From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age
Yixiong Wu1, Jianwei Zhuge1,2, Tingting Yin1, Tianyi Li3, Junmin Zhu4, Guannan Guo5, Yue Liu6 and Jianju Hu7 1Institute of Network Science and Cyberspace, Tsinghua University, Beijing, China 2Beijing National Research Center for Information Science and Technology, Beijing, China 3Peking University, Beijing, China 4Shanghai Jiao Tong University, Shanghai, China 5School of Computer Science and Technology, University of Science and Technology of China, Hefei, China 6Qi An Xin Technology Research Institute, Beijing, China 7Siemens Ltd., China
Keywords: Internet-facing ICS Devices, Passive Vulnerability Assessment, Device Search Engine.
Abstract: The number of Internet-facing industrial control system(ICS) devices has risen rapidly due to remote control demand. Going beyond benefits in maintenance, this also exposes the fragile ICS devices to cyber-attackers. To characterize the security status of Internet-facing ICS devices, we analyze the exposed ICS devices and their vulnerabilities. Considering the ethic, we design and implement ICScope, a passive vulnerability assessment system based on device search engines. Firstly, ICScope extracts the ICS device information from the ban- ners returned by multiple search engines. Then, ICScope filters out the possible ICS honeypots to guarantee accuracy. Finally, ICScope associates ICS vulnerabilities with each ICS device. Over the past year, our mea- surements cover more than 466,000 IPs. We first perform a comprehensive measurement of Internet-facing ICS devices from Dec 2019 to Jan 2020. We find that there are about 49.58% of Internet-facing ICS devices that can be identified are affected by one or more vulnerabilities. We also conduct three times experiments from Jun 2020 to Dec 2020 to monitor the security status of Internet-facing ICS devices. We observe a slowly decreasing trend in the number of vulnerable ICS devices during our experiment period.
1 INTRODUCTION the convenience of data collection and remote mainte- nance. However, it also makes the fragile ICS devices With the rapid growth and deep integration of In- exposed to the cyber-attacks. In 2017, Triton attacked formation Technology and Operational Technology, a petrochemical plant in the Middle East, resulting in more and more industrial control system (ICS) de- an emergency shutdown of a critical industrial con- vices with computing and communication capabili- trol system (Di Pinto et al., 2018). In 2019, the Triton ties are introduced to smart factories, buildings, and was relaunched. Cyber-attacks like these towards ICS cities. The proprietary protocols used in these devices have existed for a long time and have already caused are originally designed to communicate between de- substantial damage. vices in isolated operation LANs. As a result, secu- To mitigate this type of threat, both the research rity protections for ICS communication are usually community and the industry take proactive actions. missing. Besides, for economic considerations, ICS ICS-CERT1 provides annual assessment reports for devices are rarely updated or upgraded. Administra- public ICS vulnerabilities. Kaspersky 2 further ana- tors usually avoid upgrades to reduce the possibility lyzes these reports and summarizes the vulnerability of system crashes. Thus, the life cycle of ICS vul- characteristics. However, both of them did not an- nerabilities is much longer than other kinds of vulner- 1 abilities. However, more and more ICS devices are https://us-cert.cisa.gov/ics 2Industrial Control Systems Vulnerabilities Statistics, exposed to the Internet nowadays. This is usually for Reported by Kaspersky in 2019
237
Wu, Y., Zhuge, J., Yin, T., Li, T., Zhu, J., Guo, G., Liu, Y. and Hu, J. From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age. DOI: 10.5220/0010327902370248 In Proceedings of the 7th International Conference on Information Systems Security and Privacy (ICISSP 2021), pages 237-248 ISBN: 978-989-758-491-6 Copyright c 2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy
alyze the distribution of vulnerabilities in the actual module, and vulnerability association module. For network. Existing works also focus on the discov- the first challenge, the data enrichment module inte- ery of online ICS devices. Both Mirian et al. (Mirian grates the device information extracted from multiple et al., 2016) and Feng et al. (Feng et al., 2016) have search engines to enrich the incomplete device infor- proposed their device discovery approaches to give an mation. It also uses the fingerprint database. For the Internet-Wide view of ICS devices. However, they second challenge, the honeypot detection module uti- focus more on the number of exposed devices rather lizes the non-interaction features to detect ICS honey- than vulnerable devices. Further works behind on- pots, such as ISP, ICS honeypot fingerprinting. It also line ICS devices’ detection are to perform a vulnera- detects ICS honeypots by comparing the results be- bility assessment for the Internet-facing ICS devices. tween multiple search engines. For the last challenge, Characterizing the vulnerable Internet-facing ICS de- the vulnerability association module builds vulnera- vices is highly desirable for the interests of securing bility trees to identify each ICS device’s vulnerabili- Internet-facing ICS devices. ties. To identify a device’s vulnerabilities, one instinc- We have implemented ICScope and performed a tive reaction is to perform a vulnerability assess- large-scale measurement of ICS devices’ security sta- ment using vulnerability scanners like Nessus (Ac- tus in the whole public address space. We collect tive Mode). However, such techniques cannot be ap- 270,283 Internet-facing ICS devices on four device plied to identify an ICS device’s vulnerability. Be- search engines from Dec 2019 to Jan 2020. Among cause sending many packets to ICS systems regards these ICS devices, ICScope has detected 21,578 ICS