The document discusses the risks associated with internet-accessible industrial control systems (ICS), noting differing impacts on critical infrastructure across various countries. It highlights the use of scanners like Shodan for identifying such devices, emphasizing the vulnerabilities they introduce, particularly for companies. The document suggests that asset owners and vendors should actively search for their IP addresses and products with tools like Shodan to understand and mitigate these risks.

1. Internet Accessible ICS in Japan
Dale Peterson
Digital Bond, Inc.
peterson@digitalbond.com
Twitter: @digitalbond

2. Is Internet Accessible ICS A Problem?
• To critical infrastructure and society in general?
– In the US, no
– In other countries, some yes and some no
• Hydroelectric Dam in France
– In Japan, needs further investigation, but likely no
• To individual companies
– Yes, clearly YES
– In the US, in Japan and everywhere in the world
– Insecure by design ICS connected to the Internet can
be exploited. Only limit is the input/output.

3. Scanning the Internet for ICS
• You can use or build your own scanner
– Example: Project Redpoint discussed yesterday
• You can use a search engine for Internet
connected devices … Shodan
– http://www.irongeek.com/i.php?page=videos/showme
con2014/1-10-inside-the-worlds-most-dangerous-search-
engine-john-matherly
– HD Moore’s Project Sonar
– Project Shine
– Private efforts

4. Shodan
“I crawl the Internet every month”
“Modeled the output after Google Maps”
“Tracking 550 million devices”
John Matherly
http://www.irongeek.com/i.php?page=videos/showmecon2
014/1-10-inside-the-worlds-most-dangerous-search-engine-john-
matherly

5. https://ics-radar.shodan.io/

7. https://www.shodan.io/report/wKyGlXWq

12. Searching Banners
• Many ICS devices have web, ftp, ssh, snmp and
other IT protocols that Shodan searches
• Create a search string and find devices

16. Combining Search Techniques
• EtherNet/IP search identified a device in Japan
– But no useful information came back
• A secondary search of the IP address found an
FTP server and banner
– It’s a Yokogawa device, Data Management Device for
a paperless recorder
• The FTP server allowed anonymous FTP
– PERL Data Language file (PDL)
– Data Display File (DAD)

17. Further Analysis
• PDL files has names/email addresses
– Belongs to major energy and mining company
– Could use these emails in spear-phishing attack
• Tags / Points
– ST1,沈砂池川側水位
– ST2,沈砂池山側水位
– ST3,三号開渠水位
– ST4,川側ﾚｰｷ電流

18. Let’s Find Some CC-Link
• CC-Link originally developed by Mitsubishi and is
widely deployed in Japan
– Now a standard run by the CC-Link Partner Association
• CC-Link IE does not use IP (or even Ethernet)
• So you can’t use Shodan to search directly for it

19. Maybe There Is A CC-Link Gateway
Anybus

20. https://www.shodan.io/search?query=Anybus+country%3Ajp

21. What Should You Do?
• Asset Owners
– Search Shodan for your IP address space
• Vendors
– Search Shodan for your products
– A nice service for your customer
• Industry Group(s) / CERTS / Others
– Find ICS assets on the Internet and notify owners

22. Thanks
• John Matherly and Shodan
• Eireann Leverett
– http://www.digitalbond.com/blog/2012/02/09/s4-
video-denial-of-surface-ics-on-the-internet/
• Stephen Hilt
• A number of anonymous researchers

23. Questions