#1263366: State of Industrial Control Systems in Poland and Switzerland - Internet-Exposed ICS

Description: TL;DR New update for Kamerka allows to map Industrial Control Systems of whole country. As in previous version, interactive map is created but this time Google Street View has been added in order to take you for a virtual walk near found ICS devices.

I will present final map and some statistics on the example of Poland and Switzerland.

Code is still here → https://github.com/woj-ciech/Kamehameha

Introduction
Industrial Control Systems (ICS) are systems/devices that are responsible for managing factories, power plants, hospitals or even traffic lights. Everyone knows how fragile these systems are and how outages may disrupt normal functioning of a city or country. The most famous cyberattack against ICS (except Stuxnet) had place in Ukraine in 2015 with BlackEnergy malware, however it’s not only strain of malicious software attacking ICS. Next example can be Industroyer or Triton, which code has been leaked and was analyzed, I recommend you to read the analysis to know how complex it is what damage it can cause.

In general, ICS shouldn’t be connected to the Internet but in order to save money, companies allow technicians remote access to this systems and create additional risk. Moreover, ports like HTTP, FTP, SSH, SNMP are accessible which potentially makes machine more vulnerable to different attacks. I even came across machines with VNC or SMB open. It confirms bad security practices and lack of network segregation.

Knowing history, i.e. attack on Ukraine, one should pay more attention to things that are exposed to the internet with other services that might help attackers to compromise machine or exfiltrate data in other way. Current Kamerka update gives you possibility to enumerate ICS device in specific country including localization and Google Street View photos.

Now it is fully functional recognize-intelligence gathering platform for specific location or Industrial Control Systems. It can be used in two parts, first enumerates localization of ICS and second part looks for cameras and social media photos nearby previously found industrial systems. This way you can gather full geo-intelligence (localization, cameras in neighborhood, google street view and social media photos) and also data intelligence (IP address, hostnames, services or open ports).

How it works?
First version of Kamerka included only exposed cameras, then social media photos have been added and now you have possibility to visualize Industrial Control Systems of any country. The data source is still Shodan and following filter are used:

port:502,102,47808,44818
port:1911,4911 product:“Niagara Fox”
port:20000 source address
product:”general electric”
port:20547,1962 PLC
product:“Mitsubishi”
port:9600 response code
port:789 product:”Red Lion Controls”
port:2404 asdu address
port:2455 operating system
(with additional filter „country” with two letter short code of country as a value.)

Which means that following devices and products are checked:

Modbus
Siemens S7
Tridium
General Electric
BACnet
HART IP
Omron
Mitsubishi Electric
DNP3
EtherNet/IP
PCWorx
Red Lion
Codesys
IEC 60870–5–104
ProConOS
It checks whether specific port is open or if device is a product like „Niagara Fox” or „Mitsubishi”. To be perfectly sure that this is ICS, script looks for „ics” tag in Shodan’s response. Then, with help of Folium library, map is created with photos from Google Street View.

You need additional API key for Google with Street View with billing activated.

Most of the location points to unspecified buildings, but in some cases I was able to find hospitals or power plants. Additional link to Shodan has been added to get more knowledge about particular host. It’s worth to mention that every host requires additional research, you can check what exactly belongs to this network with filter „net:IP” or what other devices are located in this place with „geo:LAT,LONG,RADIUS” filter.

Limitations
I had to connect couple filters into one in order to save API credits. From this same reason, only first page is checked, sometimes is enough knowing there are only 40 Niagara Fox devices in Poland. Each of the filter can be substituted with one „tag:ics” but it’s only available in enterprise version. If you need to adjust the script to enterprise version, let me know.

Research
Poland is very specific country because of it’s localization, which is in the middle of the Europe and creates sort of bridge between East and West. It is also interesting study case to show whether Poland can be second, after Ukraine, industrial cyber-battlefield.

Based on previously mentioned filters I enumerated 253 machines running different Industrial Control Systems, then I took geolocation and visualize it in form of map with clusters. Based on this, you can gather info where systems are located, if not exact location at least city is extracted.

I started this research with hope to find lot of power plants, factories and test their physical security with Google Street View and exposed cameras pointing this specific place. I found only couple places like factories or hospitals and rest of them are just completely other places, it’s also good study to show how geolocation data are precise, or not.
More info: https://medium.com/@woj_ciech/state-of-industrial-control-systems-in-poland-and-switzerland-656e2e363fe3

Date added June 13, 2019, 5:57 a.m.
Source Medium.com
Subjects
  • Energy - Oil / Electricity / Gas Utilities Alerts
  • ICS - Industrial Control and Automation Systems - New Reports In
  • SCADA - New Reports In
  • Shodan