an internet wide view of ics devices
play

An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, - PowerPoint PPT Presentation

Oct 25, 2022 •352 likes •729 views

An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, M. Tischer, T. Chuenchujit, T. Yardley, R. Berthier, J. Mason, Z. Durumeric, J. Halderman, M. Bailey Industrial Control Systems (ICS) Operational control and monitoring for

  1. An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, M. Tischer, T. Chuenchujit, T. Yardley, R. Berthier, J. Mason, Z. Durumeric, J. Halderman, M. Bailey

  2. Industrial Control Systems (ICS) Operational control and monitoring for industrial processes 1

  3. Industrial Control Systems (ICS) Operational control and monitoring for industrial processes ICS protocols 1

  4. Insecurity of ICS ICS protocols assume system isolation Evolution: analog wire → digital fieldbus → Ethernet µC Supervisory Computer µC 2

  5. Insecurity of ICS ICS protocols assume system isolation Evolution: analog wire → digital fieldbus → Ethernet µC Supervisory Computer µC 2

  6. Insecurity of ICS ICS protocols assume system isolation Evolution: analog wire → digital fieldbus → Ethernet µC Supervisory Computer µC 2

  7. Insecurity of ICS ICS protocols assume system isolation Evolution: analog wire → digital fieldbus → Ethernet µC Internet Supervisory Computer µC Internet connectivity allows remote control of multiple ICSes 2

  8. Insecurity of ICS ICS protocols assume system isolation Evolution: analog wire → digital fieldbus → Ethernet µC Internet Supervisory Computer µC Internet connectivity allows remote control of multiple ICSes Public Internet = exposure to malicious attackers 2

  9. Remote ICS attack December 2015 30 substations remotely disabled 225,000 people without power 3

  10. Research Questions Understanding the ICS security ecosystem: 1) Vulnerability assessment - What ICS protocols and devices are exposed on the public Internet? 2) Threat landscape - Who is actively scanning for these vulnerable devices? Why are they scanning? 4

  11. ZMap: Fast IPv4 Scanning Port scanning tool by Durumeric et. al in 2013 USENIX Security Symposium Fast : ZMap is 1300 times faster than NMap Single port IPv4 scan on one machine in under 45 mins Extensible : architecture for application-level protocol scanners (i.e. HTTP, SSH) Well-tooled : Censys scan database and querying infrastructure Used in hundreds of academic studies 5

  12. Detecting ICS Devices 1) Port scans - 10 most common ICS protocol ports Upper-bound : port overlap with non-ICS services 2) Protocol scans - Implemented 5 protocol parsers Modbus, BACnet, Tridium Fox, Siemens S7, DNP3 Lower-bound : only query common configs / protocol device addresses 6

  13. Ethical Scanning Reducing scan impact Scan in random order to avoid overwhelming networks Signal benign nature over HTTP and w/ DNS hostnames Honor all scan exclusion requests 7

  14. Ethical Scanning Reducing scan impact Scan in random order to avoid overwhelming networks Signal benign nature over HTTP and w/ DNS hostnames Honor all scan exclusion requests Special ICS considerations Extensive local testing prior to scanning Benign queries that do not alter device state 7

  15. Found: ICS Devices Full IPv4 scans between March 14-19, 2016 Upper bound: ~4 million devices Lower bound: 69,000 devices for 5 protocols 31.5% more devices found than previously reported by Matherly, J.C. Top protocols: 1) Tridium Fox 26,299 devices 2) Modbus 21,596 devices 3) BACnet 16,752 devices 4) Siemens S7 2,357 devices 5) DNP3 419 devices 8

  16. Tridium Fox Proprietary protocol for building automation Coordinates supervisory systems 9

  17. Modbus Designed in 1979! WHOIS lookups for Orange AS Master-slave architecture Limited to 247 devices on network 10

  18. Increasing ICS Exposure 11

  19. ICS Network Exposure 12

  20. ICS Network Exposure 37% 0.5% of ASes 12

  21. ICS Network Exposure 76% 5% of ASes 12

  22. ICS Network Exposure 32% Verizon Wireless 12

  23. Research Questions Understanding the ICS security ecosystem: 1) Vulnerability assessment - What ICS protocols and devices are exposed on the public Internet? 2) Threat landscape - Who is actively scanning for these vulnerable devices? Why are they scanning? 13