as an intrusive behavior. Therefore, we prefer the pas- honeypots (about 7.98%). Excluding these ICS hon- sive vulnerability assessment (Passive Mode), which eypots, we observe that 106,382 ICS devices can ex- is based on a search engine to identify a device’s vul- tract complete ICS device entries. And ICScope re- nerabilities without any interaction. Most previous gards 52,739 of them (about 49.58%) as vulnerable works on passive vulnerability assessment focus on ICS devices. We further analyze the vulnerable ICS common services, i.e., HTTP, IMAP. For example, devices and related vulnerabilities. We find that the ShoVAT (Genge and Enachescu,˘ 2016) focuses on vulnerable ICS devices are distributed in the vast ma- several common services, and Scout (O’Hare et al., jority of countries. Among the vulnerabilities, most 2019) only supports HTTP service. Because of the of them are in high or critical severity level and can inconsistent banner format between common services be remotely exploitable with little or no limitation. and ICS devices, their methods are not considered Over six months, our measurement shows a slowly feasible. There are also existing works focus on ICS decreasing trend in the number of vulnerable ICS de- services. Both Samtani et al. (Samtani et al., 2016) vices. We also use ICScope to measure the impact of and Leverett et al. (Leverett and Wightman, 2013) a 0day vulnerability. The result shows that the vulner- identify the vulnerabilities for online ICS devices. ability affects 3,999 ICS devices. However, the scope of their works is limited to spe- Contribution. Our contributions can be summarized cial ICS services. Moreover, both of them scan target as follows: ICS devices. In this paper, we aim to answer the fol- 1. We design and implement a passive vulnerability lowing question: assessment tool ICScope. ICScope can automat- ically obtain ICS devices’ information from mul- Q: What is the security status of Internet-facing ICS tiple device search engines and correlate the vul- devices in the whole public IP address space? nerabilities of each device. 2. By using ICScope, we perform the large-scale To answer this question, we propose a passive vul- measurement on the security status of all Internet- nerability assessment system based on device search facing ICS devices in the whole public IP address engines. For ethical consideration, our system IC- space and find that 49.58% of the Internet-facing Scope uses passive mode to avoid intrusive behaviors. ICS devices with complete device entries are vul- We face three main technical challenges to build IC- nerable. We also further characterizing the vul- Scope. 1) The information returned by device search nerable ICS devices. engines is often incomplete. 2) There are many ICS honeypots in the results of device search engines. 3) 3. We proposed a non-interaction ICS honeypot de- It is not easy to accurately find the vulnerabilities that tection approach to detect the ICS honeypots affect the ICS devices. without intrusive behaviors. This method has de- To address these challenges, we build ICScope tected 21,578 ICS honeypots (about 7.98%) on with data enrichment module, honeypot detection our datasets.
238 From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age
Our results reveal the severe and considerable se- Basic Hardware: 6ES7 313-6CE01-0AB0 v.0.1 curity risks faced by ICS devices in the current cy- Module: 6ES7 313-6CE01-0AB0 v.0.1 berspace. At the end of the paper, we discuss the mit- Basic Firmware: v.2.0.11 (a) Shodan banner igation measures against this security threat. Basic Hardware: 6ES7 313-6CE01-0AB0 Module: 6ES7 313-6CE01-0AB0 (b) FOFA banner 2 MOTIVATION AND CHALLENGES (c) SIEMENS 2.1 Motivation Online Shop Vendor: SIEMENS The risk of Internet-facing ICS devices is a persis- Product: SIMATIC S7-300 CPU 313C-2DP tent problem. Most existing works focus on what Version: v2.0.11 (d) Device Information devices have been exposed to the Internet or the at- Figure 1: Device information for SIMATIC S7-300 with tacker’s malicious behaviors (Fachkha et al., 2017). banners returned by Shodan and FOFA. Researchers perform vulnerability assessments for Internet-facing ICS devices (Samtani et al., 2016; information from banners returned by multiple device Leverett and Wightman, 2013). However, these works search engines based on ICS protocol features. For are usually limited in scale and scope. More impor- the ICS device in Figure 1, we extract its version from tantly, their approaches cannot avoid intrusive behav- the Shodan banner. Through the article number found iors. in the banner, we obtain its vendor and product from In this paper, we seek to provide a more compre- the SIEMENS online shop. hensive and holistic view of Internet-facing ICS de- Honeypot Detection. Industrial honeypots are wildly vices’ security status via a large-scale empirical mea- used in the detection of industrial control security surement. We obtain more comprehensive Internet- threats (Serbanescu et al., 2015). The device search facing ICS devices by integrating multiple search en- engines also add honeypots to the query results to gines’ data and perform passive vulnerability assess- monitor the abuse of them by attackers. Previous ment on them. We further analyze the vulnerable ICS works (Feng et al., 2016) that utilize network finger- devices and related vulnerabilities across multiple di- printing technology (Comer and Lin, 1994) are not mensions, e.g., geolocation distribution, vulnerability working here due to the lack of interaction. We lever- ratio. We also conduct a non-interaction ICS honey- age the non-interaction features to detect ICS hon- pot detection to decrease false positives while previ- eypots, such as the fingerprints of open-source ICS ous vulnerability assessment works not. honeypots and the device inconsistencies in different search engines. 