Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Systems (ICS) on the Internet


  1. 1. SCADACS (SCADA & Computer Security). Find Them, Bind Them – Industrial Control Systems (ICS) on the Internet. Johannes Klick, Daniel Marzin. Secure Identity Research Group, Freie Universität Berlin. PHDays, May 2013, Moscow, Russia.
  2. 2. Outline
      • Introduction
      • What is a SCADA system?
      • Our playground
      • Exploits on the Internet
      • Start/Stop Exploit
      • How to find ICS on the Internet
      • Industrial Risk Assessment Map - IRAM
      • SCADACS Search Engine - SSE
      • Evaluation of SHODAN (Preview)
      • Outlook
      • Joint Data Integration and Information
      Slide footer: SCADACS, ICS on the Internet, PHDays 2013
  4. 4. Introduction
      • Prof. Dr. Volker Roth
      • Jan-Ole Malchow
      • Mateusz Khalil
      • Philipp Lämmel
      • Sascha Zinke
      • Robert Fehrmann
  5. 5. Introduction
      • Founded October 2012
      • Testlab
      • Research on:
          • Finding ICS on the Internet
          • MC7-Disassembler / binary analysis
          • ICS specific communication protocols
          • Exploits
      • Stay tuned!
  7. 7. What is a SCADA system?
      • SCADA (Supervisory Control And Data Acquisition)
      • Controls and monitors industrial (often critical) processes
      • Common system components:
          • Programmable logic controllers (PLCs): read sensors, control actuators
          • Remote terminal units (RTU): PLC to SCADA bridge
          • Human machine interface (HMI)
  9. 9. Our playground
      • Sponsored by
      • Siemens Simatic S7-300
      • CPU - 313C 313-5BF03-0ABP
      • Network module - CPC 3431GX30-0XE0
      • Industrial grade PLC (midrange)
      • Programmable e.g. with STL
      • Binary language MC7
  10. 10. Our playground
      • Setup as described in the W32.Stuxnet Dossier (Symantec 2010/2011)
  11. 11. Our playground
      • Siemens Simatic S7-1200
      • CPU - 1200 1212C212-1BE31-0XB0
      • GSM Module - CP 1247-7GPRS
      • HMI - KTP400 Basic color PN
      • Industrial grade PLC (lower end)
      • Programmable e.g. with STL
  13. 13. Exploits on the Internet
  14. 14. Exploits
      • Search tags e.g. simatic
      • Search on one of the following websites:
          • cve.mitre.org (Common Vulnerabilities and Exposures)
          • www.osvdb.org (Open Source Vulnerability Database)
          • www.exploit-db.com (Exploit Database)
          • packetstormsecurity.com (Packet Storm Security)
          • www.metasploit.com (Metasploit)
  16. 16. Start/Stop Exploit
      • Example of a publicly available exploit
      • Siemens Simatic S7 300/400 CPU START/STOP Module
          • Metasploit Module
          • Dillon Beresford (Black Hat US 2011)
      • Function
          • Send start command
          • Send a sequence of stop commands
      • Our analysis
          • It works now
          • Identified the packets
          • Removed unnecessary packets (two thirds)
  17. 17. Exploits
  18. 18. Exploits
  19. 19. Exploits
      • Without Metasploit
      • libnodave (libnodave.sourceforge.net)
      • From Zottel (sps-forum.de) Great Work!
      • Programs to demonstrate the functionality
      • Including start/stop tests
  20. 20. Exploits
      • Stop Exploit - Demo / Video
  22. 22. How to find ICS on the Internet
  25. 25. How to find ICS on the Internet
      • SHODAN
      • shodanhq.com
      • Scans for HTTP(S), Telnet, SNMP, FTP and NetBios
      • Oldest results dating back to 2010
      • Provides an API and search filters for protocols, dates, etc.
  32. 32. How to find ICS on the Internet
      • Devices found on SHODAN (Type: Count)
          • Human Machine Interface: 295
          • Uninterruptible Power Supply: 664
          • Enterprise-Resource-Planning: 1222
          • Supervisory Control and Data Acquisition: 3258
          • PLC Network Device: 9772
          • Programmable Logic Controller: 20501
          • Building Management System: 47764
      • The industry and PLC manufacturers claim that ICS are not connected to the Internet!
  33. 33. How to find ICS on the Internet
  37. 37. How to find ICS on the Internet
      • Project SHINE
      • infracritical.org
      • Running since 2012-04-14
      • Found over 500,000 ICS related entries on SHODAN (ICS-ALERT-13-016A)
      • U.S. DHS reduced the list to 20,000 devices
      • List has since grown to over 800k entries
  39. 39. Industrial Risk Assessment Map - IRAM
  42. 42. Industrial Risk Assessment Map - IRAM
      • Data source: SHODAN
      • 83,541 devices
      • 83 SHODAN search terms e.g.
          • SIMATIC
          • SoftPLC
          • Rockwell Automation+1769
          • i.LON
          • inline+controller
  43. 43. Industrial Risk Assessment Map - IRAM
      • IRAM - 1. DEMO / VIDEO
  45. 45. SCADACS Search Engine - SSE
  49. 49. SCADACS Search Engine - SSE
      • SCADACS Search Engine
      • C implementation using raw sockets
      • Currently scanning at 2,500 IP / s ... (possible up to 25,000 IP / s)
      • Services: HTTP(S), Telnet, S7com, Modbus, (SNMP)
      • Future protocols: BACnet, OPC, SRTP
  53. 53. SCADACS Search Engine - SSE
      • S7 Communication (Siemens PLCs)
          • Proprietary protocol
          • Existing code: libnodave and plcscan
      • Modbus
          • Open protocol
          • Many open-source tools (e.g. plcscan)
  54. 54. SCADACS Search Engine - SSE
      • Thanks to SCADA StrangeLove for the plcscan tool!
  57. 57. SCADACS Search Engine - SSE
      • First Scan Project - Setup
          • Seeding with 7,000 whois queries on IPs found via SHODAN
          • 4,213 European IP blocks
          • 283 million IPs (6.58% of IPv4 address space)
  62. 62. SCADACS Search Engine - SSE
      • First Scan Project - Results (Preview)
          • 10,266 ICS/BMS related answers
          • 436 via S7 Communication
          • 2571 via Modbus
          • 602 IP blocks (Modbus / S7)
          • 132 IP blocks used for dynamic IPs
  64. 64. SCADACS Search Engine - SSE
      • 6 IP blocks owned by a big manufacturer
          • 6.25% of their IPs answer Modbus requests
      • 8 IP blocks owned by critical infrastructure
          • 16% of their IPs answer S7 Communication requests
  65. 65. SCADACS Search Engine - SSE
      • IRAM and SSE (green: Modbus, red: S7 communication)
  67. 67. Evaluation of SHODAN (Preview)
  68. 68. Evaluation of SHODAN (Preview)
      • Scan of a SHODAN sample set (7,000 devices)
      • Approx. 15 % of devices found on SHODAN are reachable at a given time
  72. 72. Evaluation of SHODAN (Preview)
      • IPs crawled by
          • SHODAN: Approx. 4,000,000,000 IPs (worldwide)
          • SSE: 283,000,000 IPs (Europe)
      • Search time used
          • SHODAN: 1080 days (~3 years)
          • SSE: 2 days
  75. 75. Evaluation of SHODAN (Preview)
      • S7 devices found
          • SHODAN: 444
          • SSE: 436
      • Overlap of SHODAN and SSE
          • 125 S7 devices
          • ~28%
  77. 77. Outlook
  81. 81. Joint Data Integration and Information
      • Combine the presented results into one tool
          • Industrial Risk Assessment Map - IRAM
          • SCADACS Search Engine - SSE
          • Exploits
      • What do we get?
  92. 92. Joint Data Integration and Information
      • Easy to use point and click interface
      • Sophisticated target selection (per country, owner, device type, etc.)
      • Integrated vulnerability and exploit database
      • Direct access to network information (ping, whois, reverse DNS)
      • Seamless integration of further data sources
      • Social networks
      • Current geopolitical information
      • Network perimeters
      • Flow of IP packets
      • Direct execution of exploits
      • Up to your imagination...
      • What could it look like?
  93. 93. Joint Data Integration and Information
  94. 94. The End
      • Thank you for your attention.
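
An asset owner can reproduce the two measurements the slides report, the share of a block's addresses answering Modbus or S7 (slide 64) and the overlap between a search-engine index and a fresh scan (slide 75), on results for their own address space. This is an added example, not code from the talk or from SSE; block names, addresses (documentation ranges) and function names are constructed, and the overlap percentage is taken relative to the index's entries, which is an assumption because the slides do not state the denominator.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation address ranges, not real findings.
OWN_BLOCKS = {
    "plant-a": "192.0.2.0/27",     # 32 addresses
    "plant-b": "198.51.100.0/28",  # 16 addresses
}

# (address, protocol) pairs that answered an authorised scan of our own space.
SCAN_ANSWERS = [
    ("192.0.2.5", "modbus"),
    ("192.0.2.9", "modbus"),
    ("192.0.2.9", "modbus"),       # repeated answer, must be counted once
    ("198.51.100.3", "s7"),
    ("198.51.100.4", "s7"),
    ("203.0.113.7", "s7"),         # not in any of our blocks, ignored below
]

# Addresses a third-party index lists as S7 devices (constructed).
INDEX_S7 = {"198.51.100.3", "198.51.100.8", "198.51.100.9", "198.51.100.10"}


def exposure_per_block(blocks, answers):
    """Percentage of each block's addresses that answered, per protocol."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in blocks.items()}
    seen = defaultdict(set)  # (block name, protocol) -> distinct addresses
    for addr, proto in answers:
        ip = ipaddress.ip_address(addr)
        for name, net in nets.items():
            if ip in net:
                seen[(name, proto)].add(ip)
    return {
        key: round(100.0 * len(ips) / nets[key[0]].num_addresses, 2)
        for key, ips in seen.items()
    }


def source_overlap(index_hits, scan_hits):
    """Compare two device lists for the same protocol.

    index_only: listed by the index but not confirmed by the scan
                (possibly stale, offline or on a dynamic address).
    scan_only:  found by the scan but missing from the index.
    """
    index_hits, scan_hits = set(index_hits), set(scan_hits)
    both = index_hits & scan_hits
    pct = round(100.0 * len(both) / len(index_hits), 1) if index_hits else 0.0
    return {
        "both": len(both),
        "index_only": len(index_hits - scan_hits),
        "scan_only": len(scan_hits - index_hits),
        "share_of_index_pct": pct,  # denominator choice is an assumption
    }


def scan_hits_for(answers, proto):
    """Distinct addresses that answered for one protocol."""
    return {addr for addr, p in answers if p == proto}


if __name__ == "__main__":
    for (block, proto), pct in sorted(exposure_per_block(OWN_BLOCKS, SCAN_ANSWERS).items()):
        print(f"{block:8} {proto:7} {pct:6.2f}% of addresses answering")
    print(source_overlap(INDEX_S7, scan_hits_for(SCAN_ANSWERS, "s7")))
```
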
