internet accessible ics in japan (english)
DESCRIPTION
Dale Peterson of Digital Bond gathered reports and examples from Shodan researchers to quantify and describe ICS devices that are connected to the Internet in Japan. It is not a small number and some of the examples are compelling.TRANSCRIPT
Is Internet Accessible ICS A Problem?
• To critical infrastructure and society in general?– In the US, no– In other countries, some yes and some no
• Hydroelectric Dam in France– In Japan, needs further investigation, but likely
no• To individual companies
– Yes, clearly YES– In the US, in Japan and everywhere in the world– Insecure by design ICS connected to the
Internet can be exploited. Only limit is the input/output.
Scanning the Internet for ICS
• You can use or build your own scanner– Example: Project Redpoint discussed yesterday
• You can use a search engine for Internet connected devices … Shodan– http://www.irongeek.com/i.php?page=videos/
showmecon2014/1-10-inside-the-worlds-most-dangerous-search-engine-john-matherly
– HD Moore’s Project Sonar– Project Shine– Private efforts
Shodan
“I crawl the Internet every month”
“Modeled the output after Google Maps”
“Tracking 550 million devices”John Matherly
http://www.irongeek.com/i.php?page=videos/showmecon2014/1-10-inside-the-worlds-most-
dangerous-search-engine-john-matherly
https://ics-radar.shodan.io/
https://www.shodan.io/report/wKyGlXWq
Searching Banners
• Many ICS devices have web, ftp, ssh, snmp and other IT protocols that Shodan searches
• Create a search string and find devices
Combining Search Techniques
• EtherNet/IP search identified a device in Japan– But no useful information came back
• A secondary search of the IP address found an FTP server and banner– It’s a Yokogawa device, Data Management
Device for a paperless recorder• The FTP server allowed anonymous FTP
– PERL Data Language file (PDL)– Data Display File (DAD)
Further Analysis
• PDL files has names/email addresses– Belongs to major energy and mining company– Could use these emails in spear-phishing attack
• Tags / Points– ST1, 沈砂池川側水位 – ST2, 沈砂池山側水位 – ST3, 三号開渠水位– ST4, 川側 電流レーキ
Let’s Find Some CC-Link
• CC-Link originally developed by Mitsubishi and is widely deployed in Japan– Now a standard run by the CC-Link Partner
Association• CC-Link IE does not use IP (or even Ethernet)• So you can’t use Shodan to search directly
for it
Maybe There Is A CC-Link Gateway
Anybus
https://www.shodan.io/search?query=Anybus+country%3Ajp
What Should You Do?
• Asset Owners– Search Shodan for your IP address space
• Vendors– Search Shodan for your products– A nice service for your customer
• Industry Group(s) / CERTS / Others– Find ICS assets on the Internet and notify
owners
Thanks
• John Matherly and Shodan• Eireann Leverett
– http://www.digitalbond.com/blog/2012/02/09/s4-video-denial-of-surface-ics-on-the-internet/
• Stephen Hilt • A number of anonymous researchers
Questions