2.2 Challenges Associate Vulnerabilities. Previous works (Genge and Enachescu,˘ 2016; O’Hare et al., 2019) utilize the There are three main challenges in designing a passive most similar CPE name reconstructed from banner to vulnerability assessment system. find possible vulnerabilities. However, this approach Incomplete Banners. Not all banners returned by is limited to ICS. First, some ICS devices might have device search engines contain complete device in- more than one CPE name, while some have none. For formation. For example, the different banners of example, the device’s CPE name in Figure 1 can be the same ICS device are respectively returned by cpe:/h:siemens:simatic s7-300 cpu:2.0.11 or Shodan and FOFA (see Figure 1a and Figure 1b). cpe:/h:siemens:simatic s7-300 cpu 313:2.0. Compared to Shodan, the FOFA’s banner lacks the 11. Second, CPE data used to identify the impact Basic Firmware information used to extract version range of a vulnerability in the National Vulnerability information. Moreover, both of them do not contain Database (NVD) is exaggerated or underesti- vendor and product information. Existing works that mated (Dong et al., 2019). Rather than reconstructing reconstruct CPE names from banners are limited to the CPE name, we construct vulnerability trees from the lack of device information. Fortunately, we ob- multiple public vulnerability libraries and use them serve that device search engines’ capabilities are dif- to associate vulnerabilities. ferent, and part of device information can be identi- fied through a particular field in ICS protocol. Based on this observation, we try to extract complete device
239 ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy
Data Acquisition Information Extraction Vulnerability Association Table 1: Protocols supported by ICScope. X: supported by device search engine; 4: enriched by ICScope. Device Search Engines Shodan Vulnerability Protocol Name Enrich Databases Shodan Censys FOFA SiNan Banner Honeypot Processing Detection Modbus - Vulnerability X X X X Censys Tree Siemens S7 X X X X 4 ICS Device DNP3 - Banners X X X X Entries FOFA Niagara Fox X X X X 4 Associate Data Vulnerabilities BACnet X X X X 4 Enrichment SiNan Vulnerable EtherNet/IP X - X X 4 ICS Devices GE-SRTP X - X X - Figure 2: Architecture of the ICScope. HART-IP X - X X - PCWorx X - X X 4 MELSEC-Q X - X X - 3 ICScope OMRON FINS X - X X 4 Crimson v3 X - X X - CoDeSys - 4 In this work, we design and implement a search en- X X X IEC 60870-5-104 X - X X - gine based automatic passive vulnerability assess- ProConOS X - X X - ment tool for ICS, ICScope, and present its design in VertX Edge - - X X 4 this section. Moxa NPort - - X X - Lantronix UDP - - X X - 3.1 Overview Koyo DirectNet - - - X - HollySys MACS - - - X - Proficy-webspace - - - - The overall architecture of ICScope is shaped in Fig- X Siemens License - - - X - ure 2, which consists of three modules. First, the data Total 15 5 18 22 8 acquisition module (§3.2) collects all Internet-facing ICS device data via the Application Programming In- 3.3 Information Extraction terface (API) of search engines. Then, the informa- tion extraction module (§3.3) extracts device infor- As shown in Figure 2, the information extraction mation, i.e., vendor names, product names, and ver- module consists of three submodules: sions, from the ICS device banners returned by search engines. The information extraction module (§3.3.3) 3.3.1 Banner Processing also detects and excludes the ICS honeypots in the results. Finally, the vulnerability association module This submodule takes the banners as input and out- (§3.4) constructs vulnerability trees from the public puts the device information. An ICS device entry vulnerability libraries and utilizes it and the extracted can be characterized by the tuple hvendor, product, device information to associate possible vulnerabili- versioni. Except for the ICS device entry, device in- ties. formation also includes feature information for data enrichment or honeypot detection, i.e., the article 3.2 Data Acquisition number in the S7 protocol. However, the fields of de- vice information are different in different ICS proto- The search engines provide APIs with search filters, cols. We analyzed 22 ICS protocols and wrote parsers which are special keywords for special properties. For for them separately. example, protocol:s7 is used to find all Internet- facing ICS devices in FOFA3, which use the S7 proto- 3.3.2 Data Enrichment col. As reported by Guo et al., the data integration of multiple device search engines can obtain more com- The challenge here is that the banners returned by prehensive Internet-facing ICS devices (Guo et al., search engines are incomplete. To address this, we 2018). Table 1 shows the industrial control protocols take the following three ways to enrich the incomplete and device search engines supported by ICScope. IC- ICS device entry: Scope leverages the APIs and special search filters to Data Enrichment based on Industrial Control Pro- acquires all Internet-facing ICS devices from different tocol. Some attributes of ICS device entry might show device search engines’ databases. as identifiers rather than the exact value in some ICS protocols. For example, BACnet defines a numerical 3 https://fofa.so/ ”vendor identifier” to arbitrate between non-standard
240 From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age
messages of different manufacturers. Each vendor Vendor 1 identifier has been assigned to a vendor. For the pro- prietary protocols, we can identify their vendors di- Product 1 Product 2 � Product n rectly, e.g., SIEMENS for S7 protocols. Based on �������������� … ��������������
241 ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy
