Dale Peterson of Digital Bond gathered reports and examples from Shodan researchers to quantify and describe ICS devices that are connected to the Internet in Japan. It is not a small number and some of the examples are compelling.
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Internet Accessible ICS in Japan (English)
1. Internet Accessible ICS in Japan
Dale Peterson
Digital Bond, Inc.
peterson@digitalbond.com
Twitter: @digitalbond
2. Is Internet Accessible ICS A Problem?
• To critical infrastructure and society in general?
– In the US, no
– In other countries, some yes and some no
• Hydroelectric Dam in France
– In Japan, needs further investigation, but likely no
• To individual companies
– Yes, clearly YES
– In the US, in Japan and everywhere in the world
– Insecure by design ICS connected to the Internet can
be exploited. Only limit is the input/output.
3. Scanning the Internet for ICS
• You can use or build your own scanner
– Example: Project Redpoint discussed yesterday
• You can use a search engine for Internet
connected devices … Shodan
– http://www.irongeek.com/i.php?page=videos/showme
con2014/1-10-inside-the-worlds-most-dangerous-search-
engine-john-matherly
– HD Moore’s Project Sonar
– Project Shine
– Private efforts
4. Shodan
“I crawl the Internet every month”
“Modeled the output after Google Maps”
“Tracking 550 million devices”
John Matherly
http://www.irongeek.com/i.php?page=videos/showmecon2
014/1-10-inside-the-worlds-most-dangerous-search-engine-john-
matherly
12. Searching Banners
• Many ICS devices have web, ftp, ssh, snmp and
other IT protocols that Shodan searches
• Create a search string and find devices
13.
14.
15.
16. Combining Search Techniques
• EtherNet/IP search identified a device in Japan
– But no useful information came back
• A secondary search of the IP address found an
FTP server and banner
– It’s a Yokogawa device, Data Management Device for
a paperless recorder
• The FTP server allowed anonymous FTP
– PERL Data Language file (PDL)
– Data Display File (DAD)
17. Further Analysis
• PDL files has names/email addresses
– Belongs to major energy and mining company
– Could use these emails in spear-phishing attack
• Tags / Points
– ST1,沈砂池川側水位
– ST2,沈砂池山側水位
– ST3,三号開渠水位
– ST4,川側レーキ電流
18. Let’s Find Some CC-Link
• CC-Link originally developed by Mitsubishi and is
widely deployed in Japan
– Now a standard run by the CC-Link Partner Association
• CC-Link IE does not use IP (or even Ethernet)
• So you can’t use Shodan to search directly for it
21. What Should You Do?
• Asset Owners
– Search Shodan for your IP address space
• Vendors
– Search Shodan for your products
– A nice service for your customer
• Industry Group(s) / CERTS / Others
– Find ICS assets on the Internet and notify owners
22. Thanks
• John Matherly and Shodan
• Eireann Leverett
– http://www.digitalbond.com/blog/2012/02/09/s4-
video-denial-of-surface-ics-on-the-internet/
• Stephen Hilt
• A number of anonymous researchers