bandgap Power Devices Presentation Outline Why Wide Bandgap Semiconductors? SiC Microwave Power Devices What are FET FieldPlates?

778 views • 41 slides
Mobile Ad-hoc Network WIDE project/KEIO University ryuji@sfc.wide.ad.jp ToC Global Internet

Mobile Ad-hoc Network WIDE project/KEIO University ryuji@sfc.wide.ad.jp ToC Global Internet

Mobile Ad-hoc Network WIDE project/KEIO University ryuji@sfc.wide.ad.jp ToC Global Internet Connectivity MANET/NEMO integration IPv6 Support on MANET MANET on the Internet Where can MANET be deployed in our daily life?

564 views • 27 slides
INTRODUCTION TO WEB DESIGN EHIMA PRINCE THE INTERNET AND THE WORLD WIDE WEB The Internet is the

INTRODUCTION TO WEB DESIGN EHIMA PRINCE THE INTERNET AND THE WORLD WIDE WEB The Internet is the

INTRODUCTION TO WEB DESIGN EHIMA PRINCE THE INTERNET AND THE WORLD WIDE WEB The Internet is the collection of huge network that is accessible to everyone and everywhere across the world. It connects millions of computers together globally,

338 views • 8 slides
The Internet and World Wide Web CSE 190 M (Web Programming), Spring 2007 University of Washington

The Internet and World Wide Web CSE 190 M (Web Programming), Spring 2007 University of Washington

CSE 190 M Slides: Internet/WWW Page 1 The Internet and World Wide Web CSE 190 M (Web Programming), Spring 2007 University of Washington Reading: Sebesta Ch. 1 sections 1.1 - 1.5.2, 1.7 - 1.8.5, 1.8.8, 1.9 What is the Internet? A "series

451 views • 6 slides
Web Programming Pingmei Xu World Wide Web Wikipedia definition: a system of interlinked

Web Programming Pingmei Xu World Wide Web Wikipedia definition: a system of interlinked

Web Programming Pingmei Xu World Wide Web Wikipedia definition: a system of interlinked hypertext documents accessed via the Internet. image from http://www.syslog.cl.cam.ac.uk/ Web Internet World Wide Web : a collection Internet : a

876 views • 65 slides
Overview/Questions Is it the Internet or the World Wide Web. Whats the difference? How

Overview/Questions Is it the Internet or the World Wide Web. Whats the difference? How

CS120 Lecture 17: The World Wide Web and HTML Web Publishing John Magee 9 November 2012 1 Overview/Questions Is it the Internet or the World Wide Web. Whats the difference? How do you visit a web site? How does your browser know

319 views • 21 slides
CMPT 165 CMPT 165 INTRODUCTION TO THE INTERNET INTRODUCTION TO THE INTERNET AND THE WORLD WIDE

CMPT 165 CMPT 165 INTRODUCTION TO THE INTERNET INTRODUCTION TO THE INTERNET AND THE WORLD WIDE

CMPT 165 CMPT 165 INTRODUCTION TO THE INTERNET INTRODUCTION TO THE INTERNET AND THE WORLD WIDE WEB AND THE WORLD WIDE WEB By Hassan S. Shavarani UNIT1: THE INTERNET AND THE WORLD WIDE WEB UNIT1: THE INTERNET AND THE WORLD WIDE WEB 1

1.02k views • 34 slides
Overview/Questions Is it the Internet or the World Wide Web. Whats the difference?

Overview/Questions Is it the Internet or the World Wide Web. Whats the difference?

CS101 Lecture 02: The World Wide Web and HTML Aaron Stevens 16 January 2009 1 Overview/Questions Is it the Internet or the World Wide Web. Whats the difference? How do you visit a web site? How does your browser know what to

158 views • 11 slides
Overview/Questions Is it the Internet or the World Wide Web. Whats the difference? How

Overview/Questions Is it the Internet or the World Wide Web. Whats the difference? How

CS101 Lecture 02: The World Wide Web and HTML John Magee 2 July 2013 1 Overview/Questions Is it the Internet or the World Wide Web. Whats the difference? How do you visit a web site? How does your browser know what to do? How

531 views • 20 slides
2.2 Internet Basics Objectives Describe the difference between Internet and World Wide Web.

2.2 Internet Basics Objectives Describe the difference between Internet and World Wide Web.

2.2 Internet Basics Objectives Describe the difference between Internet and World Wide Web. Describe web browsers and their uses. Identify screen components of Internet Explorer. Objectives Identify the basic parts of the World

529 views • 49 slides
Implementation and Operation of Mobility in WIDE The 14th Korea Internet Conference June 28,

Implementation and Operation of Mobility in WIDE The 14th Korea Internet Conference June 28,

Implementation and Operation of Mobility in WIDE The 14th Korea Internet Conference June 28, 2006 Keiichi Shima <keiichi@iijlab.net> Internet Initiative Japan Inc. / WIDE project Contents Background Implementation Operation

741 views • 55 slides
CMPT 165 CMPT 165 INTRODUCTION TO THE INTERNET INTRODUCTION TO THE INTERNET AND THE WORLD WIDE

CMPT 165 CMPT 165 INTRODUCTION TO THE INTERNET INTRODUCTION TO THE INTERNET AND THE WORLD WIDE

CMPT 165 CMPT 165 INTRODUCTION TO THE INTERNET INTRODUCTION TO THE INTERNET AND THE WORLD WIDE WEB AND THE WORLD WIDE WEB By Hassan S. Shavarani UNIT5: GRAPHICS UNIT5: GRAPHICS 1 TOPICS TOPICS 1. Using Images on Web Pages 2. Image

636 views • 28 slides
Internet of things: Next evolution of the Internet Cisco blog quotes: The number of devices

Internet of things: Next evolution of the Internet Cisco blog quotes: The number of devices

6PANview : A Network Monitoring System for the Internet of Things 23-August-2011 Lohith Y S, Brinda M C, Anand SVR, Malati Hegde Department of ECE Indian Institute of Science Bangalore Funded by DIT, Government of India Internet of

520 views • 20 slides

More recommend