  24. Network Telescope Darknet = large blocks of unused IP address space Any darknet traffic is attributable to: 1) misconfiguration 2) spoofed IP backscatter 3) active scanning Passively collect UDP/TCP traffic for all ports on a /8 subnet 14

  25. Network Telescope Scans during August 2015 15

  26. Network Telescope Scans during August 2015 15

  27. Network Telescope Scans during August 2015 15

  28. Network Telescope Scans during August 2015 15

  29. Network Telescope Scans during August 2015 15

  30. Conpot: ICS Honeypot Open source low-interaction honeypot Simulates protocol behavior of a real device Interactive traffic indicates live scanner Supports S7, Modbus, BACnet Actively collect interactive scanner behavior 16

  31. Conpot: ICS Honeypot 20 Conpot instances on Amazon EC2 Dec 4, 2015 - Feb 14, 2016 Protocol / scanner distribution consistent with network telescope Scanning is not correlated to the number of exposed devices 17

  32. Conpot: ICS Honeypot 20 Conpot instances on Amazon EC2 Dec 4, 2015 - Feb 14, 2016 Protocol / scanner distribution consistent with network telescope Scanning is not correlated to the number of exposed devices 17

  33. # ICS Devices Found Conpot: ICS Honeypot Modbus 21,596 devices (53%) BACnet 16,752 devices (41%) 20 Conpot instances on Amazon EC2 Siemens S7 2,357 devices (6%) Dec 4, 2015 - Feb 14, 2016 Protocol / scanner distribution consistent with network telescope Scanning is not correlated to number of exposed devices 17

  34. Scan Behaviors Modbus Master Relatively benign scanning Slave 0 Slave 1 Slave 2 Modbus example: 70% - Read device identification 30% - Report slave ID for slave address 0 or 255 (default if empty) No actuating commands or configuration enumeration 18

  35. Responsible Disclosure Part of a study by Li et. al in 2013 USENIX Security Symposium Vulnerability notifications for 79% of hosts with abuse WHOIS contacts ~7% of notified WHOIS contacts removed their ICS devices from Internet Still a large remainder of exposed devices - repeat notifications ineffective 19

  36. Recap ICS insecurity: ICS protocols were designed for isolated systems No built-in Internet security Vulnerability assessment: Found 69,000 Internet-exposed ICS devices Increasing over time Threat landscape: Majority of scanning is by researchers Some from suspicious bulletproof hosts 20 Questions? zanema2@illinois.edu

  37. An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, M. Tischer, T. Chuenchujit, T. Yardley, R. Berthier, J. Mason, Z. Durumeric, J. Halderman, M. Bailey

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a

WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a

WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a Global View the Internet is an evolving open system no central point, no typical network or user complexity everywhere: topology, usage

608 views • 13 slides
H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning Vulnerability Mitigation with Internet wide Scanning J. Alex Halderman Mining Your Ps and Qs: Widespread Weak Keys in Network Devices Nadia Heninger, Zakir

640 views • 53 slides
1 What is is a page on the web? a page on the web? What a resource (i.e. a file),

1 What is is a page on the web? a page on the web? What a resource (i.e. a file),

Lecture 2. Lecture 2. Internet: Internet: who talks with whom? who talks with whom? An application layer view, An application layer view, with particular attention to the with particular attention to the World Wide Web World Wide Web G.

