Wait, ICS doesn’t stand for "Internet-Connected Systems"? - PowerPoint PPT Presentation



SLIDE 1

Wait, ICS doesn’t stand for "Internet-Connected Systems"?

Jan Kopřiva

jan.kopriva@alef.com | @jak0pr ALEF CSIRT

TLP: WHITE

SLIDE 2

Are ICS connected to the internet common?

  • Only a few cases a year make it to mainstream media
  • We tend to assume there are a lot more, but very few studies on the topic exist

SLIDE 3

How would an attacker find connected ICS?

SLIDE 4

Is ICS connected to the internet dangerous?

  • Many industrial protocols lack any security functionalities…
  • …so the short answer is „yes“

SLIDE 5

What did we do?

  • 21st – 22nd October 2019
  • Look at commonly used industrial ports/protocols (mostly using TriOp toolkit)
  • Some limited manual verification of results

SLIDE 6

How many ICS are out there?

[Bar chart by country, rank in parentheses: United Kingdom (10), Australia (9), Sweden (8), Russian Federation (7), France (6), Germany (5), Spain (4), Canada (3), Italy (2), United States (1)]

SLIDE 7

How many ICS are out there?

[Bar chart by country, rank in parentheses: Hungary (20), Norway (19), Belgium (18), Brazil (17), Poland (16), Austria (15), Taiwan (14), Turkey (13), Netherlands (12), Korea (11)]

SLIDE 8

How many ICS are out there?

[Bar chart by country, rank in parentheses: Lithuania (30), China (29), Portugal (28), Greece (27), Japan (26), Romania (25), Denmark (24), Israel (23), Switzerland (22), Czech Republic (21)]

SLIDE 9

That’s not great…

  • If Shodan data were representative for all IPs in a country
  • Czech Republic ~ 0,1% IPs
  • Russia ~ 0,03% IPs
  • United States ~ 0,02% IPs
  • China ~ 0,002% IPs

SLIDE 10

…but is this normal?

[Chart: IPs responding on port 502 (Modbus), 23.08.2019 to 22.10.2019; series: Australia, Canada, China, Czech Republic, Great Britain, Poland, Romania, Russia, Slovakia]

SLIDE 11

Let’s take a look at the Czech Republic…

[Chart: 23.08.2019 to 22.10.2019; series: port 502 (Modbus), port 44818 (EtherNet/IP), port 47808 (BACnet/IP)]

SLIDE 12

What is/was out there?

  • S7comm (102): 4%
  • Modbus (502): 30%
  • EtherNet/IP (2222)
  • CoDeSys (2455): 12%
  • EIBnet (3671): 18%
  • Moxa Nport (4800): 3%
  • Lantronix Discovery (30718): 26%
  • EtherNet/IP (44818): 1%
  • BACnet/IP (47808): 6%

SLIDE 13

What is/was (probably) out there?

  • HVAC and temperature controllers
  • „Smart“ buildings
  • Solar power plants
  • Biogas plant
  • Local power grid controller
  • General use PLCs
  • Elevator controller
  • Camera systems controller
  • Physical security systems
  • Industrial processes controllers
  • Industrial measuring equipment

SLIDE 14

Some control panels required authentication…

SLIDE 15

…others didn‘t

SLIDE 16

Informing interested parties

  • Big help from (and big thanks to)
      • CZ.NIC – National Registrar for CZ TLD
      • NCISA/NÚKIB – National Cyber and Information Security Agency

SLIDE 17

That was then…

[Chart over time: 24.10.2019 to 10.01.2020]

SLIDE 18

…this is now

  • 122,784 ICS systems on Shodan - January 10th

[Bar chart by country: PL, TW, AU, GB, KR, RU, DE, ES, CA, US]

SLIDE 19

A look at current situation in Spain

  • S7comm: 349
  • Modbus: 1333
  • CoDeSys: 127
  • EIBnet: 1890
  • Moxa Nport: 249
  • Lantronix Discovery: 77
  • EtherNet/IP: 194
  • BACnet/IP: 195
  • Rest: 929

SLIDE 20

Thank you for your attention

TLP: WHITE