Drawing the Picture of Industrial Control Systems Security Status in the Internet Age
Total Page:16
File Type:pdf, Size:1020Kb
From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age Yixiong Wu1, Jianwei Zhuge1;2, Tingting Yin1, Tianyi Li3, Junmin Zhu4, Guannan Guo5, Yue Liu6 and Jianju Hu7 1Institute of Network Science and Cyberspace, Tsinghua University, Beijing, China 2Beijing National Research Center for Information Science and Technology, Beijing, China 3Peking University, Beijing, China 4Shanghai Jiao Tong University, Shanghai, China 5School of Computer Science and Technology, University of Science and Technology of China, Hefei, China 6Qi An Xin Technology Research Institute, Beijing, China 7Siemens Ltd., China Keywords: Internet-facing ICS Devices, Passive Vulnerability Assessment, Device Search Engine. Abstract: The number of Internet-facing industrial control system(ICS) devices has risen rapidly due to remote control demand. Going beyond benefits in maintenance, this also exposes the fragile ICS devices to cyber-attackers. To characterize the security status of Internet-facing ICS devices, we analyze the exposed ICS devices and their vulnerabilities. Considering the ethic, we design and implement ICScope, a passive vulnerability assessment system based on device search engines. Firstly, ICScope extracts the ICS device information from the ban- ners returned by multiple search engines. Then, ICScope filters out the possible ICS honeypots to guarantee accuracy. Finally, ICScope associates ICS vulnerabilities with each ICS device. Over the past year, our mea- surements cover more than 466,000 IPs. We first perform a comprehensive measurement of Internet-facing ICS devices from Dec 2019 to Jan 2020. We find that there are about 49.58% of Internet-facing ICS devices that can be identified are affected by one or more vulnerabilities. We also conduct three times experiments from Jun 2020 to Dec 2020 to monitor the security status of Internet-facing ICS devices. We observe a slowly decreasing trend in the number of vulnerable ICS devices during our experiment period. 1 INTRODUCTION the convenience of data collection and remote mainte- nance. However, it also makes the fragile ICS devices With the rapid growth and deep integration of In- exposed to the cyber-attacks. In 2017, Triton attacked formation Technology and Operational Technology, a petrochemical plant in the Middle East, resulting in more and more industrial control system (ICS) de- an emergency shutdown of a critical industrial con- vices with computing and communication capabili- trol system (Di Pinto et al., 2018). In 2019, the Triton ties are introduced to smart factories, buildings, and was relaunched. Cyber-attacks like these towards ICS cities. The proprietary protocols used in these devices have existed for a long time and have already caused are originally designed to communicate between de- substantial damage. vices in isolated operation LANs. As a result, secu- To mitigate this type of threat, both the research rity protections for ICS communication are usually community and the industry take proactive actions. missing. Besides, for economic considerations, ICS ICS-CERT1 provides annual assessment reports for devices are rarely updated or upgraded. Administra- public ICS vulnerabilities. Kaspersky 2 further ana- tors usually avoid upgrades to reduce the possibility lyzes these reports and summarizes the vulnerability of system crashes. Thus, the life cycle of ICS vul- characteristics. However, both of them did not an- nerabilities is much longer than other kinds of vulner- 1 abilities. However, more and more ICS devices are https://us-cert.cisa.gov/ics 2Industrial Control Systems Vulnerabilities Statistics, exposed to the Internet nowadays. This is usually for Reported by Kaspersky in 2019 237 Wu, Y., Zhuge, J., Yin, T., Li, T., Zhu, J., Guo, G., Liu, Y. and Hu, J. From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age. DOI: 10.5220/0010327902370248 In Proceedings of the 7th International Conference on Information Systems Security and Privacy (ICISSP 2021), pages 237-248 ISBN: 978-989-758-491-6 Copyright c 2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy alyze the distribution of vulnerabilities in the actual module, and vulnerability association module. For network. Existing works also focus on the discov- the first challenge, the data enrichment module inte- ery of online ICS devices. Both Mirian et al. (Mirian grates the device information extracted from multiple et al., 2016) and Feng et al. (Feng et al., 2016) have search engines to enrich the incomplete device infor- proposed their device discovery approaches to give an mation. It also uses the