478 views • 12 slides
OLSR for InternetCAR system Kouji Okada(okada @sfc.wide.ad.jp) Ryuji

OLSR for InternetCAR system Kouji Okada(okada @sfc.wide.ad.jp) Ryuji

OLSR for InternetCAR system Kouji Okada(okada @sfc.wide.ad.jp) Ryuji Wakikawa(ryuji@sfc.wide.ad.jp) Keio University , Japan http://www.wide.ad.jp/ Introduction Spread of internet connectivity Non-computer devices have IPv6 protocol

243 views • 20 slides
4. The Internet and the World Wide Web 4.1 History of the Internet 4.2 The World Wide Web and

4. The Internet and the World Wide Web 4.1 History of the Internet 4.2 The World Wide Web and

4. The Internet and the World Wide Web 4.1 History of the Internet 4.2 The World Wide Web and the Browser 4.3 What Browsers Can Do for Us 4.4 What is a Website? 4.5 Website Design 4.6 Other Creatures on the Web 4.7 Key Web Software

1.02k views • 97 slides
From a World-Wide Web of Pages to a World-Wide Web of Things Interoperability for Connected

From a World-Wide Web of Pages to a World-Wide Web of Things Interoperability for Connected

From a World-Wide Web of Pages to a World-Wide Web of Things Interoperability for Connected Devices Dave Raggett 16 March2016 The Internet of Things Still very immature, but with massive potential Lack of interoperability at the application

440 views • 31 slides
1 The Internet of Things (IoT) - expansion of the Internet to include physical devices; thereby

1 The Internet of Things (IoT) - expansion of the Internet to include physical devices; thereby

1 The Internet of Things (IoT) - expansion of the Internet to include physical devices; thereby bridging the divide between the physical world and cyberspace. These devices or \things" are uniquely identifiable, fitted with sensors and

640 views • 41 slides
Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Fast Internet-Wide Scanning, ZMap Weak Keys and the HTTPS Certificate Ecosystem Zakir Durumeric Michael Bailey University of Michigan ZMap: Fast Internet-Wide Scanning, Weak Keys, and the HTTPS Certificate Ecosystem Zakir Durumeric

491 views • 46 slides
Programmers View of Internet Programmers View of Internet CS 105 Tour of the Black

Programmers View of Internet Programmers View of Internet CS 105 Tour of the Black

Programmers View of Internet Programmers View of Internet CS 105 Tour of the Black Holes of Computing 1. Hosts are mapped to a set of 32-bit IP(v4) addresses or 128-bit IP(v6)

314 views • 12 slides
wide side of the Internet why 1/x distribu4on is so

wide side of the Internet why 1/x distribu4on is so

wide side of the Internet why 1/x distribu4on is so prevalent in Internet data? the spo:er team S. Laki Physics of Complex Systems P.

360 views • 24 slides
Internet Observation with N-TAP: how it works and what it does Kenji Masui

Internet Observation with N-TAP: how it works and what it does Kenji Masui

10th CAIDA/WIDE Workshop - 1st CAIDA/WIDE/CASFI Workshop (2008-08-16) Internet Observation with N-TAP: how it works and what it does Kenji Masui kmasui@gsic.titech.ac.jp WIDE Project / Tokyo Institute of Technology Internet Observation with

309 views • 17 slides
Wide Bandgap Semiconductors for Microwave Power Devices Dr. C. E. Weitzel Consultant: Wide

Wide Bandgap Semiconductors for Microwave Power Devices Dr. C. E. Weitzel Consultant: Wide

Wide Bandgap Semiconductors for Microwave Power Devices Dr. C. E. Weitzel Consultant: Wide Bandgap Power Devices Presentation Outline Why Wide Bandgap Semiconductors? SiC Microwave Power Devices What are FET FieldPlates?

778 views • 41 slides
Mobile Ad-hoc Network WIDE project/KEIO University ryuji@sfc.wide.ad.jp ToC Global Internet

Mobile Ad-hoc Network WIDE project/KEIO University ryuji@sfc.wide.ad.jp ToC Global Internet

Mobile Ad-hoc Network WIDE project/KEIO University ryuji@sfc.wide.ad.jp ToC Global Internet Connectivity MANET/NEMO integration IPv6 Support on MANET MANET on the Internet Where can MANET be deployed in our daily life?

