Posted on 13-Feb-2020

Page 1:

ICS accessible from the Internet: bad (and very common) practice

Jan Kopřiva, jan.kopriva@alef.com, ALEF CSIRT

TLP: GREEN

Presenter notes: Who we are. We're constantly monitoring what's out there, and hopefully this will give you a glimpse.
Page 2:

• Only a few cases a year make it to mainstream media

• We tend to assume there is a lot more, but very few studies on the topic exist

Are ICS connected to the internet common?

Presenter notes: It can be quite dangerous: the Ukrainian energy sector; the hypothesis of an Iranian oil refinery in Ábádán (unsubstantiated). We need to be sure that nothing we don't want connected is connected (Ukrainian power plant, news earlier this year).
Page 3:

How would an attacker find connected ICS?

Presenter notes: Active scanning. What is Shodan.
Page 4:

• Many industrial protocols lack any security functionalities…

• …so the short answer is „yes“

Is ICS connected to the internet dangerous?

Presenter notes:
• Modbus: doesn't have authentication by itself; it may be added by a TLS layer
• EIBnet/IP: does not have authentication
• Lantronix Discovery Protocol: has authentication, but by default it can often be bypassed
• CoDeSys Digital Bond runtime: has authentication, but for older versions bypass attacks are known
• S7comm: has authentication, but methods of bypassing it are known
• BACnet/IP: has the possibility of authentication (not enforced, as some devices can't…)
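As an added example, not part of the presentation: the Modbus/TCP frame format shows concretely what "no authentication by itself" means, since no field carries credentials, so a defender has to control and monitor who can reach port 502 instead. The parser and the source-based write check below are constructed for this page; the sample frames and the allowlisted address 10.0.0.5 are assumptions.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address

# Modbus/TCP function codes that change controller state; the others only read.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then the PDU (function code + data).
    No field in the frame identifies or authenticates the sender."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, uid, frame[7], frame[8:])

def classify(frame: bytes, src_ip: str, allowed_writers: set) -> str:
    """Label one request seen on port 502. Since the protocol cannot reject a
    sender, writes are alerted unless they come from an allowlisted internal host."""
    req = parse_modbus_tcp(frame)
    if req.function_code in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function_code]
        if ip_address(src_ip).is_global or src_ip not in allowed_writers:
            return f"ALERT: {name} (fc {req.function_code}) from unexpected source {src_ip}"
        return f"write: {name} from allowlisted {src_ip}"
    if req.function_code in READ_FUNCTIONS:
        return f"read: {READ_FUNCTIONS[req.function_code]} from {src_ip}"
    return f"other: function code {req.function_code} from {src_ip}"

# Constructed sample frames and allowlist (assumed values, not captured traffic).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 0003")    # read 3 holding registers
WRITE_REGISTER = bytes.fromhex("0002 0000 0006 01 06 0010 1234")  # write 0x1234 to register 0x10
ALLOWED_WRITERS = {"10.0.0.5"}  # assumed engineering workstation
```

Feeding frames captured at the perimeter through classify() is enough to see every state-changing request that reaches a controller from outside the allowlist, which is exactly what the protocol itself cannot refuse.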
Page 5:

• 21st – 22nd October 2019

• Look at commonly used industrial ports/protocols (mostly using the TriOp toolkit)

• Some limited manual verification of results

What did we do?

Presenter notes: Besides the continual monitoring, on 21st and 22nd October we took a closer look at what was out there. Using Shodan. How: we automated it.
Page 6:

[Bar chart: Internet-accessible ICS per country, top 10; scale 0 to 60000]

How many ICS are out there?

Presenter notes: 21 October, Shodan, globally 137 478 (detection is not guaranteed; honeypots may be in there). Good news: we're not in the top 10 countries…
1. United States: 53,850
2. Italy: 7,404
3. Canada: 6,925
4. Spain: 6,378
5. Germany: 6,116
6. France: 5,514
7. Russian Federation: 3,628
8. Sweden: 2,934
9. Australia: 2,896
10. United Kingdom: 2,728
Page 7:

[Bar chart: Internet-accessible ICS per country, positions 11 to 20; scale 0 to 3000]

How many ICS are out there?

Presenter notes: We're not here either…
11. Korea: 2,656
12. Netherlands: 2,521
13. Turkey: 2,492
14. Taiwan: 2,159
15. Austria: 1,840
16. Poland: 1,797
17. Brazil: 1,778
18. Belgium: 1,648
19. Norway: 1,460
20. Hungary: 1,402
Page 8:

[Bar chart: Internet-accessible ICS per country, positions 21 to 30; scale 0 to 1600]

How many ICS are out there?

Presenter notes: So we're 21st with 1400… SK is 32nd with 539.
21. Czech Republic: 1,400
22. Switzerland: 1,156
23. Israel: 1,030
24. Denmark: 1,008
25. Romania: 962
26. Japan: 955
27. Greece: 823
28. Portugal: 745
29. China: 644
30. Lithuania: 627
Page 9:

• If Shodan data were representative for all IPs in a country

• Czech Republic ~ 0,1% IPs

• Russia ~ 0,03% IPs

• United States ~ 0,02% IPs

• China ~ 0,002% IPs

That's not great…

Presenter notes: But what is worse: absolute numbers don't tell the whole story. If we take a look at the number of IP addresses Shodan sees for each country… We have more than 8M IPs and Shodan only "sees" 1,4M, but still…
Page 10:

…but is this normal?

[Line chart: IPs responding on port 502 (Modbus), 23.08.2019 to 22.10.2019, y-axis 0 to 800; series: Australia, Canada, China, Czech Republic, Great Britain, Poland, Romania, Russia, Slovakia]

Presenter notes: A two-month timespan can give us interesting results. Let's look at port 502 (Modbus) for countries with similar numbers. Not saying that all are ICS, but most are. CZ, GB and Russia are nearly the same.
Page 11:

Let's take a look at the Czech Republic…

[Line chart: Czech Republic, 23.08.2019 to 22.10.2019, y-axis 0 to 450; series: port 502 (Modbus), port 44818 (EtherNet/IP), port 47808 (BACnet/IP)]

Presenter notes: These are ports/services; some may not be ICS, some may be honeypots.
Page 12:

What is/was out there?

[Pie chart: share of the 1298 ICS checked in detail, by protocol (port)]
• S7comm (102): 4%
• Modbus (502): 30%
• CoDeSys (2455): 12%
• EIBnet (3671): 18%
• Moxa Nport (4800): 3%
• Lantronix Discovery (30718): 26%
• EtherNET/IP (44818): 1%
• BACnet/IP (47808): 6%

Presenter notes: 1298 ICS we checked in more detail (the most common ports); here is what had at least 1%. Besides that there were DNP and ROC Plus.
Page 13:

• HVAC and temperature controllers

• „Smart“ buildings

• Solar power plants

• Biogas plant

• Local power grid controller

• General use PLCs

• Elevator controller

• Camera systems controller

• Physical security systems

• Industrial processes controllers

• Industrial measuring equipment

What is/was (probably) out there?

Presenter notes: We didn't interact with these services, we only checked port 80. Some of these categories are based on reverse lookup of hostnames and some on what we saw.
Page 14:

Some control panels required authentication…

Presenter notes: Of the 1298 ICS we checked in more detail, 724 had port 80 open and some of them had a console/control panel running.
Page 15:

…others didn't

Presenter notes: Of the 1298 ICS we checked in more detail, 724 had port 80 open and some of them had a console. Some let us just read, but some would have let us reconfigure anything.
Page 16:

Presenter notes: Many, many solar power plants, some with actually quite considerable output. There is a configuration option; some did protect it, most didn't…
Page 17:

• Big help from (and big thanks to)

• CZ.NIC – National Registrar for CZ TLD

• NCISA/NÚKIB – National Cyber and Information Security Agency

Informing interested parties

Presenter notes: What could be done through what we found? We don't know; we didn't try to do anything, but an attacker could certainly cause some mischief. Based on a first cursory check from NCISA, it seems no National Critical Infrastructure was found.
Page 18:

Thank you for your attention

TLP: GREEN