fingerprint database. For the Internet-Wide view of ICS devices. However, they second challenge, the honeypot detection module uti- focus more on the number of exposed devices rather lizes the non-interaction features to detect ICS honey- than vulnerable devices. Further works behind on- pots, such as ISP, ICS honeypot fingerprinting. It also line ICS devices’ detection are to perform a vulnera- detects ICS honeypots by comparing the results be- bility assessment for the Internet-facing ICS devices. tween multiple search engines. For the last challenge, Characterizing the vulnerable Internet-facing ICS de- the vulnerability association module builds vulnera- vices is highly desirable for the interests of securing bility trees to identify each ICS device’s vulnerabili- Internet-facing ICS devices. ties. To identify a device’s vulnerabilities, one instinc- We have implemented ICScope and performed a tive reaction is to perform a vulnerability assess- large-scale measurement of ICS devices’ security sta- ment using vulnerability scanners like Nessus (Ac- tus in the whole public address space. We collect tive Mode). However, such techniques cannot be ap- 270,283 Internet-facing ICS devices on four device plied to identify an ICS device’s vulnerability. Be- search engines from Dec 2019 to Jan 2020. Among cause sending many packets to ICS systems regards these ICS devices, ICScope has detected 21,578 ICS as an intrusive behavior. Therefore, we prefer the pas- honeypots (about 7.98%). Excluding these ICS hon- sive vulnerability assessment (Passive Mode), which eypots, we observe that 106,382 ICS devices can ex- is based on a search engine to identify a device’s vul- tract complete ICS device entries. And ICScope re- nerabilities without any interaction. Most previous gards 52,739 of them (about 49.58%) as vulnerable works on passive vulnerability assessment focus on ICS devices. We further analyze the vulnerable ICS common services, i.e., HTTP, IMAP. For example, devices and related vulnerabilities. We find that the ShoVAT (Genge and Enachescu,˘ 2016) focuses on vulnerable ICS devices are distributed in the vast ma- several common services, and Scout (O’Hare et al., jority of countries. Among the vulnerabilities, most 2019) only supports HTTP service. Because of the of them are in high or critical severity level and can inconsistent banner format between common services be remotely exploitable with little or no limitation. and ICS devices, their methods are not considered Over six months, our measurement shows a slowly feasible. There are also existing works focus on ICS decreasing trend in the number of vulnerable ICS de- services. Both Samtani et al. (Samtani et al., 2016) vices. We also use ICScope to measure the impact of and Leverett et al. (Leverett and Wightman, 2013) a 0day vulnerability. The result shows that the vulner- identify the vulnerabilities for online ICS devices. ability affects 3,999 ICS devices. However, the scope of their works is limited to spe- Contribution. Our contributions can be summarized cial ICS services. Moreover, both of them scan target as follows: ICS devices. In this paper, we aim to answer the fol- 1. We design and implement a passive vulnerability lowing question: assessment tool ICScope. ICScope can automat- ically obtain ICS devices’ information from mul- Q: What is the security status of Internet-facing ICS tiple device search engines and correlate the vul- devices in the whole public IP address space? nerabilities of each device. 2. By using ICScope, we perform the large-scale To answer this question, we propose a passive vul- measurement on the security status of all Internet- nerability assessment system based on device search facing ICS devices in the whole public IP address engines. For ethical consideration, our system IC- space and find that 49.58% of the Internet-facing Scope uses passive mode to avoid intrusive behaviors. ICS devices with complete device entries are vul- We face three main technical challenges to build IC- nerable. We also further characterizing the vul- Scope. 1) The information returned by device search nerable ICS devices. engines is often incomplete. 2) There are many ICS honeypots in the results of device search engines. 3) 3. We proposed a non-interaction ICS honeypot de- It is not easy to accurately find the vulnerabilities that tection approach to detect the ICS honeypots affect the ICS devices. without intrusive behaviors. This method has de- To address these challenges, we build ICScope tected 21,578 ICS honeypots (about 7.98%) on with data enrichment module, honeypot detection our datasets. 238 From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age Our results reveal the severe