Algorithm 1: Associate ICS device with vulnerabilities. respectively. We crawl the published vulnerability in- Input: ICS device entry hvendor, product,versioni, Vul- formation from NVD, CNNVD, Exploit-DB, Secu- nerability Tree(VT) rityFocus and PacketStorm, and merged all the in- Output: a set of possible CVE names (Rcve) formation into 286,269 distinct enriched vulnerability Rcve ← {} records, of which 160,795 are from CVE and 129,653 vt vendors ← all root nodes of VT are from NVD. for each vt vendor ∈ vt vendors do if sim lookup(vendor,vt vendor) then vt products ← all sub-nodes of vt vendor in VT 4.2 Discovery Approaches Validation for each vt product ∈ vt products do if sim lookup(product,vt product) then First, we evaluate the performance of our honeypot vt vuls ← all leaves of vt product in VT detection module. Shodan provides an interface5 to for each hcve,versionRangei ∈ vt vuls do query the probability that an IP is a honeypot. Among if match(version,versionRange) then the above ICScope datasets, Shodan only ensures Rcve ← Rcve + cve end if 55 IPs as honeypots. We use these IPs as a cross- end for validation dataset to validate the honeypot detection end if module results. For these ICS honeypots, ICScope end for can detect 52 of them (about 94.55%). We manu- end if ally inspect the remaining 3 IPs. We notice that the end for information extraction module returns none for two we add the CVE name of the vulnerability into the set of them. However, our approach is based on the de- of possible CVE names. vice information returned by the information extrac- tion module. The last one seems like a normal ICS device. The reason might be the limitation of the fea- tures in our approach. 4 DEMYSTIFYING Secondly, we evaluate the precision of our device INTERNET-FACING ICS discovery approach. The ICS devices reside in the re- DEVICES SECURITY STATUS mote Internet space. We cannot perform active-mode scanning due to ethical considerations. We also try In this section, we use ICScope to evaluate the se- to contact several vendors with their devices exposed, curity status of Internet-facing ICS devices in the but none of them accept our request to fill a survey whole public IP address space. We first introduce the obtaining the ground truth of the exposed devices. datasets used by ICScope and then we analyze the se- Therefore, we report the 319 vulnerable ICS devices curity status of Internet-facing ICS devices. Finally, located in our own country to the relevant Computer we compare our work with the vulnerability detection Emergency Response Team (CERT). Until the time of function provided by Shodan. paper submission, the CERT team has dealt with 59 of them and they confirm that ICScope identifies the 4.1 The Datasets of ICScope vendor, product and version information and the asso- ciated vulnerabilities of all 59 devices correctly. The The data collected by ICScope can be divided into two results show that our device discovery approach has parts: data of Internet-facing ICS devices from the de- high accuracy. And we plan to share the ICScope tool vice search engine and vulnerability information from and discovered vulnerable ICS devices to the inter- public vulnerability database. We retrieve Internet- ested CERT teams and help to deal with the exposed facing ICS devices from the four device search en- and vulnerable ICS devices. gines between Dec 2019 and Jan 2020. We ob- tain 76,489/219,238/78,363/85,531 device informa- 4.3 The Honeypots in Internet-facing tion from Shodan, Censys, FOFA and SiNan, respec- ICS Devices tively. The device number of FOFA is much larger than the others because the time span of the FOFA Among the 270,283 Internet-facing ICS devices, IC- is one year, but the others not. The independent IPs Scope regards 21,578 of them (about 7.98%) as ICS for the above results is 270,283. To monitor Internet- honeypots. Among these ICS honeypots, the multi- facing ICS devices, we also conducted the experi- source comparison-based approach detects 18,428 of ments per three months from Jun 2020 to Dec 2020. them (about 85.40%), while the ISP-based approach We obtain 229,048/225,473/242,034 Internet-facing ICS devices in Jun 2020, Sep 2020, and Dec 2020, 5https://honeyscore.shodan.io/
242 From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age
detects 3,653 (about 16.93%). Furthermore, the tremely low, the differences indicate that it may be fingerprinting-based approach detects 1,216 (about a honeypot. We are mainly concerned about the in- 5.64%). Notice that an ICS honeypot might occur consistency of the vendor, product, and version. As multiple times on the above results. shown in Figure 4, most of the inconsistencies are related to the version. Devices with version incon- sistency account for 89.89% of the total inconsistent Vendor 0.77% Product devices. It is worth noting that search engines identi- 2.75% 6.60% fied entirely different results on 2.4% of inconsistent 2.40% devices. We tag these inconsistent devices as honey- 0.69% 12.86% pots.
73.93% Data Enrichment with Multiple Device Search En- gines. As mentioned in Section 2.2, the results of Version search engines, including incomplete data. This prob- Figure 4: Attribution-distribution of inconsistent ICS de- lem can be alleviated by data enrichment. Different vices. The three circles represent the percentage of devices search engines have different ability to recognize dif- with vendor, product, and version inconsistency among all ferent attributes of devices. We extract the attributes inconsistent devices. that can be identified by different search engines and combine them to get complete device information. Figure 5 shows the different abilities of the four search engines on recognizing different device at- tributes. From Figure 5a, Figure 5b and Figure 5c, we can know that the search engines, except for Cen- sys, performs well in recognition of vendor and prod- uct. But all the four search engines are weak in rec- ognizing version, among which, Censys get the best (a) Vendor recognition rate (d) Vendor recognition rate at all ICS protocols at BACnet protocols recognition rate of 56.6%. Taking the BACnet proto- col as an example, we can obtain the version informa- tion from Censys and the other information from the other three search engines (See Figure 5d, Figure 5e, Figure 5f).
