Wait, ICS doesn't stand for "Internet-Connected Systems"? Jan Kopřiva jan.kopriva@alef.com | @jak0pr ALEF CSIRT TLP: WHITE
Are ICS connected to the internet common? • Only a few cases a year make it to mainstream media • We tend to assume there are a lot more, but very few studies on the topic exist
How would an attacker find connected ICS?
Is an ICS connected to the internet dangerous? • Many industrial protocols lack any security functionality … • …so the short answer is "yes"
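The point about missing security functionality can be made concrete with Modbus/TCP (port 502, the protocol seen most often in the slides): its MBAP header carries a transaction id, protocol id, length and unit id, and then the function code, with no field for credentials or integrity. The only controls a defender has are network ones, so the added example below (not from the slides, not from the TriOp toolkit) parses a Modbus/TCP frame and flags write requests from any source outside a hypothetical allowlist of engineering hosts; the sample frames and the 10.10.0.0/24 allowlist are constructed for the example.

```python
import ipaddress
import struct

# Modbus function codes that change PLC state (writes); 1-4 are reads.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
# Hypothetical allowlist: the HMI / engineering network that may write.
ALLOWED_WRITERS = [ipaddress.ip_network("10.10.0.0/24")]


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus function code of a Modbus/TCP frame.

    Layout: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1), then the PDU starting with the function code (1).
    There is no field for authentication or integrity anywhere.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length does not match frame size")
    return {"transaction_id": tid, "unit_id": uid, "function_code": fc,
            "data": frame[8:]}


def classify(src_ip: str, frame: bytes) -> str:
    """Return 'alert' for a write request from an unlisted source, else 'ok'."""
    fc = parse_mbap(frame)["function_code"]
    src = ipaddress.ip_address(src_ip)
    if fc in WRITE_FUNCTION_CODES and not any(src in n for n in ALLOWED_WRITERS):
        return "alert"
    return "ok"


# Constructed sample frames (not captured traffic).
# Write Single Register (fc 6): register 0x0001 <- 0x00FF
WRITE_FRAME = bytes.fromhex("0001" "0000" "0006" "01" "06" "0001" "00ff")
# Read Holding Registers (fc 3): 2 registers starting at address 0
READ_FRAME = bytes.fromhex("0002" "0000" "0006" "01" "03" "0000" "0002")

if __name__ == "__main__":
    print(classify("203.0.113.7", WRITE_FRAME))  # alert: outside host writing
    print(classify("10.10.0.5", WRITE_FRAME))    # ok: allowed writer
    print(classify("203.0.113.7", READ_FRAME))   # ok: read only
```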
What did we do? • 21st – 22nd October 2019 • Looked at commonly used industrial ports/protocols (mostly using the TriOp toolkit) • Some limited manual verification of results
How many ICS are out there? [Bar chart: countries ranked 1–10 by number of ICS found on Shodan, scale 0–60,000: 1 United States, 2 Italy, 3 Canada, 4 Spain, 5 Germany, 6 France, 7 Russian Federation, 8 Sweden, 9 Australia, 10 United Kingdom]
How many ICS are out there? [Bar chart: countries ranked 11–20, scale 0–3,000, in the order extracted: Korea, Netherlands, Turkey, Taiwan, Austria, Poland, Brazil, Belgium, Norway, Hungary]
How many ICS are out there? [Bar chart: countries ranked 21–30, scale 0–1,600, in the order extracted: Czech Republic, Switzerland, Israel, Denmark, Romania, Japan, Greece, Portugal, China, Lithuania]
That's not great … • If Shodan data were representative of all IPs in a country • Czech Republic ~ 0.1% of IPs • Russia ~ 0.03% of IPs • United States ~ 0.02% of IPs • China ~ 0.002% of IPs
…but is this normal? [Line chart: IPs responding on port 502 (Modbus), 23.08.2019 to 22.10.2019, scale 0–800; series: Poland, Australia, Romania, Canada, Russia, China, Slovakia, Czech Republic, Great Britain]
Let's take a look at the Czech Republic… [Line chart: IPs in the Czech Republic responding on port 502 (Modbus), port 44818 (EtherNet/IP) and port 47808 (BACnet/IP), 23.08.2019 to 22.10.2019, scale 0–450]
What is/was out there? [Pie chart of hosts by protocol (port): S7comm (102), BACnet/IP (47808), EtherNet/IP (44818), Lantronix Discovery (30718), Modbus (502), Moxa NPort (4800), EtherNet/IP (2222), CoDeSys (2455), EIBnet (3671); shares shown ranged from 1% to 30%, with Modbus and EIBnet the largest slices]
What is/was (probably) out there? • HVAC and temperature controllers • Elevator controller • "Smart" buildings • Camera systems controller • Solar power plants • Physical security systems • Biogas plant • Industrial process controllers • Local power grid controller • Industrial measuring equipment • General-use PLCs
Some control panels required authentication …
… others didn't
Informing interested parties • Big help from (and big thanks to) • CZ.NIC – National Registrar for CZ TLD • NCISA/NÚKIB – National Cyber and Information Security Agency
That was then … [Line chart: 24.10.2019 to 10.01.2020, scale 1,100–1,450]
… this is now • 122,784 ICS systems on Shodan – January 10th [Bar chart: top 10 countries, scale 0–60,000: US, CA, ES, DE, RU, KR, GB, AU, TW, PL]
A look at the current situation in Spain [Pie chart, hosts by protocol: S7comm 349, Rest 929, Modbus 1333, BACnet/IP 195, EtherNet/IP 194, Lantronix Discovery 77, Moxa NPort 249, CoDeSys 127, EIBnet 1890]
Thank you for your attention TLP: WHITE