Dale Peterson of Digital Bond gathered reports and examples from Shodan researchers to quantify and describe ICS devices that are connected to the Internet in Japan. It is not a small number and some of the examples are compelling.

1. Internet Accessible ICS in Japan
Dale Peterson
Digital Bond, Inc.
peterson@digitalbond.com
Twitter: @digitalbond

2. Is Internet Accessible ICS A Problem?
• To critical infrastructure and society in general?
– In the US, no
– In other countries, some yes and some no
• Hydroelectric Dam in France
– In Japan, needs further investigation, but likely no
• To individual companies
– Yes, clearly YES
– In the US, in Japan and everywhere in the world
– Insecure by design ICS connected to the Internet can
be exploited. Only limit is the input/output.

3. Scanning the Internet for ICS
• You can use or build your own scanner
– Example: Project Redpoint discussed yesterday
• You can use a search engine for Internet
connected devices … Shodan
– http://www.irongeek.com/i.php?page=videos/showme
con2014/1-10-inside-the-worlds-most-dangerous-search-
engine-john-matherly
– HD Moore’s Project Sonar
– Project Shine
– Private efforts

4. Shodan
“I crawl the Internet every month”
“Modeled the output after Google Maps”
“Tracking 550 million devices”
John Matherly
http://www.irongeek.com/i.php?page=videos/showmecon2
014/1-10-inside-the-worlds-most-dangerous-search-engine-john-
matherly

5. https://ics-radar.shodan.io/

7. https://www.shodan.io/report/wKyGlXWq

12. Searching Banners
• Many ICS devices have web, ftp, ssh, snmp and
other IT protocols that Shodan searches
• Create a search string and find devices

16. Combining Search Techniques
• EtherNet/IP search identified a device in Japan
– But no useful information came back
• A secondary search of the IP address found an
FTP server and banner
– It’s a Yokogawa device, Data Management Device for
a paperless recorder
• The FTP server allowed anonymous FTP
– PERL Data Language file (PDL)
– Data Display File (DAD)

17. Further Analysis
• PDL files has names/email addresses
– Belongs to major energy and mining company
– Could use these emails in spear-phishing attack
• Tags / Points
– ST1,沈砂池川側水位
– ST2,沈砂池山側水位
– ST3,三号開渠水位
– ST4,川側ﾚｰｷ電流

18. Let’s Find Some CC-Link
• CC-Link originally developed by Mitsubishi and is
widely deployed in Japan
– Now a standard run by the CC-Link Partner Association
• CC-Link IE does not use IP (or even Ethernet)
• So you can’t use Shodan to search directly for it

19. Maybe There Is A CC-Link Gateway
Anybus

20. https://www.shodan.io/search?query=Anybus+country%3Ajp

21. What Should You Do?
• Asset Owners
– Search Shodan for your IP address space
• Vendors
– Search Shodan for your products
– A nice service for your customer
• Industry Group(s) / CERTS / Others
– Find ICS assets on the Internet and notify owners

22. Thanks
• John Matherly and Shodan
• Eireann Leverett
– http://www.digitalbond.com/blog/2012/02/09/s4-
video-denial-of-surface-ics-on-the-internet/
• Stephen Hilt
• A number of anonymous researchers

23. Questions