Early detection of ICS attacks decreases the probability of causing damage to the network. In this post I will focus on one of the first stages in ICS attacks, where the attacker attempts to scan the network for devices. First, I will explain the motivation behind the scanning stage, followed by a description of the scanning techniques used. Lastly I will present examples of real-world attacks and malware.
ICS Reconnaissance and Scanning
In general, an ICS attack campaign can be divided into several stages.
In the first, “Reconnaissance” stage, the attacker will look for information about the target. Web tools such as “shodan” provide insight into ICS networks that are (still) connected to the web. Information related to SCADA systems, including credentials, IP addresses and company details is available in the cyber black-market. In addition, too many ICS networks have web servers that are poorly segregated from the IT network. Those servers can potentially be an entrance point to the internal network.
Following the reconnaissance stage is the scanning stage, in which the attacker gathers information about the target network. First, the attacker will attempt to find network IPs, firewalls and topology. Next, he will try to determine the operating systems and the services that run on each machine. For each service, he will try to determine its probable vulnerabilities.
Using the information gathered in the first two stages, the attacker will try to tamper with the network, and proceed to more advanced stages (that are beyond the scope of this post.)
Scanning the OT network
The scanning phase in OT networks is quite similar to IT network scanning. However, there are several major differences.
As the attacker enters the operational network, he will need to validate its architecture and the information gathered. From the attacker’s perspective, this validation is crucial in order to execute an effective attack (see our previous post).
How can the attacker validate the information? He can read the tags from the OPC server, which hopefully will have meaning full names. He can try to take snapshots from the HMI. He will attempt to sniff the network to validate the communication to the controllers.
In addition, the attacker will try to send benign commands to potential controllers. He may also attempt to change parameter values (unbeknownst to the operator, of course). These actions guarantee that on attack day the attacker would be able to take over the platform, and cause the desired damage.
In this section I’ll review the techniques used for scanning devices in the network. Important note: active scanning of the OT network can cause damage. Please do not use these methods without professional guidance.
ARP Scanning: ARP is a protocol used for converting network addresses (IP) into physical addresses (MAC). Whenever a network element sends packets to another element, it must know the destination element’s IP address, and the MAC address of the device in the next hop in the route to the destination. To do so, the sender element looks for the next hop MAC address in its cache. If it is not there, the sender element will send an ARP message, requesting the MAC address of the next hop IP address. The response will be the MAC addresses of the requested IP address. In ARP Scanning, the scanner sends multiple ARP requests to the entire range of IP addresses within the sub-network it is located in. Each ARP response indicates a valid networked device.
ICMP Echo Request (ping): ARP scanning allows detection of network elements within the same LAN. In order to scan for devices on a different subnet, the scanner can simply send “ping” messages for an IP range. Once pinged, each existing network element will respond to the scanner, indicating its existence.
The above techniques allow detecting network elements. However, as mentioned, in ICS networks the attacker needs to know more than that: the vendor of the PLCs, which protocols they use, their version and more. This information is attained using the following techniques:
Port Scanning: the scanner scans for open ports in the target element. This can be done in several ways, for example by sending a SYN TCP packet to a specific port. If the port is open, the element will return a SYN-ACK packet; if the port is closed, the element will return a RST-ACK packet. This way the scanner can determine if the port is open or closed. Then, based on which ports are open, the scanner can identify the service that it executes. For instance, the scanner will try to connect to a device on port 502. If successful it would mean that the device is a Modbus device.
Another outcome of port scanning is the detection of services/open ports on the target element. Any service is a potential vulnerability candidate. Sometimes these services are unknown even to the target network manager.
Vendor Detection: in order to detect the vendor of a network element placed on the same LAN as the scanner, the scanner can extract the MAC address of the element. The first three bytes of the MAC address indicate the vendor that had developed that network element (using websites like http://www.macvendorlookup.com/). For example, the three bytes “08-00-06” indicate a device by Siemens AG.
Specific PLC Implementation: detecting the vendor and the protocol is not always enough. The attacker may want to detect the specific type of code that is executed in the PLC (e.g. “is this the PLC that operates the #XYZ turbine?”) Some PLCs allow pulling this information using dedicated commands. Even if no such commands exist, the scanner can check which function codes and registers are supported in a specific PLC. To do this, the scanner will send commands with several function codes. Any response would indicate that the sent function code is supported. The attacker may also try to read all the registers, or only registers that characterize the target PLC implementation.
In conclusion, the process of detecting industrial devices consists of (i) identifying a network element, (ii) scanning its ports to find open ports that indicate industrial protocols, and (iii) verifying that it is indeed an industrial element by sending non-harmful commands such as reading registers.
Real world malicious scanning
The above scanning techniques are used in the first stages of an ICS attacks. Hence, it is not surprising to see them implemented in several ICS malwares:
Honeypots: in a Trend Micro research, the researchers built an ICS Honeypot – a simulated ICS network deliberately designed to be relatively open to attacks, for the purpose of monitoring attackers’ behavior. Their findings were conclusive: the attackers started with scanning the network and the industrial services, followed by attempts to send commands to the industrial devices.
Energetic Bear: an actor involved in several APT campaigns against ICS networks. The APT has a unique module that scans the network for ports related to ICS components: 502 (Modbus), 102 (Siemens PLC), 44818 (Rslinx), 11234 (Measuresoft ScadaPro) and 12401 (7-Technologies IGSS SCADA).
Scanning the OT network is a preliminary stage in attacking ICS networks, allowing the attacker to proceed to more advanced stages. The attacker has several ways to scan the network, and in this article I have presented the major techniques. Real world incidents show that these techniques are indeed used by attackers.
Yehonatan Kfir, CTO