
Analysis of the situation and trend of industrial control system (ICS) networking

Posted by patinella at 2020-04-12

Key points

As an industrial control security enthusiast, the author is very concerned about the following issues:

Q1: How many industrial control devices are connected to the Internet?

Q2: What are their geographical distribution characteristics?

Q3: Has their number increased or decreased in recent years?

To answer these questions, this paper analyzes two years (December 2015 to November 2017) of Censys scan data for five industrial control protocols and finds the following trends:

1. The number of industrial control devices connected to the Internet keeps increasing overall, but the protocols differ: S7 and Modbus keep increasing, BACnet and Fox remain unchanged, and DNP3 decreases slightly.

2. The regional distribution of Internet-connected industrial control devices correlates strongly with the degree of industrial development, and its change over time correlates strongly with global industrial migration: the proportion in Asia has increased significantly, the proportion in North America has declined, and other regions have remained stable.

3. The number of networked industrial control devices in China is considerable, continues to increase, and accounts for a gradually growing proportion.

4. Modbus, S7 and DNP3 devices have a higher proportion of temporary Internet connections, while BACnet and Fox devices have a higher proportion of continuous Internet connections.

Note: an academic paper has been published on these results. Please refer to the original paper and the conference presentation for details:

1. Xu, W., Tao, Y., Guan, X.: The Landscape of Industrial Control Systems (ICS) Devices on the Internet. In: 2018 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA), pp. 1-8. IEEE, (2018)

The Landscape of Industrial Control Systems (ICS) Devices on the Internet: https://www.c-mric.com/wp-content/uploads/2018/06/Wei_CyberSA2018.pdf

Note 2: in this paper, "ICS" and "industrial control" are used interchangeably with essentially the same meaning; likewise "networked", "connected to the Internet" and "exposed to the Internet" are used interchangeably with essentially the same meaning.

1. Introduction

Industrial control systems (ICS) control much critical infrastructure, from power plants and factory floors to smart cities and intelligent buildings, and play an important role in the national economy and people's daily lives. With the development of information and communication technology and waves of industrial upgrading such as the "Industrial Internet", "Industry 4.0" and "Made in China 2025", more and more industrial control systems are being connected to the Internet. However, ICS protocols were originally designed for closed systems and have no built-in security mechanisms. If industrial control equipment is connected directly to the Internet, it may be attacked over the network. Once a system is attacked, it may not only cause serious economic loss but also affect human life and health, or the environment. There have been many such security incidents. In 2010, the Stuxnet worm attacked Iran's nuclear power plant, damaging more than 1000 centrifuges. At the end of 2015, hackers attacked the Ukrainian power grid, causing widespread blackouts that affected about 1.4 million people. The outbreak of the WannaCry ransomware in 2017 also infected the production networks of many industrial enterprises, with serious consequences.

However, researchers have found that many ICS devices are still directly exposed to the Internet. How many ICS devices are connected to the Internet, where are they distributed, what are their characteristics, and how is their number trending? This study was carried out to answer these questions.

Internet-wide scanning is an effective means of understanding ICS exposure, and many scanning tools and platforms have emerged. The main platforms abroad are Censys and Shodan. Censys is a scanning platform developed by the University of Michigan in the United States; its scanner source code, scan results and historical data could be downloaded publicly and free of charge (it changed to commercial operation after 2018). Shodan is a commercial scanning platform dedicated to Internet of Things scanning, including ICS protocols. In China, the main ICS scanners are Ditecting (谛听) of Northeastern University and ZoomEye (钟馗之眼).

These scanning platforms collect information about industrial control devices on the Internet, but we cannot obtain the historical data of Ditecting or ZoomEye. To study how the number of industrial control devices on the Internet changes over time, we chose to analyze the historical data of Censys.

In its earlier papers, Censys made a preliminary analysis of the number of industrial control devices connected to the Internet worldwide, found that many ICS devices were connected, and gave a simple analysis of the distribution across its five protocols. However, because the scanning period was short and little data had accumulated at that time, that analysis of how the number of networked devices changes over time was not representative.

Based on the analysis of dozens of datasets published by Censys over the past two years, this paper studies the number, distribution, characteristics and trends of networked devices of five protocols: Modbus, Siemens S7, DNP3, BACnet and Tridium Fox. We found that a large number of ICS devices are still exposed to the Internet, distributed across more than 100 countries, and that the number of networked devices has increased over the last two years. By protocol, over the past two years the number of Modbus and Siemens S7 devices has continued to grow rapidly, the number of DNP3 devices has declined, and the number of BACnet and Tridium Fox devices has remained basically unchanged. We also made a preliminary analysis of the geographical distribution of these devices and found that the regional distribution of Internet-connected industrial control devices correlates strongly with the degree of industrial development, and that its change correlates strongly with global industrial migration: the proportion in Asia has increased significantly, the proportion in North America has declined, and other regions remain stable. The number of networked industrial control devices in China is considerable, continues to increase, and accounts for a gradually growing proportion. Finally, we analyze ICS honeypots and the long- and short-term Internet connection characteristics of devices of the different protocols.

2. Background

2.1 Introduction to the five industrial control protocols scanned by Censys

Censys scans devices of five mainstream ICS protocols: Modbus, Siemens S7, DNP3, BACnet and Tridium Fox.

Below, we briefly introduce Censys and these five ICS protocols.

Modbus protocol (TCP 502). Modbus is a serial communication protocol designed by Modicon (the predecessor of Schneider) for PLCs in the late 1970s. Modbus has become a general-purpose industrial control protocol because it is simple, robust, open and requires no special licence. To suit Ethernet environments, Modbus is encapsulated in TCP packets and transmitted by default on TCP port 502.

S7 protocol. The S7 communication protocol, or STEP 7 communication protocol, is a proprietary protocol of Siemens used for communication with Siemens S7 series PLCs. It is mainly used in production and manufacturing. S7 is command-based: its packets are divided into commands and responses. The S7 protocol uses no authentication or encryption, so it is exposed to spoofing, forgery, session hijacking and denial-of-service attacks.

DNP3 protocol (TCP 20000). The Distributed Network Protocol (DNP3) is the main control system protocol used by electric power and water utilities in North America; it is also used in other fields, but less commonly. DNP3 is mainly used for communication between data acquisition systems and remote equipment, for example between the control center of a SCADA system and remote substations in a power system. DNP3 usually adopts a master/slave configuration: the control center is the SCADA master station, while the substation is equipped with remote terminal units (RTU). DNP3 is designed as a reliable protocol set that can be carried over many media with little impact on system stability. DNP3 usually communicates on TCP port 20000.

BACnet protocol (UDP 47808). BACnet is one of the most widely used protocols in building automation systems. It is a standard established and maintained by ASHRAE; the standard number is 135.1. BACnet defines the communication services between building devices and allows different manufacturers to extend the protocol. Its application is not limited to air-conditioning systems: BACnet is also used in the generator sets, elevators, lighting control, fire protection, alarm and access control systems of building automation. The protocol contains security features, but researchers have found that manufacturers do not implement them.

Niagara Tridium Fox (TCP 1911). The Tridium Fox protocol is a tunnel protocol designed by the Niagara company for communication with remote SCADA systems. It is mainly used in building automation and generally communicates on TCP port 1911. The protocol does not communicate directly with industrial components; lower-level protocols such as BACnet handle communication between management workstations and devices. The protocol has built-in authentication and basic security features.

2.2 Introduction to the Censys data

Censys first uses ZMap to scan Internet ports, then uses ZGrab to identify the application protocol on the hosts found with a specific port open, uses ZTag to parse and label the results, and finally stores the scan results in ZDB, an unstructured database it developed itself. As an open-source system, Censys lets users search through its search engine page, query automatically through a REST API, and download the raw data for in-depth analysis. Censys supports scanning of 16 protocols, including the 5 industrial control protocols Modbus, S7, DNP3, BACnet and Fox. Censys scans the industrial control protocols once a week; most of them have been scanned since the second half of 2015, for nearly two years and nearly 100 scans. These data could be downloaded free of charge. We downloaded the raw data of the industrial control protocol scans from Censys up to the end of 2017 as the analysis dataset.

The downloaded data consists of several parts: the ZMap result, the ZGrab result, the ZTag record, logs, etc. The ZMap result and the ZGrab result are the main parts. The structure of a ZGrab result record is shown in the figure below: it includes the fields ip, timestamp, data, error and error_component. The data field contains a structure named after the ICS protocol, whose device information fields include vendor name, model name, location, etc. We imported these records into a MongoDB database, used the GeoLite2 database to determine the geographic location of each IP address, and finally used pandas for the specific data analysis.
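As an added illustration (not code from the paper or from Censys), the following Python shows how records in the ZGrab layout just described can be reduced to per-scan handshake counts, the monthly averages used in the next section, vendor shares, and the growth figures (total growth and CAGR) reported per protocol later on. The JSON lines are constructed; the timestamp format and the ("mei_response", "vendor") key path are assumptions about the record layout.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample in the ZGrab result layout: ip, timestamp, data.<protocol>{...},
# and error / error_component on failed connections. Three Modbus scans (two in
# December 2015, one in January 2016) plus one S7 record to show protocol filtering.
SAMPLE_RECORDS = """
{"ip":"198.51.100.10","timestamp":"2015-12-02T03:00:00Z","data":{"modbus":{"mei_response":{"vendor":"Schneider Electric"}}}}
{"ip":"198.51.100.11","timestamp":"2015-12-02T03:00:01Z","data":{"modbus":{"mei_response":{"vendor":"Solare Datensysteme GmbH"}}}}
{"ip":"198.51.100.12","timestamp":"2015-12-02T03:00:02Z","error":"connection timed out","error_component":"connect"}
{"ip":"198.51.100.13","timestamp":"2015-12-02T03:00:03Z","data":{"modbus":{}}}
{"ip":"198.51.100.10","timestamp":"2015-12-09T03:00:00Z","data":{"modbus":{"mei_response":{"vendor":"Schneider Electric"}}}}
{"ip":"198.51.100.14","timestamp":"2015-12-09T03:00:01Z","data":{"modbus":{}}}
{"ip":"198.51.100.15","timestamp":"2015-12-09T03:00:02Z","error":"connection reset by peer","error_component":"read"}
{"ip":"198.51.100.16","timestamp":"2015-12-09T03:00:03Z","data":{"modbus":{"mei_response":{"vendor":"Schneider Electric"}}}}
{"ip":"203.0.113.5","timestamp":"2015-12-09T03:00:04Z","data":{"modbus":{"mei_response":{"vendor":"Telemecanique"}}}}
{"ip":"198.51.100.10","timestamp":"2016-01-06T03:00:00Z","data":{"modbus":{"mei_response":{"vendor":"Schneider Electric"}}}}
{"ip":"198.51.100.16","timestamp":"2016-01-06T03:00:01Z","data":{"modbus":{"mei_response":{"vendor":"Schneider Electric"}}}}
{"ip":"203.0.113.5","timestamp":"2016-01-06T03:00:02Z","data":{"modbus":{"mei_response":{"vendor":"Telemecanique"}}}}
{"ip":"203.0.113.6","timestamp":"2016-01-06T03:00:03Z","data":{"modbus":{}}}
{"ip":"203.0.113.7","timestamp":"2016-01-06T03:00:04Z","data":{"modbus":{"mei_response":{"vendor":"Solare Datensysteme GmbH"}}}}
{"ip":"203.0.113.8","timestamp":"2016-01-06T03:00:05Z","data":{"s7":{"system":"CPU 315-2 PN/DP"}}}
"""


def parse_records(jsonl_text):
    """Parse JSON-lines text into record dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def is_successful_handshake(rec, protocol):
    """A record is a successful handshake when ZGrab reported no error and the
    data field carries the protocol's own sub-structure (even an empty one)."""
    return "error" not in rec and protocol in rec.get("data", {})


def successful_records(records, protocol):
    return [r for r in records if is_successful_handshake(r, protocol)]


def scan_day(rec):
    # Assumed timestamp format; each calendar day is treated as one scan.
    return datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ").date()


def monthly_average_counts(records, protocol):
    """Count successful handshakes per scan day, then average the scans of each
    month, mirroring the page's monthly-average smoothing of noisy weekly scans."""
    per_scan = Counter(scan_day(r) for r in successful_records(records, protocol))
    by_month = defaultdict(list)
    for day, n in per_scan.items():
        by_month[day.strftime("%Y-%m")].append(n)
    return {month: mean(ns) for month, ns in sorted(by_month.items())}


def vendor_shares(records, protocol, vendor_path):
    """Share of each vendor among successful records that carry vendor information.
    vendor_path is the key path inside data.<protocol>, e.g. ("mei_response", "vendor")."""
    vendors = Counter()
    for rec in successful_records(records, protocol):
        node = rec["data"][protocol]
        for key in vendor_path:
            node = node.get(key) if isinstance(node, dict) else None
        if node:
            vendors[node] += 1
    total = sum(vendors.values())
    if not total:
        return {}
    return {vendor: n / total for vendor, n in vendors.items()}


def growth(first, last, years):
    """Total growth and compound annual growth rate (CAGR) between two averages."""
    ratio = last / first
    return ratio - 1, ratio ** (1 / years) - 1


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(monthly_average_counts(recs, "modbus"))
    print(vendor_shares(recs, "modbus", ("mei_response", "vendor")))
    # The page's Modbus figures: +17.17% over two years gives an 8.25% CAGR.
    print(growth(100.0, 117.17, 2))
```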

3. General situation

As shown in the table above, Censys scanned each protocol about 100 times at a frequency of once a week, consistent with the related papers. The scan dates differ between protocols, and the results fluctuate greatly under the influence of the network environment. We first performed the necessary data cleaning, extracted all records of successful handshakes, and removed individual abnormal data points before further analysis. Because the protocols were scanned at different times, they are hard to summarize together, so we averaged the multiple scan results within each month from December 2015 to November 2017 and analyzed the trend of each protocol's device count on that basis.

As can be seen from the figure, the number of ICS devices exposed to the Internet shows a steady upward trend. We found that over the past two years the total increased from 61736 to 67942, an increase of 11.48%.

We used MaxMind's GeoIP2 database to locate each IP address and then analyzed all records of each protocol to determine the number of networked industrial control devices in each region. By region, North America has the highest proportion, about half of the world total; its total has changed little over the two years, but because the global total has grown, its proportion shows a slow downward trend. Europe's proportion is as high as one third, and both its total and its proportion have risen slowly over the two years. Asia's proportion is about 10%, but both its total and its proportion have risen rapidly. The proportions of the other regions are small and have not changed much.

4. Protocols

4.1 Modbus Protocol

In the data analyzed here, there are 417.24M raw Modbus records, of which 245.71k are successful Modbus protocol handshakes.

By continent, Modbus devices are mainly distributed in Europe (49.62%), followed by North America (24.55%) and Asia (20.03%). By country, they are mainly in the United States (19.58%), France (6.71%), China (6.52%), Spain (6.46%) and Turkey (6.13%).

Among these records, 508242 contain the mei_response field and 493515 contain device information, 20.08% of all successful handshakes. We can classify the devices by manufacturer name. The top five device vendors are Schneider Electric (43.35%), Solare Datensysteme GmbH (14.84%), Telemecanique (12.91%), ABB Stotz-Kontakt (2.74%) and SE Elektronic (2.43%). We find that the Modbus devices exposed to the Internet are mainly general-purpose programmable logic controllers whose application fields cannot be determined. However, Solare Datensysteme GmbH is a device supplier in the field of solar power generation, so a considerable part of the exposed Modbus devices are used for solar power generation.

Data analysis shows that the number of Modbus devices increased by 17.17% over the past two years, an annual growth rate of 8.25%. The figure below also shows that, despite small fluctuations, the number of exposed devices follows a steady growth trend.

4.2 S7 protocol

In these scans we found 364286 successful protocol interactions among 295M records.

By continent, S7 devices are mainly distributed in Europe (70.23%), followed by Asia (14.89%) and North America (11.26%). By country and region, S7 devices are distributed across 116 countries and regions; the leading ones are Germany (12.95%), Italy (10.44%), the United States (9.77%), Poland (7.06%), Spain (6.50%) and China (5.3%).

Of these, 284863 (78.20%) returned module_id feedback and 153213 (42.06%) returned device manufacturer information, most of which were Siemens devices (88.18%), with a small number of Insevis devices (2.30%) and IBHsoftec devices (0.20%).

The number of S7 devices doubled from the end of 2015 to the end of 2017, an annual growth rate of 44.23%. As can be seen from Figure 2, the number of devices increased significantly from January to April 2016. In a published paper, researchers compared the scan results of Censys and Shodan during 2016 and studied their respective scanning methods, finding Shodan's method to be better; Censys may have improved its scanner and its scanning accuracy in response. Even excluding this surge, the number of exposed S7 devices is still increasing steadily. By continent, Asia's growth rate is again higher than average.

4.3 DNP3 protocol

For the DNP3 protocol, there are 403M DNP3 interaction records in 95 scans, and 9.60k DNP3 devices were successfully identified.

We found these devices distributed in 50 countries and regions, with the United States accounting for 62.53% and no other country exceeding 5%. By continent, DNP3 devices are mainly in North America (68.89%), with a few in Europe (16.31%).

DNP3 is the only one of the five protocols whose number of exposed devices has decreased: over the past two years it fell by 16.23%, an annual growth rate of -8.47%. Figure 3 also shows that the number of DNP3 devices fluctuates downward. The annual growth rate in North America is -6.87%, while in Europe it is 35.05%; since the devices are mainly located in North America, the global number trends downward.

4.4 BACnet protocol

We extracted 108.27 BACnet device records from 1.6M BACnet records. These devices are mainly located in North America, about 80% of the world total, including 60.30% in the United States and 18.33% in Canada, with few in other countries and regions.

Almost all devices contain vendor information. The top five vendors are Reliable Controls Corporation (18.35%), Tridium (16.14%), Delta Controls (12.87%), JCI (9.14%) and Automated Logic Corporation (8.71%).

It is very difficult to determine the owner of a device from this information. By analyzing the plant_id field, we found 2410 devices clearly marked as a power corporation (electric power company), 437 devices marked as NedTrain (Dutch railways) and 155 devices marked as Aludec (a well-known auto parts supplier). BACnet devices therefore also appear in the intelligent buildings of electric power, rail transit and manufacturing enterprises.

The location field of BACnet data records the specific location of the device. This information is optional when the device is installed, but some entries, such as "reunion tower parking garage, 827 South Main St, Memphis, TN 38105", are very detailed and specific addresses.

The number of BACnet devices has remained almost unchanged over the past two years, with a total increase of 0.87% and fluctuations within 1%, which is almost negligible. Regionally, the number of BACnet devices increased slightly in Europe.

4.5 Fox protocol

The Censys data contains 385.10M records from 95 scans of the Fox protocol, of which 3452.41k are successfully completed protocol interactions.

Fox devices are mainly located in North America (77.54%) and Europe (17.35%). Although Fox devices are distributed across 101 countries, the United States (70.99%) and Canada (6.08%) account for the majority.

Extracting the os_name information of these devices, we found that the QNX system accounts for the vast majority, 84.94%. Extracting the brand_id information, we found that vykon and facexp account for the highest proportions, 23.44% and 15.90% respectively.

The number of Fox devices is very large, but it has remained almost the same over the past two years, with an increase of only 0.68%, almost negligible.

4.6 Summary of changes of the protocols over time

Through more than 100 scans we can sketch the trend in devices exposed to the Internet by each protocol over the past two years. We used the average number of exposed devices in December 2015 (when most protocols began to be scanned) and in November 2017 as the baseline, calculated each protocol's growth over the two years, and calculated each protocol's CAGR. We also calculated the CAGR of the major continents based on the geographic information obtained from MaxMind. From these data we can judge how the number of devices exposed to the Internet has changed.

5. Regional conditions

Above, while analyzing the number of networked devices per protocol, we have already mentioned their distribution and changes by region. This chapter focuses on the changes of networked devices in different regions in terms of total numbers, again analyzed using monthly averages.

As can be seen from the following two figures, although the number of networked industrial control devices in North America fluctuates, it has remained around 36000 over the two years, with little change. However, as mentioned above, the global number of networked industrial control devices increased by 11.48% over the two years, so North America's share of the global total has continued to decline, from a peak of 59% to 53%.

As can be seen from the figure, the number of networked industrial control devices in Europe continues to increase, from about 18000 to about 22000 over the two years, and its share of the global total continues to rise, from 30% to 32%.

Asia's share of the total is relatively small, but it has kept increasing over the past two years, from about 5000 to about 7000 devices, and its share of the global total has risen from 8% to 10.5%, the highest growth rate.

All of the above are results of data analysis; we cannot yet clearly analyze the causes of these trends. However, they are consistent with the deindustrialization of the United States and the economic rise of Asia, and the proportions of networked industrial control devices are also related to the trend of global industrial migration in recent years.

6. China

For a long time, foreign analysis reports have held that "the number of industrial control devices connected to the Internet in China is relatively small and has not increased noticeably in recent years", which is inconsistent with China's rapid economic development in recent years. In fact, there are some misunderstandings, and we try to restore the true picture through data.

There are several reasons for the misunderstanding:

1. The IP geolocation systems used by foreign analysis institutions generally divide China into mainland China, Hong Kong, Macao and Taiwan, so they mistakenly rank China lower.

2. Some protocols that foreign research institutions focus on are specific to the United States, while those specific to China receive less attention. For example, DNP3 is a North American power grid protocol, and BACnet is also an intelligent building protocol widely used in North America.

In our data analysis we corrected these errors by consolidating the data of IP addresses identified as mainland China, Hong Kong, Macao and Taiwan. The analysis found that, apart from some region-specific protocols, the number of networked devices in China is considerable and ranks relatively high. For example, China accounts for 6.52% of global Modbus exposure, ranking third behind only the United States and France; for S7, China also ranks sixth. Over the two years, the number of industrial control devices connected to the Internet in China increased steadily from about 1700 to about 2400, and its proportion of the global total rose gradually from 2.6% to 3.6%. Considering the high share of domestically produced industrial control equipment in China and the large proportion of proprietary protocols, the real number should be far greater, but the trend of a steadily increasing proportion should be a true reflection of the current situation.

7. Other findings

7.1 ICS honeypots

A honeypot is a security resource whose value lies in being probed, attacked or compromised. By recording and analyzing its network traffic, a honeypot monitors, detects and analyzes these attacks. Security researchers often deploy honeypots to study and predict attack behavior. In the field of ICS security, honeypot research is also a frequently used method, and there are many ICS honeypot systems. Conpot is one of them: a widely used, open-source, low-interaction ICS honeypot.

During the analysis of the S7 data, we found that the second most common value of the data.s7.system field is "Technodrome", which is the default value of the system field in the Conpot honeypot. We also found that the top three values of the data.s7.serial_number field are 88111222, 6ES7 216-2ad23-0xb0 and 16111663; 88111222 and 16111663 are the default serial numbers of different Conpot versions. These honeypot fields are configurable, so this indicates that some honeypot owners use the default configuration file.

Using this default configuration information, we found 14060 Conpot honeypot records among the 364.29k S7 records, 3.86% of the total, so the number of deployed Conpot honeypots is considerable. The country with the most honeypots is Tunisia, with 33.39%, followed by the United States with 13.44%; this distribution correlates to some extent with where cloud servers are deployed.

Honeypots of a single system left in their default configuration account for as much as 3.68% of the S7 device count. There may be more Conpot instances that are not in the default configuration, and many honeypots of other systems. From this we can infer that there are a large number of ICS honeypots on the Internet.

7.2 Analysis and findings on the IP addresses of networked ICS

We analyzed the IP addresses of the exposed devices over the past two years, counting how often each IP address recurred across multiple scans. We found that the average recurrence was lowest for Modbus and S7, the protocols of the industrial production field, intermediate for DNP3, and highest for BACnet and Fox.

As shown in the following table, 416.94k IP addresses appeared for the Modbus protocol and 65k for S7, while 3.92k, 40.04k and 110.58k IP addresses appeared for DNP3, BACnet and Fox respectively, all far more than the number of records in a single scan. This shows that some ICS devices are only temporarily connected.

We calculated the average number of occurrences of each protocol's IP addresses: Modbus and S7 have the lowest averages, 5.89 and 5.60 respectively, DNP3 lies in between, and BACnet and Fox have the highest, 27.04 and 31.22 respectively.

To study the proportion of ICS devices temporarily connected to the Internet, we extracted all IP addresses that ever appeared, counted how many times each appeared, and analyzed the results. In every protocol, addresses that appeared only once make up the largest share, but with significant differences: Modbus and S7 at 76.90% and 75.61% respectively, DNP3 at 65.02%, and Fox and BACnet lowest at 41.37% and 35.85% respectively.

There are two main reasons why the IP addresses of exposed devices change. One is IP drift caused by automatic address assignment via DHCP. The other is that some industrial control devices are not always connected to the Internet but are connected temporarily, for instance for remote maintenance or upgrades by the device supplier.

To study how many devices are continuously exposed, we took the first scan of December 2015 as the baseline and tracked what proportion of its IP addresses appear in the preceding and subsequent scans.

As shown in the figure, the IP recurrence rate of S7 and Modbus drops rapidly at first and then slowly, falling to 23.76% and 37.03% respectively after two years; the recurrence rate of DNP3 declines at a constant pace, falling to 26.44% after two years; the recurrence rate of BACnet and Fox declines most slowly and remains around half after two years, 45.51% and 51.56% respectively. In addition, the Modbus scan results before December 1, 2015 form a symmetrical curve, showing that the decline of the IP recurrence rate is continuous.

From the above data we can infer that the proportion of Modbus, S7 and DNP3 devices continuously connected to the Internet is low while the proportion temporarily connected is high; BACnet and Fox are the opposite: most devices remain connected and only a few connect temporarily.
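As an added example (not code from the paper), the following Python computes the metrics used in this section from a constructed series of weekly scans: how many scans each IP address appears in, the average number of occurrences, the share of addresses seen only once, and the persistence of a baseline scan's addresses in the scans before and after it. The scan dates and the letter labels standing in for addresses are constructed.

```python
from collections import Counter
from datetime import date

# Constructed example: the set of responding addresses in each weekly scan of one
# protocol (letters stand in for IP addresses). In practice each set would be the
# addresses of that scan's successful-handshake records.
SCANS = [
    (date(2015, 11, 24), {"A", "C", "D", "M"}),
    (date(2015, 12, 1), {"A", "B", "C", "D"}),  # baseline scan, as on the page
    (date(2015, 12, 8), {"A", "B", "C", "E"}),
    (date(2015, 12, 15), {"A", "B", "F", "G"}),
    (date(2015, 12, 22), {"A", "H"}),
    (date(2015, 12, 29), {"A", "B", "I", "J"}),
    (date(2016, 1, 5), {"A", "K", "L"}),
]


def ip_occurrences(scans):
    """Number of scans in which each address responded."""
    counts = Counter()
    for _, ips in scans:
        counts.update(ips)
    return counts


def repetition_summary(scans):
    """Distinct addresses versus the largest single scan, the average number of
    occurrences per address, and the share of addresses seen in only one scan.
    A distinct count far above any single scan, with most addresses seen once,
    points to temporary exposure (the page's Modbus/S7/DNP3 pattern)."""
    counts = ip_occurrences(scans)
    distinct = len(counts)
    return {
        "distinct_ips": distinct,
        "largest_single_scan": max(len(ips) for _, ips in scans),
        "average_occurrences": sum(counts.values()) / distinct,
        "share_seen_once": sum(1 for n in counts.values() if n == 1) / distinct,
    }


def baseline_persistence(scans, baseline_index):
    """For every scan, the fraction of the baseline scan's addresses that also
    responded in that scan; scans before the baseline give the 'preceding' side
    of the curve, scans after it the 'subsequent' side."""
    baseline = scans[baseline_index][1]
    return [(day, len(ips & baseline) / len(baseline)) for day, ips in scans]


if __name__ == "__main__":
    print(repetition_summary(SCANS))
    for day, fraction in baseline_persistence(SCANS, 1):
        print(day, f"{fraction:.2%}")
```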

Conclusion

Based on the analysis of Censys's historical scan data, this paper explores the distribution of networked industrial control devices and the trend of their number over time, making only a preliminary exploration in many respects. We find that the global number of networked industrial control devices keeps increasing year by year and that the protocols differ in their characteristics. We also find that networked industrial control devices are mainly distributed in North America, Europe and Asia: North America has the highest proportion, but its total has remained unchanged in recent years and its proportion is gradually decreasing; Europe's number and proportion are increasing steadily; Asia's base is relatively low, but its number and proportion are growing rapidly. China has a large number of networked industrial control devices, and both the number and the proportion have grown rapidly in recent years. We also analyzed the IP addresses of the networked devices and explored their characteristics: Modbus, S7 and DNP3 devices have a high proportion of temporary Internet connections, while BACnet and Fox devices have a high proportion of continuous connections.