4.5 The ICS Devices Affected by Public Vulnerabilities (b) Product recognition rate (e) Product recognition rate at all ICS protocols at BACnet protocols For the 22 industrial control protocols mentioned in this paper, we can completely extract vendor, prod- uct and version information in only 9 of them (See Table 2). We obtain 215,649 ICS devices using one of the 9 ICS protocols from device search engines. After excluding 15,294 devices that may be indus- trial controlled honeypots, 106,382 (about 53.10%) devices can extract complete information. For those (c) Version recognition rate (f) Version recognition rate devices with complete information, there are 52,739 at all ICS protocols at BACnet protocols (about 49.58%) devices affected by one or more vul- nerabilities. Figure 6 shows the percentage of vul- Figure 5: Recognition rate of different attributions. nerable ICS devices in different protocols. Next, we focus on the analysis of the impact of public vulnera- 4.4 The Advantage of Multiple Device bilities on these 52,739 devices. Search Engines Protocol-distribution of Vulnerable ICS Devices. Table 2 shows the impact of public vulnerabilities Inconsistencies in Device Search Engines. We in ICS devices. We find that about half of Internet- first analyze the inconsistencies between the different facing ICS devices are still vulnerable, thus having search engines. Since the probability of upgrading or the risks of being compromised. More than half of replacing the device during the scanning cycle is ex- the ICS protocols have at least 40% vulnerable de-
243 ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy
Figure 6: Vulnerable device percentage at protocol-level.
Table 2: Statistics result of vulnerable devices. Vulnerable Protocol Name Vulnerable Devices Percentage Modbus 3461 28600 12.10% Figure 7: Hilbert curve heatmap of vulnerable ICS devices Siemens S7 4400 7663 57.42% in the IPv4 addresses space. Niagara Fox 35669 37060 96.25% BACnet 1918 14405 13.31% EtherNet/IP 4006 9171 43.68% PCWorx 1444 3610 40.00% OMRON FINS 208 2032 10.24% CoDeSys 1633 3526 46.31% VertX Edge 0 315 0.00% Total 52739 106382 49.58% *Devices: refers to total number of ICS devices with complete vendor, product and version information. vices. In particular, the percentage of vulnerable ICS devices using Niagara Fox protocol, the most seri- Figure 8: Geo-distribution of vulnerable ICS devices. ous protocol, is close to 100%. For Vertx Edge, we only find one remote code execution vulnerability of able devices (21,156), which accounts for 40.11% of an HID VertX/Edge device in the public vulnerabil- all vulnerable Internet-facing ICS devices. We further ity databases, more specific, from SecurityFocus and analyze the proportion of vulnerable ICS devices in PacketStorm. However, there is no detailed impact each country. Among the six continents, North Amer- scope of this vulnerability. Thus the assessment re- ica has the highest proportion of vulner- able ICS de- sult for VertX Edge is 0.00%. vices, with an overall rate of 39.48%. This is mainly Geo-distribution of Vulnerable ICS Devices. We because the proportion of vulnerable ICS devices in adopt the Hilbert curve (Moon et al., 2001) to visu- the United States and Canada with more than 1000 alize the vulnerable ICS device distribution in the In- ICS devices is as high as 40.72% and 35.48%, respec- ternet space. As shown in Figure 7, the distribution tively. The rest are Australia (20.99%), South Amer- of vulnerable ICS devices is irregular. It is hard to ica (20.23%), Europe (19.93%), Asia (11.66%) and find any correlation between vulnerable ICS devices Africa (9.15%). As shown in Figure 9, more than 90% and IP. Although we cannot find any correlation at IP- of the Niagara Fox vulnerable devices can be found in layer, we can also investigate the correlation between the top 10 countries, and there is a long-tail effect in spatial location and vulnerable ICS device distribu- their vulnerable ICS devices distribution. There are tion. Figure 8 shows the geographical distribution of similar distribution characteristics in other vulnera- Internet-facing ICS devices affected by public vulner- ble ICS devices. At the city-level, Figure 10 shows abilities. These vulnerable ICS devices are distributed a long-tail effect in vulnerable ICS devices. The Ni- in the vast majority of countries around the world, agara Fox protocol has the most extensive coverage. among which the United States, Italy, Canada, France More than 43% of the Niagara Fox vulnerable devices and Spain are on the top. In particular, the United are located in the top 50 cities, 60% of the Niagara States is the only country that has over 10,000 vulner- Fox are in the top 134 cities. OMRON FINS has the
244 From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age
Figure 9: Location distribution of vulnerable ICS devices at country-level. Figure 11: Vulnerable ICS devices over time. The solid lines represent the number of vulnerable ICS devices. The dash lines represent the percentage of vulnerable ICS de- vices.