564 views • 27 slides
INTRODUCTION TO WEB DESIGN EHIMA PRINCE THE INTERNET AND THE WORLD WIDE WEB The Internet is the

INTRODUCTION TO WEB DESIGN EHIMA PRINCE THE INTERNET AND THE WORLD WIDE WEB The Internet is the

INTRODUCTION TO WEB DESIGN EHIMA PRINCE THE INTERNET AND THE WORLD WIDE WEB The Internet is the collection of huge network that is accessible to everyone and everywhere across the world. It connects millions of computers together globally,

338 views • 8 slides
The Internet and World Wide Web CSE 190 M (Web Programming), Spring 2007 University of Washington

The Internet and World Wide Web CSE 190 M (Web Programming), Spring 2007 University of Washington

CSE 190 M Slides: Internet/WWW Page 1 The Internet and World Wide Web CSE 190 M (Web Programming), Spring 2007 University of Washington Reading: Sebesta Ch. 1 sections 1.1 - 1.5.2, 1.7 - 1.8.5, 1.8.8, 1.9 What is the Internet? A "series

451 views • 6 slides
Web Programming Pingmei Xu World Wide Web Wikipedia definition: a system of interlinked

Web Programming Pingmei Xu World Wide Web Wikipedia definition: a system of interlinked

Web Programming Pingmei Xu World Wide Web Wikipedia definition: a system of interlinked hypertext documents accessed via the Internet. image from http://www.syslog.cl.cam.ac.uk/ Web Internet World Wide Web : a collection Internet : a

876 views • 65 slides
Clusters Running Hadoop Dr. Renato Figueiredo ACIS Lab - University of Florida Advanced

Clusters Running Hadoop Dr. Renato Figueiredo ACIS Lab - University of Florida Advanced

Plug-and-play Virtual Appliance Clusters Running Hadoop Dr. Renato Figueiredo ACIS Lab - University of Florida Advanced Computing and Information Systems laboratory Introduction You have so far learned about how to use Hadoop clusters

642 views • 45 slides
Aging in Place with an Internet of Things CCC Aging in Place Workshop

Aging in Place with an Internet of Things CCC Aging in Place Workshop

Images: Clker.com, Junklads.com Aging in Place with an Internet of Things CCC Aging in Place Workshop September, 2014 Howard Wactlar Computer Science Department Carnegie

279 views • 11 slides
SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1 2 Alexa, unlock the front door. 3 Internet of Things 4 Internet of Things 4 Internet of Things 4 Internet of Things

1.12k views • 77 slides
Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing

Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing

Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing local network and Internet access for IoT devices Cloud-managed network-access authoriza=on Bootstrapping security between device and cloud

328 views • 20 slides
Chapter 5 Local Area Networks Computer Concepts 2013 5 Chapter Contents Section A: Network

Chapter 5 Local Area Networks Computer Concepts 2013 5 Chapter Contents Section A: Network

13-10-11 Chapter 5 Local Area Networks Computer Concepts 2013 5 Chapter Contents Section A: Network Building Blocks Section B: Wired and Wireless Technologies Section C: Network Setup Section D: Sharing Files Section

357 views • 16 slides
Embedded Operating Systems and Linux Amir Hossein Payberah payberah@gmail.com 1 Agenda

Embedded Operating Systems and Linux Amir Hossein Payberah payberah@gmail.com 1 Agenda

Embedded Operating Systems and Linux Amir Hossein Payberah payberah@gmail.com 1 Agenda Embedded Systems Real Time Systems Who Are The Players? Linux As An Embedded OS Kernel 2.4 vs. 2.6 Applications And Products The

865 views • 64 slides
Simple building blocks 2 taken to the extreme! Lego house built for Top Gear's James May

Simple building blocks 2 taken to the extreme! Lego house built for Top Gear's James May

Rise of the Appliances How purpose built hardware is enabling the next generation of massive scale infrastructure Hans Jespersen Principal Systems Engineer Solace Systems Inc. hans.jespersen@solacesystems.com Simple building blocks 2

673 views • 46 slides
Future Internet Chapter 5: Network Function Virtualization 5a: Basics Holger Karl Computer

Future Internet Chapter 5: Network Function Virtualization 5a: Basics Holger Karl Computer

Future Internet Chapter 5: Network Function Virtualization 5a: Basics Holger Karl Computer Networks Group Universitt Paderborn Overview Technical trends & motivation Reference architectures: ETSI, IETF Problems to solve

647 views • 47 slides

More recommend