Project SHINE [UPDATED] Findings Report Results
Bob Radvanovsky, CIFI, CISM, CIPS
rsradvan@infracritical.com
Jake Brodsky, PE
jbrodsky@infracritical.com
10th SANS ICS Security Summit, Orlando, FL, February 23-24, 2015
Project SHINE (SHodan INtelligence Extraction)
Tuesday, February 24, 2015
SHodan INtelligence Extraction
• Project SHINE was dependent upon the SHODAN search engine;
• SHODAN incepted circa 2008;
• SHINE development started mid-2008, ended 31-Jan-2014;
• Question raised: Are industrial control systems directly exposed to the Internet?
• No one appeared to know the magnitude of the issue, or how widespread the issue was; and,
• That question was how Project “SHINE” got started...
Project SHINE
Mission Objectives
● To selectively perform searches from definable, searchable term criteria sets using open intelligence sources;
● To correlate data into meaningful, abstractive and relevant data that could be utilized to demonstrate further trending and/or correlation analysis based on the data given;
● To seek a baseline of how many control systems’ devices exist on the Internet (as of the conclusion of Project SHINE on 31-Jan-2014, we were unable to establish a baseline); and,
● To raise public awareness via governments & media outlets.
Data Artifacts
● The crux of this project was choosing suitable, meaningful search terms that identified control systems devices;
● The project was looking for not just control systems, but also any infrastructure supporting it, such as HVAC systems, serial converters, etc.;
● There were matches not related to actual infrastructure;
● Some units were not counted as some manufacturers’ names changed as firms were bought and sold; and,
● Other devices may have been spuriously counted as similar software may have been used by multiple manufacturers.
Types of Devices Discovered
• Traditional SCADA/ICS
– RTU Systems
– PLC Systems
– IEDs/Sensory Equipment
– SCADA/HMI Servers
– Building Automation
– Medical Devices (DAS)
• Non-Traditional SCADA/ICS
– Intelligent Traffic Control
– Automotive Control
– Traffic/Lighting Control
– HVAC/Environment Control
– Power Regulators/UPS
– Security/Access Control
– Serial Port Servers
– Data Radios
– Mining Equipment
– Traffic Cameras
Manufacturer Results
• 927: total number of search terms
• 886: unique number of search terms; traditional and non-traditional
• 578: unique number of search terms; non-traditional removed
• 207: total number of manufacturers
• 182: unique number of traditional manufacturers
• 41: total search term difference; traditional and non-traditional
• 349: total search term difference; non-traditional removed
• 25: total manufacturer difference
Top 11 Manufacturers
The devices found are estimated at 586,997, approx. 26.84% of the total 2,186,971 devices.
Manufacturer          Count    % of devices found
ENERGYICT             106235   18.10%
SIEMENS               84328    14.37%
MOXA                  78309    13.34%
LANTRONIX             56239    9.58%
NIAGARA               54437    9.27%
GOAHEAD-WEB           42473    7.24%
VXWORKS               34759    5.92%
INTOTO                34686    5.91%
ALLIED-TELESYS        34573    5.89%
DIGI INTERNATIONAL    30557    5.21%
EMBEDTHIS-WEB         30381    5.17%
Top 16 HVAC/BACNet Manufacturers
The devices found are estimated at 13,475, approx. 0.62% of the total 2,186,971 devices.
Manufacturer          Count    % of devices found
HEATMISER             6487     48.13%
HONEYWELL             3588     26.63%
YORK                  921      6.83%
BACNET INTERNATIONAL  560      4.16%
TRANE                 506      3.76%
JOHNSON CONTROLS      460      3.41%
CARRIER               234      1.74%
TEMPERATURE GUARD     180      1.34%
LG ELECTRONICS        145      1.08%
LIEBERT               126      0.94%
CENTRALINE            81       0.60%
STULZ                 77       0.57%
CONTROL4              38       0.28%
BOSCH AUTOMATION      37       0.27%
LENNOX                24       0.18%
CUMMINGS              11       0.08%
Top 6 Serial->Ethernet Manufacturers
The devices found are estimated at 204,416, approx. 9.35% of the total 2,186,971 devices.
Manufacturer          Count    % of devices found
MOXA                  78309    38.31%
LANTRONIX             56239    27.51%
ALLIED TELESYS        34573    16.91%
DIGI INTERNATIONAL    30557    14.95%
ATOP SYSTEMS          3846     1.88%
MULTITECH SYSTEMS     892      0.44%
Example: MODBUS
Create a search entry and look for MODBUS devices. The search string would be:
http://www.shodanhq.com/search?q=modbus
Example: MODBUS
Returned HTTP header information from one of the sites searched by SHODAN; the detail information for that entry looks like this:
    HTTP/1.0 401 Unauthorized
    Date: Thu, 18 Sep 2008 16:06:08 GMT
    Server: Boa/0.93.15
    Connection: close
    WWW-Authenticate: Basic realm="ModbusGW"
    Content-Type: text/html
If searched on Google, this device is…
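The banner above carries the two fields a SHINE-style tally keys on (the Server header naming a shared embedded web server, and the Basic-auth realm naming the device role), and the "Data Artifacts" slide names the two pitfalls of counting such hits: firms renamed through acquisitions, and the same embedded software appearing under many manufacturers. The following is an added example, not code from Project SHINE or its authors. It parses captured HTTP banners, matches them against a small constructed search-term list with alias folding, tallies shared web-server signatures separately from manufacturers, and prints a count/percent table in the shape of the manufacturer tables above. The search terms, the alias table and all sample banners except the first (which is the one on this slide) are constructed for illustration.

```python
"""Classify captured HTTP banners into manufacturer buckets and tally them.

Added example, not Project SHINE's own code. Mirrors the deck's method (match
banner text against search terms, count hits per manufacturer, report each
bucket's share) and handles the 'Data Artifacts' pitfalls: renamed or
differently spelled firms fold into one bucket, and shared embedded web
servers are tallied apart from vendors. Terms and banners are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# (regex over the lower-cased banner, bucket). Aliases of one firm share a
# bucket; 'modbus' is a prefix match so realm names like 'ModbusGW' hit.
# Constructed list, not the project's 927 search terms.
SEARCH_TERMS: List[Tuple[str, str]] = [
    (r"\bmoxa\b", "MOXA"),
    (r"\blantronix\b", "LANTRONIX"),
    (r"\ballied[ -]telesys\b", "ALLIED-TELESYS"),
    (r"\ballied[ -]telesis\b", "ALLIED-TELESYS"),  # alternate spelling, same firm
    (r"\bheatmiser\b", "HEATMISER"),
    (r"\bniagara\b", "NIAGARA"),
    (r"\bmodbus", "MODBUS (protocol keyword, vendor unknown)"),
]

# Embedded web servers / RTOS shipped by many vendors. A hit says 'embedded
# device', not which manufacturer, so it is counted separately and matched
# against the Server header only.
SHARED_SOFTWARE: List[Tuple[str, str]] = [
    (r"\bboa/", "BOA-WEB"),  # e.g. 'Boa/0.93.15'
    (r"\bgoahead", "GOAHEAD-WEB"),
    (r"\bvxworks\b", "VXWORKS"),
    (r"\bembedthis", "EMBEDTHIS-WEB"),
]


def parse_http_banner(banner: str) -> Dict[str, str]:
    """Extract status line, Server header and Basic-auth realm from a banner.

    Header parsing stops at the first blank line so body text is never taken
    for a header. Missing fields come back as ''.
    """
    lines = banner.splitlines()
    fields = {"status": lines[0].strip() if lines else "", "server": "", "realm": ""}
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "server":
            fields["server"] = value
        elif name == "www-authenticate":
            m = re.search(r'realm="([^"]*)"', value, re.IGNORECASE)
            fields["realm"] = m.group(1) if m else ""
    return fields


def _first_match(terms: List[Tuple[str, str]], text: str) -> Optional[str]:
    for pattern, bucket in terms:
        if re.search(pattern, text):
            return bucket
    return None


def classify(banner: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (manufacturer_bucket, shared_software_bucket); None when no hit."""
    fields = parse_http_banner(banner)
    vendor = _first_match(SEARCH_TERMS, banner.lower())
    software = _first_match(SHARED_SOFTWARE, fields["server"].lower())
    return vendor, software


def tally(banners: List[str]) -> Dict[str, object]:
    """Count vendor buckets (with % of all vendor hits), shared software,
    and banners that matched nothing."""
    vendors: Counter = Counter()
    software: Counter = Counter()
    unmatched = 0
    for banner in banners:
        v, s = classify(banner)
        if v:
            vendors[v] += 1
        if s:
            software[s] += 1
        if v is None and s is None:
            unmatched += 1
    total = sum(vendors.values())
    table = {v: (n, round(100.0 * n / total, 2)) for v, n in vendors.most_common()}
    return {"vendors": table, "shared_software": dict(software), "unmatched": unmatched}


SAMPLE_BANNERS = [
    # The banner shown on the deck's 'Example: MODBUS' slide.
    'HTTP/1.0 401 Unauthorized\r\nDate: Thu, 18 Sep 2008 16:06:08 GMT\r\n'
    'Server: Boa/0.93.15\r\nConnection: close\r\n'
    'WWW-Authenticate: Basic realm="ModbusGW"\r\nContent-Type: text/html\r\n',
    # Constructed: two serial device servers behind a GoAhead web server.
    'HTTP/1.1 200 OK\r\nServer: GoAhead-Webs\r\n\r\n<title>MOXA device server</title>',
    'HTTP/1.1 200 OK\r\nServer: GoAhead-Webs\r\n\r\n<title>Moxa device server</title>',
    # Constructed: alternate spelling that must land in the ALLIED-TELESYS bucket.
    'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Allied Telesis router"\r\n',
    # Constructed: thermostat web UI on a shared Boa server.
    'HTTP/1.0 401 Unauthorized\r\nServer: Boa/0.94.14\r\n'
    'WWW-Authenticate: Basic realm="Heatmiser"\r\n',
    # Constructed: not infrastructure at all; must stay unmatched.
    'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<title>Boa constrictor fan club</title>',
]

if __name__ == "__main__":
    for bucket, (count, pct) in tally(SAMPLE_BANNERS)["vendors"].items():
        print(f"{bucket:45} {count:5d} {pct:6.2f}%")
```

Run over the six sample banners, MOXA takes 40% of vendor hits while Boa and GoAhead each appear twice without adding to any vendor count, and the "Boa constrictor" page is reported as unmatched because shared-software terms are scoped to the Server header rather than the whole page.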
Search Terms Found (Per Day)
[Chart: search terms found per day, 14-Apr-2012 to 31-Jan-2014 (654 days); y-axis 0 to 500]
Max Search Terms Found = 469 (out of 927)
Total Counts (Per Day)
[Chart: total device counts per day, 14-Apr-2012 to 31-Jan-2014 (654 days); y-axis 0 to 16000]
Max Total Count = 13498
Counts by Country
Project RUGGEDTRAX
Mission Objectives
• To provide substantiation that directly connecting an ICS device onto the Internet could have consequences;
• Obtain current ICS equipment through public sources (eBay), and deploy equipment as actual cyber assets controlling perceived critical infrastructure environments;
• Ascertain any pertinent threat/attack vectors, and magnitude of any attacks against perceived critical infrastructure environments;
• Record access attempts, analyze network packets for patterns; and,
• Report redacted public awareness to governments & media outlets.
Device Specifications
● Serial->Ethernet converter
● Two ports; supports both MODBUS/TCP and DNP3
● Device is Siemens RuggedCom RS910
● Firmware is v3.8.0
● Device connected directly to Internet (NO FIREWALL)
● Supports: TELNET, TFTP, RSH, SSH, SNMP, HTTP/HTTPS, MODBUS/TCP and DNP3
Device Configuration
● Disabled TELNET, TFTP, RSH, SNMP and MODBUS/TCP
● SSH and HTTP/HTTPS limited to ONE connection
● DNP3 cannot be disabled
● Device may be connected via network (SSH), web (HTTP/HTTPS), or serial (console)
Project RUGGEDTRAX
Statistical Results
• Devices acquired from eBay were not properly “cleaned”, but were “lobotomized”; they contained “residual data” from the previous owner:
– Configuration information
– IP address and pertinent networking information
– Contact information
• Device placed online 13-Oct-2014 (Monday) @ 1917 hrs CDT
• First attack begins 13-Oct-2014 @ 2104 hrs CDT (< 2 hrs after going online)
• Device appears on SHODAN 15-Oct-2014 (Wednesday) @ 1229 hrs CDT
• Project concluded 27-Dec-2014 @ 1021 hrs CDT
• Total count of access attempts: 140,430 (from 651 IPs)
• Top country counted: China @ 125,299 (or 89.23%) (from 269 IPs)
Flaws and Potential Errors
• Countries identified do not implicate any specific nationality;
• IP addresses are based on country assignment -- nothing else;
• IP addresses may be:
– Falsified
– Spoofed
– Proxied, or
– Black-holed
• Unknown whether a human or a “robot” is attacking the device, although it is highly probable that it is predominantly automated
Project RUGGEDTRAX
Top 4 Countries
[Pie chart]
• China 92.17% (60,318)
• France 4.65% (3044)
• Germany 1.74% (1136)
• United States 1.44% (945)
Countries found represent the Top 50 entries of access attempts, approx. 65,443 of 140,430 attempts, or approx. 46.60%; 47 entries, 1 entry per country.
Conclusion
● New legislation is needed to curb this behavior;
● Industry practices need to be modified;
● Diagnostic practices and configuration management schemes need to improve dramatically;
● Sites may technically be in compliance with regulations -- only because the asset owners may have no idea that they really are exposed; and,
● The community must get past this terrible practice of compliance-based security and focus instead on an attitude of safety, vigilance, and performance awareness.
Useful Information
• Project SHINE Findings Report [1 Oct 2014]:
– http://01m.us/l/ltjify8p2a1r
• Project RUGGEDTRAX Preliminary Report [21 Oct 2014]:
– http://01m.us/l/gltlhotyw69j
• Quantitatively Assessing and Visualising Industrial System Attack Surfaces, Eireann Leverett [Jun 2011]:
– http://01m.us/l/hsjlqz
• 10th SANS ICS Security Summit Presentation [24 Feb 2015]:
– http://01m.us/l/72ikss
Questions?
Bob Radvanovsky, (630) 673-7740
rsradvan@infracritical.com
Jake Brodsky, (443) 285-3514
jbrodsky@infracritical.com
