Investigating the Vast World of ICS Coverage: Part 1
At Censys, our goal is to capture an accurate representation of the Internet at any given time. However, this is a deceivingly simple task. Not only is the Internet large, but our investigations and prior research show that many of the services on the Internet do not respond on their standard port. While you would expect Modbus to be found only on port 502, the reality is that there is a plethora of Modbus on other, non-standard ports.
Thus, today we’re going to dive under the hood and discuss how we use independent measurement and research to verify where to scan in a more focused manner. We focus on ICS protocols as a case study, given their interest of late.
The World is Small – Examining Standard +/- 1 Ports
One way to account for non-standard port is a global IPv4 65k port walk. However, given the sheer size of this scan, it is spread out over time, and thus, won’t find everything immediately. While we aren’t inclined to change the global 65k port walk, we can change our dedicated scans to include broader port scans in areas of interest, thus allowing us to find hosts more systematically.
A natural first question is “What non-standard ports are most likely to host protocols of interest?”. Instead of starting with a 65K port scan that blasts many hosts, we begin with a very targeted focus. Based on anecdota and prior knowledge, we have reason to believe that many ICS protocols are hosted on their standard port +/- 1 (e.g. Modbus on 501 and 503, even though its standard port is 502).
So, a measurement is born. Specifically, we want to test for the existence of an ICS protocol on its standard +/- 1 port, to see if further experiments are worthwhile. We pick Automatic Tank Gauges, or ATG, as our protocol of interest, since they are not the most populous ICS protocol, but still numerous. Since ATG’s standard port is 10001, we run a single Internet-wide scan to find as many devices as possible with ports 10000 and 10002 open. We then run our ATG protocol scanner against these hosts with open ports, filtering for successful scans and those that responded on ATG. Out of ~7K successful hosts that provide some sort of protocol-level data back, we find that ~1.3K are responsive ATG on these non-standard ports, or almost 20%!
Given this finding, as well as data in our platform to back up non-standard ports on other ICS protocols, we implement standard port +/- scanning for all ICS protocols. We then analyzed how our protocol coverage changes for these ICS protocols over time, and found an increase in a number of protocols, namely WDBRPC (~1.8x), DIGI (~2.8x), FINS (~1.9x). We also find more moderate increases in BACNET, S7, IEC60870_05_104, OPC_UA, DNP3, ATG.
This is a huge increase, and very exciting for us! In this process, we also examined what were the top three ports for each protocol. Naturally, we would expect that the three largest ports would be the standard port +/- 1 for each ICS protocol, especially given this new change to our scanning methodology. However, that wasn’t always the case. Stay tuned for next week, where we’ll discuss more about how we launched two additional measurements, and dived even deeper into the world of ICS coverage.
Appendix of ICS descriptions:
- ATG (Automated Tank Gauge) is used to monitor and track levels of tank contents (often fuel) over time.
- BACnet is primarily used for building automation and control, such as HVAC, lighting, and building access controls.
- CIMON PLC facilitates communications for the CIMON programmable logic controller.
- C-more serves the C-more HMI, which allows operators to monitor and interact with industrial control systems.
- CODESYS is hardware-independent automation software used to program and debug PLCs.
- DIGI is used to discover networked devices, often in industrial settings.
- DNP3 (Distributed Network Protocol 3) is a communications protocol widely used in electric utility systems in North America.
- E/IP (Ethernet Industrial Protocol), was designed for use in various automation systems. Encapsulated inside CIP (Common Industrial Protocol), this protocol exchanges data between various device types, such as PLCs, HMIs, and controllers.
- FINS (Factory Interface Network Service) is a proprietary protocol for Omron industrial automation devices, particularly Omron-manufactured PLCs and HMIs.
- FOX is used for building automation and control, such as HVAC and other facilities management processes.
- GE SRTP (General Electric Service Request Transfer Protocol) facilitates communications between GE PLCs and other devices.
- HART (Highway Addressable Remote Transducer) is an open source protocol that combines analog and digital communication for industrial systems.
- IEC 60870-5-104 is part of the IEC 60870 series of standards designed for applications in electrical engineering.
- MMS (Manufacturing Message Specification) transfers process information among networked devices in industrial settings.
- Modbus enables communications between PLCs, sensors, and other devices in industrial environments.
- OPC UA (Open Platform Communications Unified Architecture) is a communications protocol that emphasizes interoperability among devices from different manufacturers
- PCOM is a proprietary communications protocol used by Unitronics PLCs.
- PCWORX is a proprietary protocol for communicating with Phoenix Contact PLCs.
- ProConOS is a proprietary communications protocol used by systems running the ProCon operating system.
- Red Lion Crimson is a software and communications protocol used for Red Lion HMI configuration.
- S7 is a proprietary Siemens protocol used in communications between HMIs and PLCs in an automated or industrial environment.
- WDBRPC (Wind River Debug) is a protocol for Wind River’s VxWorks real-time operating system (RTOS).
