ICS accessible from the Internet bad (and very common) practice
Jan Kopřiva, jan.kopriva@alef.com, ALEF CSIRT
TLP: GREEN
Are ICS connected to the internet common?
• Only a few cases a year make it to mainstream media
• We tend to assume there are a lot more, but very few studies on the topic exist
How would an attacker find connected ICS?
Is ICS connected to the internet dangerous?
• Many industrial protocols lack any security functionalities…
• …so the short answer is "yes"
What did we do?
• 21st – 22nd October 2019
• Look at commonly used industrial ports/protocols (mostly using the TriOp toolkit)
• Some limited manual verification of results
How many ICS are out there?
[Figure: bar chart of countries ranked 1 to 10, horizontal axis 0 to 60000. Countries shown: United Kingdom, Australia, Sweden, Russian Federation, France, Germany, Spain, Canada, Italy, United States.]
How many ICS are out there?
[Figure: bar chart of countries ranked 11 to 20, horizontal axis 0 to 3000. Countries shown: Hungary, Norway, Belgium, Brazil, Poland, Austria, Taiwan, Turkey, Netherlands, Korea.]
How many ICS are out there?
[Figure: bar chart of countries ranked 21 to 30, horizontal axis 0 to 1600. Countries shown: Lithuania, China, Portugal, Greece, Japan, Romania, Denmark, Israel, Switzerland, Czech Republic.]
That's not great…
• If Shodan data were representative of all IPs in a country:
  • Czech Republic ~ 0.1% of IPs
  • Russia ~ 0.03% of IPs
  • United States ~ 0.02% of IPs
  • China ~ 0.002% of IPs
…but is this normal?
[Figure: line chart of IPs responding on port 502 (Modbus), vertical axis 0 to 800, dates 23.08.2019 to 22.10.2019. Series: Australia, Canada, China, Czech Republic, Great Britain, Poland, Romania, Russia, Slovakia.]
Let's take a look at the Czech Republic…
[Figure: line chart of responding IPs in the Czech Republic, vertical axis 0 to 450, dates 23.08.2019 to 22.10.2019. Series: port 502 (Modbus), port 44818 (EtherNet/IP), port 47808 (BACnet/IP).]
What is/was out there?
• S7comm (102): 4%
• Modbus (502): 30%
• CoDeSys (2455): 12%
• EIBnet (3671): 18%
• Moxa Nport (4800): 3%
• Lantronix Discovery (30718): 26%
• EtherNet/IP (44818): 1%
• BACnet/IP (47808): 6%
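A defender-side check built from the port list above, as an added example that is not part of the original slides: it flags accepted inbound flows from outside the internal address space to any of the listed ICS ports. The flow-log format, the choice of RFC 1918 ranges as "internal" and all sample addresses are constructed assumptions.

```python
import ipaddress

# Ports and protocol names as listed on the "What is/was out there?" slide.
ICS_PORTS = {
    102: "S7comm", 502: "Modbus", 2455: "CoDeSys", 3671: "EIBnet",
    4800: "Moxa Nport", 30718: "Lantronix Discovery",
    44818: "EtherNet/IP", 47808: "BACnet/IP",
}

# Assumption: the site's internal address space is RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a hypothetical "src dst dport action" flow-log format.
# External sources use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 10.0.5.20 502 ACCEPT
10.0.1.15 10.0.5.20 502 ACCEPT
203.0.113.44 10.0.5.31 47808 ACCEPT
203.0.113.44 10.0.5.31 44818 DROP
198.51.100.9 10.0.2.8 443 ACCEPT
192.0.2.200 10.0.5.40 102 ACCEPT
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INTERNAL_NETS)

def exposed_ics_services(log_text):
    """Return {(dst, port, protocol): sorted external sources} for accepted
    flows that reach an ICS port from outside INTERNAL_NETS."""
    findings = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        src, dst, dport, action = fields
        try:
            port = int(dport)
            external = not is_internal(src)
        except ValueError:
            continue  # unparsable port or address
        if action == "ACCEPT" and port in ICS_PORTS and external:
            findings.setdefault((dst, port, ICS_PORTS[port]), set()).add(src)
    return {key: sorted(srcs) for key, srcs in findings.items()}

if __name__ == "__main__":
    for (dst, port, proto), srcs in exposed_ics_services(SAMPLE_LOG).items():
        print(f"{dst}:{port} ({proto}) reachable from {', '.join(srcs)}")
```

Each finding is a controller that answered an Internet source on a protocol the slides describe as lacking security functionality, so it is a candidate for a firewall or VPN change.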
What is/was (probably) out there?
• HVAC and temperature controllers
• "Smart" buildings
• Solar power plants
• Biogas plant
• Local power grid controller
• General use PLCs
• Elevator controller
• Camera systems controller
• Physical security systems
• Industrial processes controllers
• Industrial measuring equipment
Some control panels required authentication…
…others didn't
Informing interested parties
• Big help from (and big thanks to)
  • CZ.NIC – National Registrar for CZ TLD
  • NCISA/NÚKIB – National Cyber and Information Security Agency
Thank you for your attention