127 research outputs found

    Impact of the Shodan Computer Search Engine on Internet-facing Industrial Control System Devices

    The Shodan computer search engine crawls the Internet attempting to identify any connected device. Using Shodan, researchers identified thousands of Internet-facing devices associated with industrial control systems (ICS). This research examines the impact of Shodan on ICS security, evaluating Shodan's ability to identify Internet-connected ICS devices and assessing whether targeted attacks occur as a result of Shodan identification. In addition, this research evaluates the ability to limit device exposure to Shodan through service banner manipulation. Shodan's impact was evaluated by deploying four high-interaction, unsolicited honeypots over a 55 day period, each configured to represent Allen-Bradley programmable logic controllers (PLC). All four honeypots were successfully indexed and identifiable via the Shodan web interface in less than 19 days. Despite being indexed, there was no increased network activity or targeted ICS attacks. Although results indicate Shodan is an effective reconnaissance tool, results contrast claims of its use to broadly identify and target Internet-facing ICS devices. Additionally, the service banner for two PLCs was modified to evaluate the impact on Shodan indexing capabilities. Findings demonstrated service banner manipulation successfully limited device exposure from Shodan queries.

    Uncovering Vulnerable Industrial Control Systems from the Internet Core

    Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure but also the Internet ecosystem (e.g., DRDoS attacks). In this paper, we uncover unprotected inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. This traffic analysis is correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We provide an in-depth view on Internet-wide ICS communication. Our results can be used i) to create precise filters for potentially harmful non-industrial ICS traffic, and ii) to detect ICS sending unprotected inter-domain ICS traffic, being vulnerable to eavesdropping and traffic manipulation attacks.

    A Framework for the Design of IoT/IIoT/CPS Honeypots


    Creating Convincing Industrial-Control-System Honeypots

    Cyberattacks on industrial control systems (ICSs) can be especially damaging since they often target critical infrastructure. Honeypots are valuable network-defense tools, but they are difficult to implement for ICSs because they must then simulate more than familiar protocols. This research compared the performance of the Conpot and GridPot honeypot tools for simulating nodes on an electric grid for live (not recorded) traffic. We evaluated the success of their deceptions by observing their activity types and by scanning them. GridPot received a higher rate of traffic than Conpot, and many visitors to both were deceived as to whether they were dealing with a honeypot. We also tested Shodan's Honeyscore for finding honeypots, and found it was fooled by our honeypots as well as others when, like most users, it did not take site history into account. This is good news for collecting useful attack intelligence with ICS honeypots.

    Constructing Cost-Effective and Targetable ICS Honeypots Suited for Production Networks

    Honeypots are a technique that can mitigate the risk of cyber threats. Effective honeypots are authentic and targetable, and their design and implementation must accommodate risk tolerance and financial constraints. The proprietary, and often expensive, hardware and software used by Industrial Control System (ICS) devices creates the challenging problem of building a flexible, economical, and scalable honeypot. This research extends Honeyd into Honeyd+, making it possible to use the proxy feature to create multiple high interaction honeypots with a single Programmable Logic Controller (PLC). Honeyd+ is tested with a network of 75 decoy PLCs, and the interactions with the decoys are compared to a physical PLC to test for authenticity. The performance test evaluates the impact of multiple simultaneous connections to the PLC. The functional test is successful in all cases. The performance test demonstrated that the PLC is a limiting factor, and that introducing Honeyd+ has a marginal impact on performance. Notable findings are that the Raspberry Pi is the preferred hosting platform, and more than five simultaneous connections were not optimal.

    Improving the National Cyber-security by Finding Vulnerable Industrial Control Systems from the Internet

    Industrial automation systems, used among other things in power generation, electricity distribution and wastewater treatment, can be found on the public Internet. The need for remote management and centralisation, together with poor product design and errors in system deployment, have exposed automation systems to anyone's reach. Securing the critical-infrastructure systems that society depends on is essential for national cyber security: problems in critical infrastructure can cause severe disruptions across society. In recent years a growing number of cyber attacks has been observed. Both criminal and state actors are developing cyber weapons, and industrial automation systems have also been targeted. In 2010 the Stuxnet malware succeeded in penetrating the systems of an Iranian nuclear fuel enrichment facility and causing extensive physical damage. This thesis presents a concept for automatically finding vulnerable industrial automation systems and reporting the findings to the authorities for further action. The thesis also presents a prototype used to test the viability of the concept on real Finnish systems over the Internet: with the help of a fingerprint database and port scanning, 91 possible industrial automation devices were found among 2913 IP addresses. Suspected industrial automation systems can be found on the Internet, but assessing the criticality and importance of the systems found without intruding into the target is difficult. The concept would be made considerably more effective by automated security auditing, with which the most important and most vulnerable targets could be located and removed from view quickly. Auditing without the permission of the system owners would, however, require changes to legislation.

    Industrial control systems (ICS), which are used to control critical elements of the society's maintenance such as power generation and electricity distribution, are exposed to the Internet as a result of insecure design and installation faults. Securing critical industrial systems is important for national cyber-security; malfunctioning elements in the critical infrastructure can quickly cascade into a wide range of problems in the society. In recent years an increasing number of cyber-attacks has been observed, and nations and criminals are developing offensive cyber-capabilities; industrial systems are also targeted, as was seen with the Stuxnet malware in 2010 causing havoc in an Iranian uranium enrichment facility. In this thesis a concept is presented to automatically find and evaluate exposed ICSs and report vulnerable devices to authorities for remediation. A prototype of the concept is built to prove the viability of the concept and to get data from port scanning real ICS devices in the Internet. With the prototype, 91 ICS devices were found out of the assigned 2913 IP addresses. Traffic volume produced by the scanner was insignificant compared to overall Finnish Internet traffic. The concept, called KATSE, is viable but not without challenges: ICS devices can definitely be identified from the Internet, but analyzing the actual importance and purpose of the devices is difficult. Currently the Finnish legislation does not allow system intrusions or unauthorized security auditing even by authorities. Automated security auditing for the found devices would be useful to find the most vulnerable devices first, but such auditing would require a change in legislation.

    Dynamic Honeypot Configuration for Programmable Logic Controller Emulation

    Attacks on industrial control systems and critical infrastructure are on the rise. Important systems and devices like programmable logic controllers are at risk due to outdated technology and ad hoc security measures. To mitigate the threat, honeypots are deployed to gather data on malicious intrusions and exploitation techniques. While virtual honeypots mitigate the unreasonable cost of hardware-replicated honeypots, these systems often suffer from a lack of authenticity due to proprietary hardware and network protocols. In addition, virtual honeynets utilizing a proxy to a live device suffer from performance bottlenecks and limited scalability. This research develops an enhanced, application layer emulator capable of alleviating honeynet scalability and honeypot inauthenticity limitations. The proposed emulator combines protocol-agnostic replay with dynamic updating via a proxy. The result is a software tool which can be readily integrated into existing honeypot frameworks for improved performance. The proposed emulator is evaluated on traffic reduction on the back-end proxy device, application layer task accuracy, and byte-level traffic accuracy. Experiments show the emulator is able to successfully reduce the load on the proxy device by up to 98% for some protocols. The emulator also provides equal or greater accuracy over a design which does not use a proxy. At the byte level, traffic variation is statistically equivalent while task success rates increase by 14% to 90% depending on the protocol. Finally, of the proposed proxy synchronization algorithms, templock and its minimal variant are found to provide the best overall performance.

    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisation and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place, as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker's to determine weaknesses and loopholes in defences. Such mindsets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability.

    An Empirical Analysis of Cyber Deception Systems
