View
145
Download
1
Category
Tags:
Preview:
DESCRIPTION
Dale Peterson of Digital Bond gathered reports and examples from Shodan researchers to quantify and describe ICS devices that are connected to the Internet in Japan. It is not a small number and some of the examples are compelling.
Citation preview
Internet Accessible ICS in Japan
Dale PetersonDigital Bond, Inc.
peterson@digitalbond.comTwitter: @digitalbond
Is Internet Accessible ICS A Problem?
• To critical infrastructure and society in general?– In the US, no– In other countries, some yes and some no
• Hydroelectric Dam in France– In Japan, needs further investigation, but likely
no• To individual companies
– Yes, clearly YES– In the US, in Japan and everywhere in the world– Insecure by design ICS connected to the
Internet can be exploited. Only limit is the input/output.
Scanning the Internet for ICS
• You can use or build your own scanner– Example: Project Redpoint discussed yesterday
• You can use a search engine for Internet connected devices … Shodan– http://www.irongeek.com/i.php?page=videos/
showmecon2014/1-10-inside-the-worlds-most-dangerous-search-engine-john-matherly
– HD Moore’s Project Sonar– Project Shine– Private efforts
Shodan
“I crawl the Internet every month”
“Modeled the output after Google Maps”
“Tracking 550 million devices”John Matherly
http://www.irongeek.com/i.php?page=videos/showmecon2014/1-10-inside-the-worlds-most-
dangerous-search-engine-john-matherly
https://ics-radar.shodan.io/
https://www.shodan.io/report/wKyGlXWq
Searching Banners
• Many ICS devices have web, ftp, ssh, snmp and other IT protocols that Shodan searches
• Create a search string and find devices
Combining Search Techniques
• EtherNet/IP search identified a device in Japan– But no useful information came back
• A secondary search of the IP address found an FTP server and banner– It’s a Yokogawa device, Data Management
Device for a paperless recorder• The FTP server allowed anonymous FTP
– PERL Data Language file (PDL)– Data Display File (DAD)
Further Analysis
• PDL files has names/email addresses– Belongs to major energy and mining company– Could use these emails in spear-phishing attack
• Tags / Points– ST1, 沈砂池川側水位 – ST2, 沈砂池山側水位 – ST3, 三号開渠水位– ST4, 川側 電流レーキ
Let’s Find Some CC-Link
• CC-Link originally developed by Mitsubishi and is widely deployed in Japan– Now a standard run by the CC-Link Partner
Association• CC-Link IE does not use IP (or even Ethernet)• So you can’t use Shodan to search directly
for it
Maybe There Is A CC-Link Gateway
Anybus
https://www.shodan.io/search?query=Anybus+country%3Ajp
What Should You Do?
• Asset Owners– Search Shodan for your IP address space
• Vendors– Search Shodan for your products– A nice service for your customer
• Industry Group(s) / CERTS / Others– Find ICS assets on the Internet and notify
owners
Thanks
• John Matherly and Shodan• Eireann Leverett
– http://www.digitalbond.com/blog/2012/02/09/s4-video-denial-of-surface-ics-on-the-internet/
• Stephen Hilt • A number of anonymous researchers
Questions
Recommended