Date of Award
6-19-2014
Document Type
Thesis
Degree Name
Master of Science
Department
Department of Electrical and Computer Engineering
First Advisor
Jonathan W. Butts, PhD.
Abstract
The Shodan search engine reveals Industrial Control System (ICS) devices around the globe are directly connected to the Internet. After Shodan's inception in 2009, multiple news reports have focused on the increased threat to infrastructure posed by Shodan. While no attacks to date have been directly attributed to Shodan searches, its existence provides an anonymous reconnaissance platform that facilitates ICS targeting for those actors with both a desire and capability to carry out attacks. Recent research has demonstrated that simple search queries return thousands of ICS devices indexed by Shodan, and the number of newly indexed ICS devices is growing. This research discusses the method used to distinguish the Internet-facing ICS devices indexed by the Shodan search engine. PLC code is obtained by sending specifically crafted CIP request messages to the devices, capitalizing on the fact that authentication is not built in to the CIP application layer protocol. This data allows categorization of Internet-facing devices by comparing PLC code attributes. The results of this research show PLC code can be collected from Internet-facing ICS devices with no significant impact to task execution times. Also, this research demonstrates a method to distinguish Internet-facing ICS devices by function and by Critical Infrastructure sector. This capability develops an understanding of the function and purpose of ICS devices that are being connected to the Internet.
AFIT Designator
AFIT-ENG-T-14-J-41
DTIC Accession Number
ADA602989
Recommended Citation
Williams, Paul M., "Distinguishing Internet-facing ICS devices using PLC programming information" (2014). Theses and Dissertations. 524.
https://scholar.afit.edu/etd/524