Top 5 Vulnerabilities in Different ICS Protocols. Ta- ble 3 shows the top 5 ICS vulnerabilities in different industrial control protocols. For Niagara Fox proto- col, the three vulnerabilities we found affect about 96.25% of all Niagara Fox ICS devices with com- plete information. There are similar characteristics in PCWorx and CoDeSys protocols. For such vulnera- bilities, ICS engineers should take measures to fix or Figure 10: Location distribution of vulnerable ICS devices at city-level. mitigate them as soon as possible. least coverage. The cities which have ICS devices us- ing OMRON FINS protocol are only 34. Vulnerable ICS Devices over Time. Among the three experiments over six months, we find 46,489/38,466/37,027 vulnerable ICS devices, re- spectively, and the details are shown in Figure 11. There is a slowly decreasing trend in the number of vulnerable ICS devices for most ICS protocols dur- ing our measurement period. This indicates that peo- ple had taken some measures to mitigate the risk of Internet-facing ICS devices, but still not enough counter-measures. However, the Siemens S7 pro- Figure 12: Severity distribution of ICS vulnerabilities in tocol shows an anomalously increasing trend in the different protocols. number and percentage of vulnerable ICS devices. This mainly due to the growing number of exposed The Severity of ICS Vulnerabilities in Different ICS SIMATIC S7-1200 devices. Protocols. We use the Common Vulnerability Scor- ing System(CVSS)(version 3) to assess the severity 4.6 The Statistics of ICS Vulnerabilities of ICS vulnerabilities. CVSS version 3.0 was released in June 2015, and vulnerabilities released before that We then carry on the statistical analysis of the ICS date have no CVSSv3 score. 46 out of 207 ICS vul- vulnerabilities mentioned above. We find that only nerabilities are released before June 2015, and the ICS 207 different vulnerabilities affect a total of 52,739 vulnerabilities of OMRON FINS and CoDeSys are all ICS devices. We classify these vulnerabilities accord- among them. As shown in Figure 12, the ICS vulner- ing to protocols and then further analyze the impact abilities with high or critical severity in all ICS pro- scope, CVSSv3 score, and life cycle of vulnerabili- tocols are at least 60%. The severity of vulnerabili- ties under different protocols. ties in the PCWorx protocol, the most severe proto-
245 ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy
Table 3: Top 5 vulnerabilities in different ICS protocols. Modbus Siemens S7 BACnet EtherNet/IP CVE Numbers CVE Numbers CVE Numbers CVE Numbers CVE-2015-7937 3095 CVE-2017-2680 4384 CVE-2019-18249 1770 CVE-2017-7898 3147 CVE-2015-6461 3077 CVE-2017-2681 4384 CVE-2016-4495 37 CVE-2017-7899 3147 CVE-2015-6462 3077 CVE-2017-12741 4337 CVE-2016-3155 36 CVE-2017-7901 3147 CVE-2018-7241 2462 CVE-2019-10936 4246 CVE-2018-7779 27 CVE-2017-7902 3147 CVE-2018-7242 2462 CVE-2018-13815 3021 CVE-2018-7795 25 CVE-2017-7903 3147 Total vul num: 22 Total vul num: 56 Total vul num: 93 Total vul num: 29 Niagara Fox PCWorx OMRON FINS CoDeSys CVE Numbers CVE Numbers CVE Numbers CVE Numbers CVE-2017-16744 35669 CVE-2019-9201 1444 CVE-2015-0987 208 CVE-2014-0760 1633 CVE-2017-16748 35669 CVE-2019-10953 605 CVE-2015-1015 195 CVE-2014-0769 1633 CVE-2018-18985 35669 ------Total vul num: 3 Total vul num: 2 Total vul num: 2 Total vul num: 2 *Numbers: refers to the number of devices affected by the vulnerabilities.
the vulnerabilities mentioned above. We can find that most of the vulnerabilities are disclosed within 3 years, yet 19.80% have been disclosed for more than 5 years. Among these vulnerabilities, we find that there are 40 vulnerabilities (about 19.32%) which exploits are published on the Internet. This indicates that these corresponding affected devices are in a highly danger- ous state.
4.7 The ICS Devices Affected by 0day Vulnerabilities
Figure 13: Average score and outliers of ICS vulnerabilities ICScope also supports the evaluation of the impact of in different protocols. 0day vulnerabilities. We use ICScope to evaluate the impact of a 0day vulnerability we found in Schneider Electric device. This vulnerability affects four dif- ferent products, including Modicon M580 (version ≤ 3.10). We find that 3,999 Schneider Electric devices exposed to the Internet are affected by this vulnerabil- ity. We have reported this vulnerability to the vendor and waiting for the vendor to fix it.
