White paper on the industrial control network security situation in 2018 (part 2)

Posted by deaguero at 2020-03-29

Building on its long-standing strengths in security research, the "Ditecting" ("listen") network security team of Northeastern University designed and implemented a search engine for industrial control devices in cyberspace. Drawing on the security data collected by Ditecting, the team wrote and published this white paper on the industrial control network security situation in 2018. Through the report, readers can learn about the typical situation in 2018. The report's analysis of industrial control security standards, regulations and typical industrial control security events, together with its explanation and analysis of industrial control system vulnerabilities, attacks on industrial control systems and networked industrial control devices, helps readers fully understand the current state of industrial control system security, perceive the security situation from multiple directions, and provides a reference for researchers working on industrial control security.


All rights to this report are reserved by the Ditecting network security team of Northeastern University, which also holds the right of final interpretation and modification of this statement.

Without the consent of the Ditecting network security team of Northeastern University, no one may copy, excerpt, back up, modify, disseminate, translate into other languages or use all or part of this report for commercial purposes in any form.

This document is based on the information currently available and is subject to change without notice.

The Ditecting network security team of Northeastern University has done its best to ensure the accuracy and reliability of this document's content, but omissions, inaccuracies or errors are inevitable. Criticism and corrections are welcome.

If you have any comments or suggestions, please send them to:

Email: [email protected]

Official website:

WeChat official account: Ditecting

Part 2

5. Distribution of networked industrial control equipment

The Ditecting search engine for industrial control devices in cyberspace supports fingerprint identification of 26 protocols. Figure 5-1 shows the industrial control protocols identified by the Ditecting network security team and the number of IP addresses observed for each in 2018. For details of these protocols, refer to the white paper on industrial control network security situation analysis previously released by the Ditecting team, or log in to the search engine to view them; they are not covered again here.

Figure 5-1 Protocols supported by the Ditecting search engine for industrial control devices in cyberspace

The data published on the Ditecting official website is historical data from before 2017. If you need the latest data, please contact the Ditecting network security team of Northeastern University directly. The internal data collected by the Ditecting search engine was analyzed by the team to produce the visualizations shown in Figures 5-2, 5-3 and 5-4, which are briefly described below.

Figure 5-2 Global view of exposed industrial control devices as seen by Ditecting

Figure 5-2 analyzes the exposure of industrial control devices from a global perspective (demo display), and Figure 5-3 shows the top 10 countries by number of exposed industrial control devices. Because the Ditecting team added several protocol parsers in 2018 and improved its deep-interaction and honeypot-recognition capabilities for quick-scan results, the country ranking has changed considerably compared with previous years.

Figure 5-3 Top 10 countries by number of exposed industrial control devices

Globally, the United States, the most developed industrialized country in the world, still has the largest number of exposed industrial control devices. Brazil, whose industrial output has grown rapidly in recent years, is in second place. South Korea, with its electronics, semiconductor and other industries, is third, followed by South Africa and France. China ranks sixth in the world. The following sections focus on the exposure of industrial control devices in China, the United States, Brazil and South Africa.

1. Exposure of domestic industrial control devices

China ranks sixth in the world in the number of exposed industrial control devices. Industry has gradually become an important pillar of China's economy. After decades of development, China has basically established an industrial system with a relatively complete range of sectors, in which contract manufacturing is the main body and the information and electronics industries among high-tech industries, and steel, petroleum and textiles among manufacturing industries, are the pillars. The security risks faced by its industrial control systems deserve sufficient attention.

Figure 5-4 Proportion of exposed industrial control protocols in China

As Figure 5-5 shows, Taiwan has the largest number of exposed industrial control devices in China. Industry is an important pillar of Taiwan's economy. After decades of development, Taiwan has basically established an industrial system with a relatively complete range of sectors, in which contract manufacturing is the main body and the information and electronics industries among high-tech industries, and steel, petroleum and textiles among manufacturing industries, are the pillars. Its industrial control systems therefore face greater security risks.

In recent years, Hong Kong has vigorously promoted industrial development under the banner of "re-industrialization", and it ranks second in China in the number of exposed industrial control devices. From establishing the "Smart Manufacturing Technology Exhibition Center" and the "Smart Industry Alliance" to creating "knowledge creation spaces" and launching an "Industry 4.0 pilot project", Hong Kong has sought to help manufacturing enterprises transform and upgrade, promoted the diversification of its industries, and seen its manufacturing industry flourish in recent years.

Figure 5-5 Number of exposed industrial control devices by region of China

Guangdong Province has the largest number of exposed industrial control devices in mainland China. Guangdong focuses mainly on manufacturing, makes full use of its proximity to Hong Kong and Macao, deepens regional cooperation in advanced manufacturing, and has an industrial system covering food, textiles, machinery, household appliances, automobiles, medicine, building materials and metallurgy. Equipment manufacturing and automobile manufacturing, the pillar industries of Guangdong Province, have developed steadily and rapidly. At the same time, Guangdong encourages traditional manufacturing enterprises to accelerate intelligent transformation, and industries such as smartphones and home appliances are at a leading level. Guangdong is a core area of economic development but faces great security risks, so strengthening security services in this area is urgent.

Beijing is taking the road of new industrialization and accelerating the formation of a new industrial structure with high-tech and modern manufacturing industries as the main body, optimized and transformed traditional industries as the foundation, and urban industry as an important supplement. Its industrial structure has improved significantly, moving from traditional heavy industry to modern manufacturing dominated by automobiles and electronics. In the key fields of software, integrated circuits, computers and networks, communications, biomedicine, energy and environmental protection, a domestically leading industrial cluster has formed. Beijing is the second most exposed area for industrial control devices in mainland China.

The number of exposed devices in the Yangtze River Delta is second only to Beijing. The Yangtze River Delta (Jiangsu, Zhejiang and Shanghai) is the most developed region in China, with the most complete industrial supporting facilities and the strongest overall competitiveness. With the continued acceleration of industrialization, the proportions of the three major industries in the Yangtze River Delta have been further optimized. Shanghai gives priority to developing modern services and advanced manufacturing; Zhejiang is seizing the opportunity of industrial restructuring, focusing on improving the competitiveness of its advanced manufacturing industry and accelerating the transfer of international industries; Jiangsu is enhancing its capacity for independent development by building modern manufacturing, adhering to informatization-driven industrialization, promoting the rapid development of information technology and the information industry, and promoting the adoption of information technology across industries and fields. At the same time, Jiangsu also needs to build a modern international manufacturing base that takes on international industries selectively and from a high starting point.

As the cradle of China's industry, Liaoning, Jilin and Heilongjiang provinces were once the locomotive of China's economy. Northeast China is one of the country's most important industrial bases and plays an important role in building a harmonious socialist society. It has formed a complete industrial system with iron and steel, machinery, petroleum and chemicals at its core. In addition to the original Shenyang-Fushun-Anshan-Benxi heavy industry zone, there are the large-scale tourism industrial zone dominated by machinery and chemicals, the Liaoxi corridor industrial zone dominated by coal and chemicals, the Changchun-Jilin central industrial zone dominated by machinery, chemicals and paper, the Harbin-Daqing-Qiqihar industrial zone dominated by electrical machinery, petroleum and machinery, and the western Heilongjiang industrial zone dominated by coal and forestry. The northeast is also China's main military industrial base. Because the military industry is tied to a country's security lifeline, it is more likely to become a primary target of attack.

2. Exposure of international industrial control devices

The exposure of industrial control devices internationally is briefly introduced for the United States, Brazil and South Africa. As the most developed industrialized country in the world, the United States has the most exposed industrial control devices. U.S. enterprises, government and research institutions jointly lead the development of global network information technology and industry: IT giants such as Intel, IBM, Qualcomm, Cisco, Apple, Microsoft, Oracle and Google control the backbone of the global network information industry chain, and the country also holds a clear first-mover advantage in key technology areas such as semiconductors (integrated circuits), communication networks, operating systems, office systems, databases, search engines, cloud computing and big data. In the new era of the Internet, industrialization meets informatization. The United States advocates the "Industrial Internet", which connects intelligent devices, people and data, networks internal and external services through the Internet, and uses the exchanged data intelligently to form an open, global industrial network. Under the leadership of the manufacturing giant General Electric, five leading U.S. enterprises jointly formed the Industrial Internet Consortium (IIC), which promotes the Industrial Internet and the deep integration of informatization and industrialization.

Figure 5-6 Proportion of exposed industrial control protocols in the United States

At the same time, the U.S. cyberspace military force is strong and capable of controlling operations in global cyberspace. The United States has been developing network surveillance and offensive and defensive forces on a large scale; while continuously improving its national network capabilities, it also monitors the network activities of other countries and collects intelligence. After Snowden exposed the PRISM program, the United States did not relax its build-up of military forces in cyberspace at all. For this reason, the United States has also become a target of criticism and frequently suffers cyber attacks by organized criminal groups or at the national level. According to U.S. media reports, hacker groups backed by Iran have been carrying out network attacks on U.S. energy, finance, water, power and other industries, and have succeeded in obtaining control-system software privileges at U.S. enterprises sufficient to damage oil and gas pipeline equipment.

Brazil ranks second in exposed industrial control devices. Brazil's economy is highly developed and the largest in Latin America. Brazil established a relatively complete industrial system in the 1970s, with major industrial sectors including steel, automobiles, shipbuilding, petroleum, cement, chemicals, metallurgy, electricity, textiles and construction; its nuclear power, communications, electronics, aircraft manufacturing and military industries have reached the ranks of the world's advanced countries. After the Second World War, in order to change its single-product economic structure, the Brazilian government accelerated the pace of industrialization. Brazil's iron ore reserves are large and of excellent quality, and its output and export volume are among the highest in the world. In modern industry, iron and steel, shipbuilding, automobile and aircraft manufacturing have leapt into the ranks of the world's major producers. Brazil is the largest steel producer in South America and the sixth largest in the world; its steel exports reach 12 million tons, accounting for 54% of the country's total steel output. It is also the largest automobile manufacturer in Latin America and the ninth largest in the world.

Figure 5-7 Proportion of exposed industrial control protocols in Brazil

As shown in Figure 5-8, the number of exposed industrial control devices in Sao Paulo stands out. Sao Paulo is the largest city and the largest industrial center in Brazil, with more than 3,000 large industrial enterprises and more than 2 million workers; its overall industrial strength ranks first among South American cities. The state of Sao Paulo is rich in cotton, rice and coffee, so the industry of Sao Paulo, the state capital, was initially dominated by the traditional industries of cotton spinning, grain processing and coffee processing. Later, metallurgy, machinery, automobiles, electric power, food, cement, chemicals, rubber, tobacco, paper and other industries gradually developed. The main reasons these industries could develop vigorously were the abundant hydropower resources near the city and the fact that most industrial raw materials could be obtained from the state of Sao Paulo and the surrounding areas. In the past 20 to 30 years, Sao Paulo has also built Brazil's electronics industry center, its automobile industry base and the country's largest refinery. This again shows that the more important an area is to economic development and the more prosperous its industry, the more industrial control systems it exposes.

Figure 5-8 Number of exposed industrial control devices by region of Brazil

South Africa is the most developed country in Africa, with a high level of economic development, good infrastructure and rich resources; its gross domestic product and foreign trade rank first in Africa. South Africa has the most advanced transportation, power, communications and other industrial infrastructure on the continent. Manufacturing, construction, energy and mining are its four major industries, with main products including steel, metal products, chemicals, transportation equipment, machinery, processed food, textiles and clothing. The steel industry is the pillar of South Africa's manufacturing, with six major integrated iron and steel companies and more than 130 steel enterprises. South Africa has become the world's largest producer and exporter of gold, and its electricity generation accounts for 60% of Africa's. Figure 5-9 shows that IEC 60870-5-104, the communication standard for automation systems in the electric power industry, is the most exposed protocol, which also reflects the strength of South Africa's power and transportation infrastructure.

Figure 5-9 Proportion of exposed industrial control protocols in South Africa

Figures 5-4, 5-6, 5-7 and 5-9 show that, among the countries with large numbers of exposed industrial control devices (China, the United States, South Africa and Brazil), Tridium Niagara Fox is the most common service. This is because of its "Niagara Framework", which can integrate and connect various intelligent devices and systems regardless of their manufacturers and protocols into a unified platform, creating value for customers and winning favor with most customers worldwide.

The Modbus protocol also accounts for a high proportion of industrial control services. Modbus now belongs to Schneider Electric. It was the first true bus protocol used in industrial fields worldwide. Because it is published without royalty requirements, deploying it on industrial networks is relatively easy, and suppliers face few restrictions on modifying Modbus's native bits or bytes, which has led to its wide use around the world.

IEC 60870-5-104, often used in the electric power industry, also accounts for a high proportion (especially in South Africa). IEC 60870-5-104 is a specification formulated by the International Electrotechnical Commission to guide the development of power system dispatching automation and to regulate the technical performance of dispatching automation and telecontrol equipment. IEC 60870-5-104 can also be used in the transportation industry: using the IEC 104 protocol to realize integrated communication between substations and the MAN-based integrated monitoring system in urban rail transit is a very good approach. It not only ensures the openness of the power monitoring system, but also meets the real-time and reliability requirements of urban rail transit for the transmission of power monitoring information, and the advantages of standardization bring convenience to development.

Other industrial control services such as Omron FINS and the building-automation protocol BACnet are also in use, but in relatively small proportions. When these protocols were first designed, many of them ignored confidentiality and authentication in order to preserve the real-time performance of industrial control communication. However, as industrial control systems have become closely tied to information networks, the traditional assumption of physical isolation between the industrial intranet and the Internet no longer holds, yet almost all fieldbus protocols still communicate in cleartext. In recent years, many new attack methods against industrial control networks have appeared, such as PLC-Blaster, a worm that researchers successfully tested in the laboratory. It can spread from one PLC to another without a PC or server and was designed for Siemens S7 series PLCs. This shows that the more widely a protocol is used, the more its data transmission needs to be secured.
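To make the cleartext point concrete, the following added example (not code from the report or the Ditecting team) parses Modbus/TCP requests from a constructed sample capture and flags write requests from hosts outside an allow-list; every field, including the unit id, function code and target address, is readable straight from the wire, and the protocol carries no authentication field that a monitor could check. The frames, IP addresses and allow-list are constructed for illustration.

```python
import struct

# Modbus/TCP function codes that change controller state (write requests).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    Every field is readable directly from the wire bytes; the protocol has no
    authentication field at all, which is what this parser illustrates.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func, data = frame[7], frame[8:]
    rec = {"transaction_id": tid, "unit_id": unit, "function": func,
           "name": WRITE_FUNCTIONS.get(func) or READ_FUNCTIONS.get(func, "other"),
           "is_write": func in WRITE_FUNCTIONS}
    if func in (1, 2, 3, 4, 5, 6) and len(data) == 4:
        # reads carry start address + quantity; single writes carry address + value
        addr, second = struct.unpack(">HH", data)
        rec["address"] = addr
        rec["value" if rec["is_write"] else "quantity"] = second
    elif func in (15, 16) and len(data) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        if len(data) != 5 + nbytes:
            raise ValueError("byte count does not match payload length")
        rec.update(address=addr, quantity=qty, payload=data[5:])
    return rec


def flag_unexpected_writes(frames, allowed_writers):
    """frames: iterable of (source_ip, raw_frame). Returns one alert per write
    request whose source is not in the allow-list of known HMI/SCADA hosts,
    plus one alert per malformed frame."""
    alerts = []
    for src, raw in frames:
        try:
            rec = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append({"src": src, "reason": f"malformed: {exc}"})
            continue
        if rec["is_write"] and src not in allowed_writers:
            alerts.append({"src": src, "unit_id": rec["unit_id"],
                           "reason": f"{rec['name']} at address {rec['address']} from unknown host"})
    return alerts


# Constructed sample capture (not real traffic): (source IP, Modbus/TCP request bytes)
SAMPLE_FRAMES = [
    # known HMI reads 10 holding registers starting at address 0
    ("10.0.0.5", bytes.fromhex("000200000006" "01" "03" "0000" "000a")),
    # known HMI writes two registers starting at address 16
    ("10.0.0.5", bytes.fromhex("00030000000b" "01" "10" "0010" "0002" "04" "0001" "0002")),
    # unknown host sets coil 10 to ON (0xFF00); the monitor sees this in cleartext
    ("10.0.0.99", bytes.fromhex("000100000006" "01" "05" "000a" "ff00")),
]
ALLOWED_WRITERS = {"10.0.0.5"}  # constructed allow-list of hosts permitted to write

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(alert)
```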

The statistics and analysis above show that the more important an area is to economic development, the more industrial control systems it exposes and the more easily it becomes a primary target of attack. At the same time, the team found that some industrial control systems exposed on the Internet have already been abused, which deserves close attention.

3. Correlation analysis of industrial control IP addresses and threat intelligence

We correlated the industrial control IP addresses exposed on the Internet with threat intelligence crawled from the Internet (from sites such as Xisi), including a proxy IP database (about 1.33 million entries), a Tor (onion routing) IP database (about 250,000), a malicious IP database (about 4.8 million) and a botnet node IP database (about 1.13 million). We compared the industrial control IP addresses with the IP addresses in these databases, calculated the distribution of networks adjacent to the industrial control asset IP addresses, and compiled statistics for IP network number differences of ≤±2, ≤±4, ≤±8, ≤±16 and ≤±32, with the following results.

Figure 5-10 Correlation analysis of industrial control IP addresses and threat intelligence

The results show that industrial control IP addresses are closely related to Tor IP addresses and have many connections with botnet node, proxy and malicious IP addresses. The industrial control IP addresses that correlate closely with threat intelligence are likely to have been used in malicious attacks and deserve close attention.
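The adjacency statistic described above can be reproduced on any asset list and threat feed; the following added example (not the report's code or data) computes, for each feed, how many industrial control addresses have an exact match and how many fall within the cumulative ±2, ±4, ±8, ±16 and ±32 buckets. It assumes "network number difference" means the difference between the 32-bit integer values of the addresses; the asset list and feeds are constructed from documentation ranges.

```python
import bisect
import ipaddress

# Cumulative adjacency thresholds used in the report (difference <= +/-N)
THRESHOLDS = (2, 4, 8, 16, 32)


def to_int(ip: str) -> int:
    """IPv4/IPv6 address string to its integer value (assumed distance metric)."""
    return int(ipaddress.ip_address(ip))


def nearest_distance(ip_int, sorted_feed):
    """Smallest absolute difference between ip_int and any address in the sorted feed,
    or None for an empty feed. Binary search keeps this O(log n) per lookup."""
    if not sorted_feed:
        return None
    i = bisect.bisect_left(sorted_feed, ip_int)
    # only the neighbours on either side of the insertion point can be nearest
    candidates = [sorted_feed[j] for j in (i - 1, i) if 0 <= j < len(sorted_feed)]
    return min(abs(c - ip_int) for c in candidates)


def adjacency_distribution(ics_ips, feed_ips, thresholds=THRESHOLDS):
    """Return (exact_matches, {threshold: count}); count is the number of ICS
    addresses whose nearest feed address lies within +/-threshold (cumulative)."""
    feed = sorted({to_int(ip) for ip in feed_ips})
    exact = 0
    counts = {t: 0 for t in thresholds}
    for ip in ics_ips:
        d = nearest_distance(to_int(ip), feed)
        if d is None:
            continue
        if d == 0:
            exact += 1
        for t in thresholds:
            if d <= t:
                counts[t] += 1
    return exact, counts


def correlate_all(ics_ips, feeds):
    """Run the adjacency statistic against every named threat feed."""
    return {name: adjacency_distribution(ics_ips, ips) for name, ips in feeds.items()}


# Constructed sample data (documentation ranges, not the report's data sets)
ICS_IPS = ["203.0.113.10", "203.0.113.50", "198.51.100.7", "192.0.2.200"]
THREAT_FEEDS = {
    "tor": ["203.0.113.12", "203.0.113.80", "198.51.100.7"],
    "botnet": ["192.0.2.196", "203.0.113.250"],
}

if __name__ == "__main__":
    for name, (exact, counts) in correlate_all(ICS_IPS, THREAT_FEEDS).items():
        print(name, "exact:", exact, "within:", counts)
```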

6. Attack analysis of industrial control systems

In recent years, viruses, Trojans and other attacks on industrial control systems have increased dramatically. They can cause the failure of an entire control system or even serious safety accidents, with severe consequences for personnel, equipment and the environment. The Ditecting team of Northeastern University has developed the industrial control security honeypot "Ditecting Left Ear", which simulates a variety of industrial control protocols and devices and comprehensively captures attackers' access traffic. Through correlation analysis of honeypot data and threat intelligence, intrusions against industrial control networks can be detected effectively and analyzed further, providing data support for early warning and prediction of network security events and effectively protecting industrial control network systems.

At present, the Ditecting honeypot supports 8 protocols. Based on data collected by honeypots that have been running for more than a year, correlation analysis produced the visualizations shown in Figures 6-1, 6-2 and 6-3, briefly described below. Figure 6-1 shows a multi-dimensional visual analysis (demo) of the attacker data captured by the Ditecting honeypot.

Figure 6-1 Threat IP visualization

Figure 6-2 shows the proportion of attacks per protocol. The S7 communication protocol is the integrated internal communication protocol of Siemens S7 series PLCs. DNP3.0 is a distributed network protocol commonly used in power and water plants. Omron FINS and Modbus are widely used in industrial automation. These protocols have therefore attracted the attention of security researchers, and more traffic targeting them has been intercepted.

Figure 6-2 Proportion of attack volume by protocol (data source: Ditecting)

Figure 6-3 Ranking of attacking IP addresses by country (data source: Ditecting)

The data collected by multiple honeypots was analyzed by IP address. Figure 6-3 visually shows the ranking of attacking IP addresses collected in 2018. At present, the Ditecting honeypot is mainly deployed on domestic addresses, so the attack traffic monitored from domestic IP addresses is the highest, with the United States and Germany ranked second and third. The team is conducting in-depth analysis and research on this data and will continue to release relevant research results.

7. Summary

With the State Council's guidance on deepening "Internet Plus advanced manufacturing", the development of China's industrial Internet faces new opportunities, but this also brings more severe challenges for the protection of industrial control. With the spread of the Internet and the rapid development and application of new technologies and businesses such as the industrial Internet, big data and digital factories, the complexity of industrial control system networks keeps increasing, the demand for information exchange between the internal systems and controlled systems of each production unit keeps growing, and the demand for industrial control system network security is growing rapidly. In recent years, with the emergence of high-risk security vulnerabilities in industrial control systems, the increasing exposure of industrial control systems and devices on the Internet, and the gradually decreasing difficulty of network attacks, the network security threats and risks to industrial control systems are increasing. The disclosure of details of industrial control system vulnerabilities and intrusion cases, the leak of the U.S. network "weapons arsenal", and active APT groups continue to pose new challenges to the security of industrial control systems in China. With the deep integration of industry and IT, IT/OT convergence brings security threats from the virtual world into the real world, especially for critical infrastructure; once attacked, the losses will be enormous.

Throughout 2018, all kinds of threat data continued to rise. Fortunately, government, industry, universities and the research community have become aware of the importance of industrial control system network security and are taking measures to strengthen early warning in order to prevent disasters. The promotion of the industrial Internet in China has received much attention at both the national policy level and the level of actual implementation by enterprises, and the same is true of information security for the industrial Internet. As policies such as "Internet Plus manufacturing" continue to be implemented, the industrial Internet will continue to accelerate, and the industrial security industry still has a long way to go.

Report data provided by: all members of the Ditecting network security team

Report data visualization: Jin baiche

Report data analysis: all members of the Ditecting network security team

Prepared by: Professor Yao Yu, Liu Siyu, An Hongna
