Who we are
We're constantly monitoring what's out there and hopefully this will give you a glimpse.
Are ICS connected to the internet common?
• Only a few cases a year make it to mainstream media
• We tend to assume there is a lot more, but very few studies on the topic exist
Presenter notes:
Can be quite dangerous: Ukrainian energy sector; hypothesis of an Iranian oil refinery in Ábádán (unsubstantiated). We need to be sure that nothing we don't want connected is connected (Ukrainian power plant – news earlier this year).
How would an attacker find connected ICS?
Presenter notes:
Active scanning. What is Shodan?
Is ICS connected to the internet dangerous?
• Many industrial protocols lack any security functionalities…
• …so the short answer is "yes"
Presenter notes:
• Modbus – doesn't have authentication by itself; it may be added by a TLS layer
• EIBnet/IP – does not have authentication
• Lantronix Discovery Protocol – has authentication, but by default it can often be bypassed
• CoDeSys Digital Bond runtime – has authentication, but for older versions bypass attacks are known
• S7comm – has authentication, but methods of bypass attacks are known
• BACnet/IP – has the possibility of authentication (not forced, as some devices can't…)
What did we do?
• 21st – 22nd October 2019
• Look at commonly used industrial ports/protocols (mostly using the TriOp toolkit)
• Some limited manual verification of results
Presenter notes:
Besides the continual monitoring, on 21st and 22nd October we took a closer look at what was out there. Using Shodan. How – we automated.
How many ICS are out there?
[Bar chart: ICS found per country, ranks 1–10 (United States, Italy, Canada, Spain, Germany, France, Russian Federation, Sweden, Australia, United Kingdom); x-axis 0 to 60000]
Presenter notes:
21 October – Shodan, globally 137 478 (detection is not guaranteed; honeypots may be in there). Good news – we're not in the top 10 countries…
1 United States 53,850
2 Italy 7,404
3 Canada 6,925
4 Spain 6,378
5 Germany 6,116
6 France 5,514
7 Russian Federation 3,628
8 Sweden 2,934
9 Australia 2,896
10 United Kingdom 2,728
How many ICS are out there?
[Bar chart: ICS found per country, ranks 11–20 (Korea, Netherlands, Turkey, Taiwan, Austria, Poland, Brazil, Belgium, Norway, Hungary); x-axis 0 to 3000]
Presenter notes:
We're not here either…
11 Korea 2656
12 Netherlands 2521
13 Turkey 2492
14 Taiwan 2159
15 Austria 1840
16 Poland 1797
17 Brazil 1778
18 Belgium 1648
19 Norway 1460
20 Hungary 1402
How many ICS are out there?
[Bar chart: ICS found per country, ranks 21–30 (Czech Republic, Switzerland, Israel, Denmark, Romania, Japan, Greece, Portugal, China, Lithuania); x-axis 0 to 1600]
Presenter notes:
So we're 21st with 1400… SK is 32nd with 539.
21 Czech Republic 1400
22 Switzerland 1156
23 Israel 1030
24 Denmark 1008
25 Romania 962
26 Japan 955
27 Greece 823
28 Portugal 745
29 China 644
30 Lithuania 627
That's not great…
• If Shodan data were representative for all IPs in a country:
• Czech Republic ~ 0.1% of IPs
• Russia ~ 0.03% of IPs
• United States ~ 0.02% of IPs
• China ~ 0.002% of IPs
Presenter notes:
But what is worse – absolute numbers don't tell the whole story. If we take a look at the number of IP addresses Shodan sees for each country… We have more than 8M IPs and Shodan only "sees" 1.4M, but still…
…but is this normal?
[Line chart: IPs responding on port 502 (Modbus), 23.08.2019 to 22.10.2019, sampled every two days; y-axis 0 to 800; series: Australia, Canada, China, Czech Republic, Great Britain, Poland, Romania, Russia, Slovakia]
Presenter notes:
A two-month timespan can give us interesting results. Let's look at port 502 – Modbus (countries with similar numbers). Not saying that all are ICS, but most are. CZ, GB and Russia nearly the same.
Let‘s take a look at the Czech Republic…
[Line chart, Czech Republic: IPs responding on port 502 (Modbus), port 44818 (EtherNet/IP) and port 47808 (BACnet/IP), 23.08.2019 to 22.10.2019, sampled every two days; y-axis 0 to 450]
Presenter notes:
These are ports/services; some may not be ICS, some may be honeypots.
What is/was out there?
• S7comm (102) 4%
• Modbus (502) 30%
• CoDeSys (2455) 12%
• EIBnet (3671) 18%
• Moxa Nport (4800) 3%
• Lantronix Discovery (30718) 26%
• EtherNET/IP (44818) 1%
• BACnet/IP (47808) 6%
Presenter notes:
1298 ICS we checked in more detail (the most common ports) – here is what had at least 1%; besides that there was DNP, ROC Plus.
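The counting behind the "What did we do?", "That's not great…" and protocol-share slides, as an added example (not the presentation's or the TriOp toolkit's code): classify banner records by the surveyed ICS ports, count exposed hosts per country normalised by the IPs Shodan sees there, and compute each protocol's share. The banner records and per-country denominators are constructed, and the field names (ip_str, port, location.country_name) are assumed to follow Shodan's banner layout.

```python
"""Exposure statistics over Shodan-style banner records (added example; not from
the presentation or the TriOp toolkit). Field names are modelled on Shodan
banners (ip_str, port, location.country_name) but this schema is an assumption."""
from collections import Counter

# Ports/protocols the presentation surveyed (taken from the slides).
ICS_PORTS = {
    102: "S7comm", 502: "Modbus", 2455: "CoDeSys", 3671: "EIBnet",
    4800: "Moxa Nport", 30718: "Lantronix Discovery",
    44818: "EtherNet/IP", 47808: "BACnet/IP",
}

# Constructed sample banners (documentation address ranges, not real hosts).
BANNERS = [
    {"ip_str": "192.0.2.10", "port": 502, "location": {"country_name": "Czech Republic"}},
    {"ip_str": "192.0.2.10", "port": 80, "location": {"country_name": "Czech Republic"}},
    {"ip_str": "192.0.2.11", "port": 3671, "location": {"country_name": "Czech Republic"}},
    {"ip_str": "198.51.100.5", "port": 502, "location": {"country_name": "Germany"}},
    {"ip_str": "198.51.100.6", "port": 443, "location": {"country_name": "Germany"}},
    {"ip_str": "203.0.113.7", "port": 30718, "location": {"country_name": "Germany"}},
    {"ip_str": "203.0.113.8", "port": 22, "location": {"country_name": "Germany"}},
]

# IPs Shodan "sees" per country; constructed denominators (the slides apply
# the same normalisation with Shodan's real per-country totals).
IPS_SEEN = {"Czech Republic": 1000, "Germany": 4000}


def ics_hosts(banners):
    """Map each IP with at least one surveyed ICS port to (country, protocols)."""
    hosts = {}
    for b in banners:
        proto = ICS_PORTS.get(b["port"])
        if proto is None:
            continue  # ports 80, 443, 22...: not one of the surveyed ICS ports
        country = b["location"]["country_name"]
        hosts.setdefault(b["ip_str"], (country, set()))[1].add(proto)
    return hosts


def per_country_share(hosts, ips_seen):
    """ICS host count per country and its percentage of the IPs Shodan sees there."""
    counts = Counter(country for country, _ in hosts.values())
    return {c: (n, round(100 * n / ips_seen[c], 3)) for c, n in counts.items()}


def protocol_share(hosts):
    """Percentage of ICS hosts exposing each protocol (a host may expose several)."""
    counts = Counter(p for _, protos in hosts.values() for p in protos)
    return {p: round(100 * n / len(hosts), 1) for p, n in counts.items()}
```

With the constructed input both countries expose two ICS hosts, yet the normalised figures differ by a factor of four, which is the slide's point about absolute numbers.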
What is/was (probably) out there?
• HVAC and temperature controllers
• "Smart" buildings
• Solar power plants
• Biogas plant
• Local power grid controller
• General use PLCs
• Elevator controller
• Camera systems controller
• Physical security systems
• Industrial processes controllers
• Industrial measuring equipment
Presenter notes:
We didn't interact with these services; we only checked port 80. Which are based on reverse lookup of hostnames, and which we saw.
Some control panels required authentication…
Presenter notes:
Of the 1298 ICS we checked in more detail, 724 had port 80 open and some of them had a console/control panel running.
…others didn‘t
Presenter notes:
Of the 1298 ICS we checked in more detail, 724 had port 80 open and some of them had a console. Some let us just read, but some would have let us reconfigure anything.
Presenter notes:
Many, many solar power plants – some with actually quite considerable output. There is a configuration option; some did protect it, most didn't…
Informing interested parties
• Big help from (and big thanks to)
• CZ.NIC – National Registrar for CZ TLD
• NCISA/NÚKIB – National Cyber and Information Security Agency
Presenter notes:
What could be done through what we found? We don't know – we didn't try to do anything, but an attacker could certainly cause some mischief. Based on a first cursory check from NCISA, it seems there was no National Critical Infrastructure found.