
2017 2nd International Conference on Artificial Intelligence and Engineering Applications (AIEA 2017)

ISBN: 978-1-60595-485-1

ICSMap: An ICS Scanning Tool Based on Stateless Connections

ZHUO CHEN, HUA ZHANG and TENGFEI TU

ABSTRACT

The security of industrial control systems is tied to the safety and stability of national energy and basic industrial facilities, and it has gradually become a serious challenge for enterprises and for national security. This paper proposes ICSMap, an industrial control network scanning tool based on stateless connections. The tool can scan industrial devices exposed to the global public network very quickly and obtain their manufacturers, models and other related information. Experiments show that ICSMap can be used for industrial control devices speaking Modbus, DNP3, S7, BACnet and other protocols, and that its scanning speed is far greater than Nmap's.

INTRODUCTION

Since the "Stuxnet" virus broke out in 2010 [1, 2, 3] and caused huge losses to Iran's nuclear facilities, the whole world has been aware of the importance of industrial control system security and of the severity of the consequences once such a system is attacked, and industrial control system security has been raised to the strategic level.

In order to scan industrial control systems exposed to the global public network quickly and accurately, and to discover and manage them so that the scope of a vulnerability's impact can be identified accurately when the vulnerability breaks out [4, 5, 6], we propose ICSMap, an industrial control network scanning tool based on stateless connections. It can find and identify industrial control equipment quickly and accurately, and it supports multiple communication protocols and devices. ICSMap supports scanning of a variety of commonly used industrial protocols, such as Modbus, EtherNet/IP, DNP3, BACnet, S7 and other industrial control protocols.

_________________________________________

Zhuo Chen, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China. [email protected]

Corresponding author: Hua Zhang, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China. [email protected]


Because it uses a no-retransmission strategy, skips the TCP/IP protocol stack and generates Ethernet frames directly, and keeps no pre-connection state, the scanning efficiency is greatly improved. On an ordinary machine with 100 MB bandwidth, scanning the global IPv4 address space takes 24 hours, a scan rate 1000 times higher than traditional Nmap. Evaluation shows that the tool can identify industrial equipment quickly and accurately.

RELATED WORK

Traditional Industrial Control System Detection Method

In traditional networks, some services and systems can be identified through port scanning, for example by checking whether some commonly used ports are open [7, 8]. From which ports are open one can roughly infer the running services and the operating system type of the target system. To verify a specific service, the corresponding protocol can be used to interact with it and request the corresponding content. In traditional networks, a large number of protocols are standard and open.

Nowadays, Internet-wide scanning is becoming more frequent, and scanning and recognition methods are based on the Ethernet TCP/UDP communication protocols that equipment uses for external communication [9, 10], such as Modbus, IEC104, DNP3, S7, FINS and so on. So, as long as we scan the specific port, we can find the networks in which industrial control systems exist. Generally, communication between industrial control equipment uses TCP connections, with a small number using UDP connections; for example, the Modbus protocol uses port 502, the DNP3 protocol uses port 20000, and the S7 and IEC 61850 protocols use port 102. But this can only detect that the target may have industrial equipment; it cannot be confirmed, and the manufacturer and type of industrial control equipment that the target uses cannot be identified. Further detection is needed to learn this information. The traditional detection method is to establish a TCP connection with the target. If the connection can be established, the target port is open. Then a probe packet can be sent to detect the target device's model and version number. Nmap [11] provides many industrial equipment scanning scripts that are also based on this principle. But carrying out a global scan with this kind of scanning method requires at least a few weeks or even months.

Scanning Based on Stateless Connections

In 2013, Zakir Durumeric and others introduced a much faster scanner named ZMap [12, 13, 14]. Because ZMap scans without keeping pre-connection state, it can scan the public IPv4 address space over 1300 times faster than the most aggressive Nmap default settings. ZMap can scan for a given open port across the entire public IPv4 address space in under 45 minutes, over 97% of the theoretical maximum speed of gigabit Ethernet, without requiring specialized hardware. At present, scanning for industrial networks is also based on this: first ZMap is used to scan for targets that have the corresponding port open, then a method similar to Nmap is used for further detection of the target.

Figure 1. ICSMap Architecture.

performing a bulk scan, this not only increases the amount of communication between the two sides but also reduces scanning efficiency, because the computer saves the connection state and resources are heavily occupied. A stateless connection, by contrast, does not save the connection state between the two sides: the scanner forgets the connection after sending a SYN packet and then sends a SYN packet to the next target. This greatly enhances scanning efficiency and reduces system resource consumption, because the system does not have to save the connection state. A target with the corresponding port open will respond with a SYN-ACK packet, and a closed port will not respond. After we receive the response, we can determine that the target has opened the corresponding port, and the kernel will then automatically respond with a RST packet to close the connection.

ICSMAP: THE SCANNER

ICSMap presents a new scanning method for industrial control systems: after receiving the SYN-ACK packet, it sends an ACK packet to complete the TCP connection, and then sends a PSH-ACK packet carrying the payload data. When we receive the next PSH-ACK packet, we obtain the target's fingerprint or device information.

ICSMap is mainly composed of eight parts: the Address Generation module, Config module, Packet Generation module, Packet Transmission module, Packet Receipt and Validation module, Packet Analyze module, Result Processing module and Output module. Its architecture is shown in Figure 1.

Address Generation

The address generation module generates the address list based on the configuration entered by the user. Since we skip the TCP/IP protocol stack and generate Ethernet frames directly, we attempt to send packets as quickly as the source's NIC can support. If we scan the entire IPv4 address space and our bandwidth is higher than the target's bandwidth, scanning in sequential order may block the target network and have the effect of a DDoS attack. So we need to distribute our traffic evenly over the targets, and we therefore use a random address generation method.


mapping between the original index variable and the output. This means that while we linearly go through the range, the output IP addresses are completely random.

The encryption method we use is a "Feistel network", a crypto-like construction that encrypts an arbitrarily sized range. Given a number in the range [0..9999], it produces a mapping to a distinct, different number in the same range (and back again). In other words, it randomizes the order of the numbers in a sequence, which achieves the purpose of randomly generating IP addresses.
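The following Python is an added example, not ICSMap's code, of the Feistel-network permutation described above: a keyed bijection on [0, n) built from a few Feistel rounds plus cycle walking, so that walking the indices linearly visits the range in a pseudo-random but fully reversible order. The HMAC-SHA256 round function, the round count, and the use of the 192.0.2.0/28 documentation block in the demo are assumptions made here; the paper does not specify them.

```python
import hashlib
import hmac
import ipaddress
from typing import Iterator


def _round_function(key: bytes, rnd: int, value: int, half_bits: int) -> int:
    """Keyed pseudo-random function for one Feistel round (HMAC-SHA256 is a
    choice made for this example); returns a value of half_bits bits."""
    msg = rnd.to_bytes(4, "big") + value.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << half_bits) - 1)


class RangePermutation:
    """Bijection on [0, n) built from a Feistel network plus cycle walking."""

    def __init__(self, n: int, key: bytes, rounds: int = 4) -> None:
        if n < 2:
            raise ValueError("range must contain at least two values")
        self.n = n
        self.key = key
        self.rounds = rounds
        # Smallest even bit width whose power-of-two domain covers [0, n).
        bits = max(2, (n - 1).bit_length())
        bits += bits % 2
        self.half_bits = bits // 2

    def _feistel(self, x: int, forward: bool) -> int:
        mask = (1 << self.half_bits) - 1
        left, right = x >> self.half_bits, x & mask
        order = range(self.rounds) if forward else range(self.rounds - 1, -1, -1)
        for rnd in order:
            if forward:
                # Feistel round: (L, R) -> (R, L xor F(R))
                left, right = right, left ^ _round_function(self.key, rnd, right, self.half_bits)
            else:
                # Inverse round: (L, R) -> (R xor F(L), L)
                left, right = right ^ _round_function(self.key, rnd, left, self.half_bits), left
        return (left << self.half_bits) | right

    def permute(self, index: int) -> int:
        """Map an index in [0, n) to a distinct index in [0, n)."""
        if not 0 <= index < self.n:
            raise ValueError("index out of range")
        x = self._feistel(index, forward=True)
        while x >= self.n:  # cycle walking: re-encrypt values outside [0, n)
            x = self._feistel(x, forward=True)
        return x

    def unpermute(self, output: int) -> int:
        """Inverse of permute(): recover the original index."""
        if not 0 <= output < self.n:
            raise ValueError("output out of range")
        x = self._feistel(output, forward=False)
        while x >= self.n:
            x = self._feistel(x, forward=False)
        return x


def randomized_addresses(network: str, key: bytes) -> Iterator[ipaddress.IPv4Address]:
    """Walk the block's indices linearly but yield its addresses in permuted
    order, so consecutive probes are spread across the block rather than
    hitting neighbouring hosts back to back."""
    block = ipaddress.ip_network(network, strict=False)
    perm = RangePermutation(block.num_addresses, key)
    for i in range(block.num_addresses):
        yield block[perm.permute(i)]


if __name__ == "__main__":
    # Constructed demo over a documentation block, not a real scan target.
    for addr in list(randomized_addresses("192.0.2.0/28", b"example-key"))[:4]:
        print(addr)
```

Because the Feistel construction is a permutation of the whole power-of-two domain, cycle walking always terminates and the restriction to [0, n) stays a bijection; the test below checks that every index is produced exactly once and that unpermute() inverts permute().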

Packet Generation and Transmission

The packet generation module is divided into two parts: the SYN packet generation module and the payload packet generation module. The SYN packet generation module is responsible for constructing the SYN probe packet, and the payload generation module constructs the ACK packet, PSH-ACK packet or RST packet based on the result returned by the packet analyze module. The two modules do not interfere with each other, run in different threads, and hand the constructed packets to the packet transmission module, which sends them to the target.

To increase the scanning and packet rate, the packet transmission module takes a no-retransmission strategy by default (only one SYN probe packet is sent) and bypasses the kernel to send packets, which greatly improves scanning efficiency; even with a slower CPU it transmits packets at the maximum rate the hardware allows.

Packet Receipt and Validation and Packet Analyze

The packet receipt and validation module is responsible for receiving and verifying packets: it checks whether a packet is a reply to one sent by the scanner, filters out packets not related to the scan task, and then hands the packet to the packet analyze module for analysis. The packet analyze module is responsible for analyzing the type of the returned packet and locating the current step of identification. If the returned packet is a RST packet, the destination port is not open and the packet is discarded directly. If the returned packet is a SYN-ACK packet, the destination port is open, and the packet is analyzed to obtain the target IP, target port and other information. The results of the analysis are then sent to the payload packet generation module to generate ACK and PSH-ACK packets, which are sent to the target. If the returned packet is a PSH-ACK packet, we have obtained the target device information.

Some industrial protocols, such as S7 and BACnet, may require multiple data exchanges to obtain device information. ICSMap creates a hash table and records the current progress of the communication: if the communication is complete, the packet is sent to the result processing module; otherwise the result is sent to the payload packet generation module to generate the next communication packet and send it to the target.
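The validation and analysis logic of the packet generation, receipt/validation and analyze modules described above, as an added Python example that is not the paper's code: it classifies constructed reply descriptors by their TCP flags, validates a SYN-ACK against a sequence number derived from the target with a keyed hash (a ZMap-style scheme assumed here, since the paper only says replies are checked to be the scanner's own), and keeps a per-target hash table of progress for protocols that need several exchanges. The PROBE_STEPS counts, the action strings and the 192.0.2.0/24 documentation addresses are constructed for the example; no packets are sent.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits as they appear in the header's flags byte.
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10

# Hypothetical table: how many request/response exchanges each protocol needs
# before the device information is complete. The paper says S7 and BACnet need
# more than one; the exact counts here are assumptions for the example.
PROBE_STEPS = {"modbus": 1, "bacnet": 2, "s7": 3}


@dataclass
class Packet:
    """Minimal descriptor of a received TCP segment, constructed for this example."""
    src: str
    sport: int
    flags: int
    ack: int
    payload: bytes = b""


def probe_seq(key: bytes, dst: str, dport: int) -> int:
    """Sequence number used in the SYN sent to (dst, dport). Deriving it from the
    target with a keyed hash lets a reply be validated (ack == seq + 1) without
    remembering the SYN. This ZMap-style scheme is an assumption here."""
    mac = hmac.new(key, f"{dst}:{dport}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class ResponseAnalyzer:
    """Validation plus analysis: classifies replies and keeps a per-target table
    of progress for protocols that need several exchanges."""

    def __init__(self, key: bytes, protocol: str) -> None:
        self.key = key
        self.steps_needed = PROBE_STEPS[protocol]
        self.progress: Dict[Tuple[str, int], int] = {}          # the hash table
        self.partial: Dict[Tuple[str, int], List[bytes]] = {}   # payloads so far
        self.results: Dict[Tuple[str, int], List[bytes]] = {}   # completed targets

    def is_reply_to_our_syn(self, pkt: Packet) -> bool:
        expected = (probe_seq(self.key, pkt.src, pkt.sport) + 1) & 0xFFFFFFFF
        return pkt.ack == expected

    def analyze(self, pkt: Packet) -> str:
        """Return the action the payload generation module should take next."""
        target = (pkt.src, pkt.sport)
        if pkt.flags & RST:
            self.progress.pop(target, None)
            self.partial.pop(target, None)
            return "closed"
        if pkt.flags & SYN and pkt.flags & ACK:
            if not self.is_reply_to_our_syn(pkt):
                return "ignored"          # unsolicited or spoofed SYN-ACK
            self.progress[target] = 0
            self.partial[target] = []
            return "open:send-ack-and-probe-1"
        if pkt.flags & PSH and pkt.flags & ACK and pkt.payload:
            if target not in self.progress:
                return "ignored"          # data from a session we never opened
            self.partial[target].append(pkt.payload)
            self.progress[target] += 1
            if self.progress[target] >= self.steps_needed:
                self.results[target] = self.partial.pop(target)
                del self.progress[target]
                return "complete:send-rst"
            return f"continue:send-probe-{self.progress[target] + 1}"
        return "ignored"


def run_demo(key: bytes = b"example-key") -> Dict[str, List[str]]:
    """Feed constructed replies (documentation addresses, not real hosts)
    through analyzers for a one-step and a multi-step protocol."""
    modbus = ResponseAnalyzer(key, "modbus")
    good_ack = (probe_seq(key, "192.0.2.10", 502) + 1) & 0xFFFFFFFF
    modbus_actions = [
        modbus.analyze(Packet("192.0.2.10", 502, SYN | ACK, good_ack)),
        modbus.analyze(Packet("192.0.2.10", 502, PSH | ACK, good_ack + 1, b"\x00\x01\x00\x00")),
        modbus.analyze(Packet("192.0.2.11", 502, RST | ACK, 1)),      # closed port
        modbus.analyze(Packet("192.0.2.12", 502, SYN | ACK, 1)),      # wrong ack: not ours
    ]
    s7 = ResponseAnalyzer(key, "s7")
    s7_ack = (probe_seq(key, "192.0.2.20", 102) + 1) & 0xFFFFFFFF
    s7_actions = [s7.analyze(Packet("192.0.2.20", 102, SYN | ACK, s7_ack))]
    for _ in range(3):
        s7_actions.append(s7.analyze(Packet("192.0.2.20", 102, PSH | ACK, s7_ack + 1, b"\x03\x00")))
    return {"modbus": modbus_actions, "s7": s7_actions}
```

The scanner stays stateless until a port actually answers: only validated SYN-ACKs create an entry in the progress table, which is why unsolicited data and SYN-ACKs with the wrong acknowledgement number are dropped rather than tracked.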

EVALUATION

We currently support the scanning protocol and the corresponding port number as shown in Table 1.


protocol takes about 24 hours, but it may take days or even weeks using Nmap. So the improvement in ICSMap's scanning speed is very obvious.

We have compiled some statistics on the results of the scan, from which the number and worldwide distribution of industrial equipment using these protocols that is exposed to the public network can be seen.

Figure 3 shows the number of industrial protocols exposed to the public network.

TABLE 1. INDUSTRIAL CONTROL PROTOCOL AND THE CORRESPONDING PORT NUMBER.

Protocol              Port
EtherNet/IP           44818
Modbus                502
DNP3                  20000
BACnet                47808
S7                    102
Tridium Niagara Fox   1911
IEC 60870-5-104       2404
OMRON FINS            9600
PCWorx                1962
ProConOs              20547

Figure 2. Evaluation result. (a) The number of industrial protocols exposed to the public network. (b) Tridium Niagara Fox protocol global distribution (top 10). (c) BACnet protocol global distribution (top 10). [Bar charts omitted.]



Figure 2 shows some evaluation results. As can be seen from Figure 2(a), the industrial equipment most exposed to the public network is equipment using the Tridium Niagara Fox protocol, followed by equipment using the BACnet protocol and equipment using the Modbus protocol. The statistical chart shows that the number of devices exposed to the public network worldwide is still large.

Figure 2(b), Figure 2(c) and Figure 2(d) show the worldwide distribution of the Tridium Niagara Fox protocol, the BACnet protocol and the Modbus protocol, respectively.

Figure 2(b), Figure 2(c) and Figure 2(d) show that although the United States is one of the most developed countries in the world, it is also the country with the largest number of industrial control devices exposed to the public network, and that number is huge. These industrial control protocols are related to national functions such as construction, infrastructure management, telecommunications facilities management, security systems, the smart grid, HVAC equipment, building control systems and so on. If these devices are attacked by hackers, national security will be seriously affected.

Compared with the ZMap + Nmap scanning method, as shown in Figure 3, the scanning efficiency of ICSMap is significantly improved. Combined with Figure 2(a), it is observed that the efficiency of the ZMap + Nmap scan mode is proportional to the number of industrial control devices scanned, whereas the scanning efficiency of ICSMap is relatively stable. The two scanning speeds are close to each other when very few industrial control systems are scanned, because both use stateless connections for port scanning; but ICSMap does not need to re-run the TCP three-way handshake, so its scanning speed is improved and remains relatively stable, unchanged by the number of industrial control systems scanned.

ACKNOWLEDGMENTS


Figure 3. Compare with Zmap + Nmap scanning efficiency.


REFERENCES

1. Langner R. Stuxnet: Dissecting a cyberwarfare weapon [J]. IEEE Security & Privacy, 2011, 9(3): 49-51.

2. Falliere N., O Murchu L., Chien E. W32.Stuxnet dossier [R]. White paper, Symantec Corp., Security Response, 2011, 5: 6.

3. Stouffer K., Falco J., Scarfone K. Guide to industrial control systems (ICS) security [S]. NIST Special Publication 800-82, 2011.

4. Bodenheim R.C. Impact of the Shodan computer search engine on internet-facing industrial control system devices [R]. Air Force Institute of Technology, Wright-Patterson AFB, OH, Graduate School of Engineering and Management, 2014.

5. Post T.W. Cyber search engine Shodan exposes industrial control systems to new risks [J]. Foreign Affairs, 2012.

6. Bodenheim R., Butts J., Dunlap S., et al. Evaluation of the ability of the Shodan search engine to identify Internet-facing industrial control devices [J]. International Journal of Critical Infrastructure Protection, 2014, 7(2): 114-123.

7. Leonard D., Loguinov D. Demystifying service discovery: implementing an internet-wide scanner [C]// ACM SIGCOMM Conference on Internet Measurement. ACM, 2010: 109-122.

8. Bartlett G., Heidemann J., Papadopoulos C. Understanding passive and active service discovery [C]// ACM SIGCOMM Conference on Internet Measurement 2007, San Diego, California, USA, October. DBLP, 2007: 57-70.

9. Stevens W.R., Wright G.R. TCP/IP Illustrated (vol. 2): The Implementation [M]. 1995.

10. Stevens W.R. TCP/IP Illustrated: The Implementation [M]. Addison-Wesley Professional, 1995.

11. Lyon G.F. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning [M]. Insecure, 2009.

12. Adrian D., Durumeric Z., Singh G., et al. Zippier ZMap: Internet-wide scanning at 10 Gbps [C]// WOOT. 2014.

13. Durumeric Z., Bailey M., Halderman J.A. An Internet-wide view of Internet-wide scanning [C]// USENIX Security. 2014: 65-78.