4.8 Comparison with Shodan Vulnerability Detection
Shodan also tries to verify whether the target device Figure 14: Vulnerabilities Existing Time. is affected by known vulnerabilities. We use this function of Shodan to detect the vulnerability of the col, is high or critical. Figure 13 shows the CVSSv3 ICS devices that the complete information can be ex- scores of vulnerabilities in different protocols. The tracted. For 106,382 different IP addresses, Shodan average scores revolve around 7.5, and the scores of finds only 3,472 (about 3.26%) associated with one most vulnerabilities are spread across the 7.5-10 spec- or more vulnerabilities. Moreover, the vulnerabili- trum. Among the ICS vulnerabilities, 69.23% are re- ties detected by Shodan are all Web-based vulnerabil- motely exploitable, 74.52% do not require any special ities instead of ICS vulnerabilities. Comparing with conditions, and 66.35% could be executed without au- Shodan, ICScope finds that 52,739 Internet-facing thorization. ICS devices (about 49.58%) are affected by at least The Timeline of ICS Vulnerabilities in Different ICS one ICS vulnerabilities. As for ICS vulnerability de- Protocols. Figure 14 shows the disclosure time of tection, ICScope performs better than Shodan.
246 From Exposed to Exploited: Drawing the Picture of Industrial Control Systems Security Status in the Internet Age
5 RELATED WORK detection approach used in ICScope is based on the non-interaction features. So it has no probing packet Passive Vulnerability Assessment in Cyberspace. with ICS devices. Passive vulnerability assessment is an eco-friendly and resource-conserving research method for large scale security measurement towards Cyber-Space. 6 DISCUSSION B Genge et al. are the first to propose the Shodan-based passive vulnerability assessment tool, Ethical Considerations. From an ethical perspective, ShoVAT (Genge and Enachescu,˘ 2016). The CPE we perform our measurements in a completely passive based vulnerability matching technique used by mode to avoid any potential damage. The data used ShoVAT is heavily dependent on the quality of its for ICScope contains no sensitive data, and the data CPE dictionary. Jamie O’Hare et al (O’Hare et al., provided by public search engines are publicly avail- 2019) improved the previous work and proposed able. However, because the vulnerable ICS devices Scout to perform a passive vulnerability assessment are still unfixed, we cannot publish our datasets and of HTTP services on the Internet. Compared with over 52K vulnerable ICS devices directly. Instead, we ShoVAT, Scout focuses on the accuracy of vulnerabil- report vulnerable ICS devices in our country to rele- ity matching. By comparing with the scanning result vant CERT, and we also try to contact several vendors. of OpenVAS,Scout’s results are more practical. How- Limitations. First, the above experiment results only ever, neither of the works mentioned above is suit- show a subset of the security status of Internet-facing able for the industrial control scenario. Their match- ICS devices. The actual situation should be more se- ing techniques depends on the quality of the banners rious. This is a limitation because it is difficult or returned by search engines. However, it is common impossible to obtain all Internet-facing ICS devices that the banners are incomplete in ICS. We mitigate via search engines, and not all ICS devices can be ex- this problem with our data enrichment module. More- tracted full information. Second, while we obtain vul- over, previous works on passive vulnerability assess- nerable Internet-facing ICS devices, we still do not ment rarely consider the honeypot problem. ICScope confirm whether there is any defensive measure on try to address it to increase the accuracy of vulnera- them. Because ICScope is based on version to iden- bility detection. tify vulnerabilities rather than proof of concept(PoC). Online ICS Device Discovery. Previous works on the Third, the supporting ICS protocols of ICScope is discovery of online ICS devices are always a hot topic limited to the ability of search engines. ICScope sup- on ICS security. Mirian et al. (Mirian et al., 2016) ex- ports one ICS protocols only if its banners contain key tend ZMap (Durumeric et al., 2013) to support four fields. Fourth, a lack of raw probing packets makes ICS protocols and scan the public IPv4 address space it harder to extract device information or detect ICS to discover online ICS devices. Differently, Feng et honeypots because the banners generated by search al. (Feng et al., 2016) investigates 17 industrial con- engines might lose some information. trol protocols and develop their ICS device discovery Honeypot Detection. It is hard to detect ICS honey- system to conduct ICS device discovery. Although pots accurately in passive mode. For example, ICS both of them have tried to minimize the number of devices might share one IP by port forwarding. How- probing packets, their systems still need to interact ever, this is also a fingerprint to detect honeypots. We with target devices. By using search engines, ICScope cannot distinguish them without the help of probing can discover online ICS devices without any commu- packets. So we regard all of them as ICS honeypots nication interactions. By using multiple search en- to reduce false positives. Fortunately, we find that this gines, ICScope can better tolerate the limitation of problem might be corrected by the data from non-ICS scanning nodes. port, and we leave it as our future work. ICS Honeypot Detection. The honeypots in ICS se- Mitigation. We need to take some defensive mea- curity are often used to perform ICS threat analy- sures to mitigate the risk of Internet-facing ICS de- sis (Mirian et al., 2016; Vasilomanolakis et al., 2016; vices. The intuitive measure is to keep the latest ver- Serbanescu et al., 2015). There are few works con- sion of each ICS device. However, this is difficult or sidering ICS honeypot detection. Feng et al. (Feng impossible in the actual ICS environment. Instead, we et al., 2016) propose a learning model to determine can take the following defensive measures: the probability of an ICS honeypot and a heuristic al- Add Firewall Policy. By adding firewall to restrict gorithm to verify it with the least number of packets. source IP and destination port, we can prevent the at- However, both the learning model and the algorithm tack from accessing the vulnerable ICS devices. are based on the probing packets. The ICS honeypot Network Isolation. Isolate the ICS devices that need
