Revealing Web-Connected Critical Devices
By Yehonatan Kfir, CTO, Radiflow
In my last entry I mentioned shortly the reconnaissance stage in ICS attack campaigns. In this post I will present the risks involved, and I will describe one of the tools used for reconnaissance.
If you read this post through, you will be able to search on your own for web-connected SCADA controllers.
The detection of ICS devices connected to the web involves several stages. The first is scanning the web for devices’ IP addresses. This is followed by applying one of several target profiling methods to each IP address found.
One of the common profiling methods is port scanning. This is followed by attempting to open TCP connections on each port (or at least on the most commonly-used ports) and gathering information about the services related to the open ports found.
For example, finding an open port 502 may indicate a Modbus device. To verify this, the scanner will request information about the device using a Modbus diagnostic command, or by reading registers associated to specific manufactures.
Another method for profiling a target IP address is “Banner-Grabbing”. In this method, the scanner connects to a port and saves the message it receives.
The message may include important information about the target: its service version, whether the service requires authentication, its manufacture and more. The scanner can also look for keywords in the banner that correlate to a specific mode (e.g. “SQL Server” for SQL servers on the web).
Find your target
Internet-wide scanning methods and tools are nowadays openly available. One of the most popular tools is Shodan.
As described on its website, is “Shodan is a search engine for the Internet of Things”. It scans the internet for devices and services, grabs public information from the found devices and classifies them.
All of the information gathered is available for users to search within. The result is that anyone can locate and find various types of embedded web-connected devices.
Shodan even goes one step further: it helps beginner users with pre-configured searches. Once registered to the website, users can search for various devices using multiple filters for type, class, vendor and more, without entering their exact profiles. For example, users can search for “webcams”, “Cisco routers”, or default passwords.
To make it even easier to zero in on devices, Shodan dedicated sections on the site to specific industries. This further demonstrates the increased attention toward ICS systems: in addition to the sections for wind turbines and automated license plate readers, Shodan added a section for ICS/SCADA systems.
For example, searching for a DNP3 device will present a list of all DNP3 devices connected to the internet, complete with each device’s IP address, DNP3 address and geographical location. The preset query for wind turbines will display the information for each, all around the world (most wind turbines are connected to the web directly, exposing volumes of
information about their operation and vulnerabilities.)
Internet-connected devices present an inherent risk to their underlying physical processes. They may become open to DoS attacks, which can sabotage their operation.
In addition, some of these devices have their software version exposed, which helps attackers find exploits unique to the target device’s software version. These exploits can lead to several types of attacks, from DoS to Code Execution.
So how can organizations (operators, manufactures etc.) avert the threat of cyber attack, with the advent of tools that make it simple to find and access ICS networks?
The first step is to increase awareness inside the organization toward the risk posed by connecting devices to the Internet.
This can be achieved by regularly educating ICS engineers about the threats to ICS systems, the tools used by attackers and the methods and the tools used to prevent attacks.
Second, operators and integrators should adhere to one very simple rule: never connect a device to the internet through a non-firewalled connection. In the case of industrial devices, it’s important to make sure that the firewall supports the relevant industrial protocol.
Another important factor is user authentication. While operators need to provide users access to ICS devices for configuration or for viewing, they need to ensure that their firewall model supports user authentication with privilege separation. This requires at least one for viewing and one for editing.
Device manufacturers (controllers, sensors, generators etc.) should install safeguards that would prevent connecting their devices to the internet without a firewall. Hackers hunt down these devices, and it takes only one attack demonstration to create a bad impression of your product.
In addition, vulnerabilities discovered on one costumer’s network may be used to target another user’s network, so the weakest cyber-protected costumer basically defines how secure the product is.
Questions? Drop me a line and I’ll be happy to help you assess the risks on your network and how to mitigate them.