247 ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy
Internet connection from the ones that do not need Durumeric, Z., Adrian, D., Mirian, A., Bailey, M., and Hal- to prevent the attacker from accessing the vulnerable derman, J. A. (2015). A search engine backed by devices. internet-wide scanning. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Commu- nications Security, pages 542–553. ACM. Durumeric, Z., Wustrow, E., and Halderman, J. A. (2013). 7 CONCLUSION Zmap: Fast internet-wide scanning and its security ap- plications. In 22nd {USENIX} Security Symposium As a crucial component of modern city infrastructure, ({USENIX} Security 13), pages 605–620. the industrial control system exists in every corner of Fachkha, C., Bou-Harb, E., Keliris, A., Memon, N. D., and our life. However, the Internet-facing ICS devices Ahamad, M. (2017). Internet-scale probing of cps: Inference, characterization and orchestration analysis. are under the risk of known vulnerabilities. In this In NDSS. work, we develop ICScope to discover the vulnerable Feng, X., Li, Q., Wang, H., and Sun, L. (2016). Character- Internet-facing ICS devices. Base on the results, we izing industrial control system devices on the internet. perform a comprehensive analysis of the security sta- In 2016 IEEE 24th International Conference on Net- tus for online ICS devices. We find that 49.58% of work Protocols (ICNP), pages 1–10. IEEE. Internet-facing ICS devices that we can extract com- Genge, B. and Enachescu,˘ C. (2016). Shovat: Shodan- plete device information are affected by known vul- based vulnerability assessment tool for internet-facing nerabilities. The most serious ICS protocol is Niagara services. Security and communication networks, Fox, which proportion of vulnerable devices is even 9(15):2696–2714. as high as 96.25%. We observe that most of the vul- Guo, G., Zhuge, J., Yang, M., Zhou, G., and Wu, Y. (2018). A survey of industrial control system devices on the nerable devices are affected by the same vulnerabil- internet. In 2018 International Conference on Inter- ity in Niagara Fox, PCWorx, and CoDeSys protocols. net of Things, Embedded Systems and Communica- In all ICS protocols, at least 60% of the ICS vulner- tions (IINTEC), pages 197–202. IEEE. abilities are with high or critical level severity. We Leverett, E.´ and Wightman, R. (2013). Vulnerability inheri- also observe a slowly decreasing trend in the number tance programmable logic controllers. In Proceedings of vulnerable ICS devices during our six-month mea- of the Second International Symposium on Research surement period. Moreover, our measurement results in Grey-Hat Hacking. only present the lower limit of the actual situation. In Mirian, A., Ma, Z., Adrian, D., Tischer, M., Chuenchujit, response to these severe industrial control security is- T., Yardley, T., Berthier, R., Mason, J., Durumeric, sues, we also discuss the mitigation measures, such as Z., Halderman, J. A., et al. (2016). An internet-wide view of ics devices. In 2016 14th Annual Conference add firewall policy. on Privacy, Security and Trust (PST), pages 96–103. IEEE. Moon, B., Jagadish, H. V., Faloutsos, C., and Saltz, J. H. ACKNOWLEDGEMENTS (2001). Analysis of the clustering properties of the hilbert space-filling curve. IEEE Transactions on knowledge and data engineering, 13(1):124–141. We would like to thank all anonymous reviewers for O’Hare, J., Macfarlane, R., and Lo, O. (2019). Identifying their valuable feedback that greatly helped us improve vulnerabilities using internet-wide scanning data. In this paper. Besides, we would like to thank Yuxiang 2019 IEEE 12th International Conference on Global Lu, Zhenbang Ma, Yu Wang, for their helping in our Security, Safety and Sustainability (ICGS3), pages 1– work. 10. IEEE. Samtani, S., Yu, S., Zhu, H., Patton, M., and Chen, H. (2016). Identifying scada vulnerabilities using pas- sive and active vulnerability assessment techniques. REFERENCES In 2016 IEEE Conference on Intelligence and Secu- rity Informatics (ISI), pages 25–30. IEEE. Comer, D. E. and Lin, J. C. (1994). Probing tcp implemen- Serbanescu, A. V., Obermeier, S., and Yu, D.-Y. (2015). Ics tations. In Usenix Summer, pages 245–255. threat analysis using a large-scale honeynet. In 3rd In- Di Pinto, A. A., Dragoni, Y., and Carcano, A. (2018). Tri- ternational Symposium for ICS & SCADA Cyber Se- ton: The first ics cyber attack on safety instrument sys- curity Research 2015 (ICS-CSR 2015) 3, pages 20–30. tems. In Proc. Black Hat USA, pages 1–26. Vasilomanolakis, E., Srinivasa, S., Cordero, C. G., and Dong, Y., Guo, W., Chen, Y., Xing, X., Zhang, Y., and Muhlh¨ auser,¨ M. (2016). Multi-stage attack detec- Wang, G. (2019). Towards the detection of inconsis- tion and signature generation with ics honeypots. tencies in public security vulnerability reports. In 28th In NOMS 2016-2016 IEEE/IFIP Network Opera- {USENIX} Security Symposium ({USENIX} Security tions and Management Symposium, pages 1227–1232. 19), pages 869–885. IEEE.
248