Omron FINS protocol global census report - Lighthouse Lab

Posted by lipsius at 2020-02-27

Omron is a well-known Japanese manufacturer of electronic and automatic control equipment. Its small PLCs, including the CJ, CM and other series, hold a high share of the domestic market. These PLCs support FINS, Host Link and other protocols for communication.

Omron PLC CPUs and Ethernet communication modules with Ethernet support generally support the FINS protocol, depending on the model; some modules also support EtherNet/IP. The Omron FINS protocol communicates over TCP/UDP port 9600, with FINS frames encapsulated in TCP or UDP. Note that the frame header differs between TCP mode and UDP mode; refer to Omron's official protocol documentation for how the specific protocol packets are constructed. As shown in the figure below, the 0501 command of the FINS command set can be used to request the current CPU information of the PLC; the NSE script implemented for nmap is shown in the figure below:
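To make the header difference concrete for anyone inspecting traffic on port 9600 (asset inventory, boundary monitoring, or validating a capture), here is an added Python example; it is not code from the original post, from the author's NSE script, or from Omron. It decodes a FINS frame carried directly in a UDP payload and the same frame carried in FINS/TCP, where a 16-byte transport header (the ASCII magic `FINS`, a length, a command word and an error code) precedes the 10-byte FINS header. It then extracts the controller model and version from a 0501 (controller data read) response. The field layouts follow Omron's FINS documentation as I recall it; the sample frames, model string and version string are constructed for this example and are not census data.

```python
"""Decode Omron FINS frames carried over UDP and over TCP (port 9600).

FINS/UDP: the payload starts directly with the 10-byte FINS header.
FINS/TCP: each frame is prefixed with a 16-byte transport header
          (b"FINS", length, command, error code) before the FINS header.
All sample frames below are constructed for this example.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

FINS_PORT = 9600
TCP_MAGIC = b"FINS"
TCP_CMD_FRAME_SEND = 2                   # FINS/TCP command word: "FINS frame send"
CMD_CONTROLLER_DATA_READ = (0x05, 0x01)  # MRC/SRC of the 0501 command


@dataclass
class FinsFrame:
    transport: str                        # "udp" or "tcp"
    is_response: bool
    dest: Tuple[int, int, int]            # (DNA, DA1, DA2)
    src: Tuple[int, int, int]             # (SNA, SA1, SA2)
    sid: int
    command: Tuple[int, int]              # (MRC, SRC)
    end_code: Optional[Tuple[int, int]]   # (MRES, SRES), responses only
    data: bytes


def parse_fins_header(buf: bytes, transport: str) -> FinsFrame:
    """Parse the 10-byte FINS header, the 2-byte command code and, for responses, the end code."""
    if len(buf) < 12:
        raise ValueError("FINS frame too short")
    icf, _rsv, _gct, dna, da1, da2, sna, sa1, sa2, sid = struct.unpack("!10B", buf[:10])
    is_response = bool(icf & 0x40)        # ICF bit 6: 0 = command, 1 = response
    mrc, src = buf[10], buf[11]
    body = buf[12:]
    end_code = None
    if is_response:
        if len(body) < 2:
            raise ValueError("FINS response missing end code")
        end_code = (body[0], body[1])
        body = body[2:]
    return FinsFrame(transport, is_response, (dna, da1, da2), (sna, sa1, sa2),
                     sid, (mrc, src), end_code, body)


def parse_udp(payload: bytes) -> FinsFrame:
    return parse_fins_header(payload, "udp")


def parse_tcp(payload: bytes) -> FinsFrame:
    """Strip and validate the FINS/TCP transport header, then parse the FINS frame inside."""
    if len(payload) < 16 or payload[:4] != TCP_MAGIC:
        raise ValueError("not a FINS/TCP frame")
    length, command, error = struct.unpack("!III", payload[4:16])
    # The length field counts everything after itself: command + error code + FINS frame.
    if length != len(payload) - 8:
        raise ValueError(f"FINS/TCP length mismatch: header says {length}, got {len(payload) - 8}")
    if command != TCP_CMD_FRAME_SEND:
        raise ValueError(f"unexpected FINS/TCP command {command}")
    if error != 0:
        raise ValueError(f"FINS/TCP error code {error:#x}")
    return parse_fins_header(payload[16:], "tcp")


def controller_info(frame: FinsFrame) -> dict:
    """Extract model and version from a 0501 (controller data read) response."""
    if frame.command != CMD_CONTROLLER_DATA_READ or not frame.is_response:
        raise ValueError("not a 0501 response")
    if frame.end_code != (0, 0):
        raise ValueError(f"PLC returned end code {frame.end_code}")
    if len(frame.data) < 40:
        raise ValueError("controller data truncated")
    model = frame.data[:20].decode("ascii", "replace").rstrip()     # 20-byte model, space padded
    version = frame.data[20:40].decode("ascii", "replace").rstrip()  # 20-byte version, space padded
    return {"model": model, "version": version, "transport": frame.transport}


# --- constructed sample frames (not captured from any real device) -----------
def build_fins_header(icf, dna, da1, da2, sna, sa1, sa2, sid) -> bytes:
    return bytes([icf, 0x00, 0x02, dna, da1, da2, sna, sa1, sa2, sid])


# Placeholder model/version strings, followed by 40 bytes of zeroed system data.
SAMPLE_DATA = b"CJ2M-CPU11".ljust(20) + b"02.00".ljust(20) + bytes(40)
# ICF 0xC0 = gateway bit + response bit; command 05 01; end code 00 00.
SAMPLE_UDP_RESPONSE = (build_fins_header(0xC0, 0, 10, 0, 0, 1, 0, 0x01)
                       + b"\x05\x01" + b"\x00\x00" + SAMPLE_DATA)


def wrap_tcp(fins_frame: bytes) -> bytes:
    """Prefix a FINS frame with the 16-byte FINS/TCP transport header."""
    return TCP_MAGIC + struct.pack("!III", 8 + len(fins_frame), TCP_CMD_FRAME_SEND, 0) + fins_frame


SAMPLE_TCP_RESPONSE = wrap_tcp(SAMPLE_UDP_RESPONSE)

if __name__ == "__main__":
    for parser, pkt in ((parse_udp, SAMPLE_UDP_RESPONSE), (parse_tcp, SAMPLE_TCP_RESPONSE)):
        print(controller_info(parser(pkt)))
```

The same FINS bytes decode identically from both paths; only `parse_tcp` has to check the magic, the length and the command word first, which is exactly the header difference the post points to. A monitoring rule that matches port 9600 alone will therefore see two different byte layouts depending on the transport.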

The first scan for the Omron FINS protocol was completed on January 30, covering the entire IPv4 address space. In the first round, 923 Omron PLCs of various models were found connected to the public Internet.

The graphical statistical distribution is as follows:

1. Omron is Japan's leading automatic control equipment manufacturer, yet the number of exposed devices in Japan is not large in the data obtained. I wonder whether there are deeper reasons behind this?

2. It is also worth mentioning that once this type of PLC's communication port is exposed to the public network, all functions of the PLC can be operated directly through the protocol, software and so on (if no access-level password has been set). If the PLC needs to communicate remotely across regions, then when configuring port mapping on the router it is recommended to also set an access password on the PLC, or to add filtering based on trusted source addresses in the firewall, to reduce the security risk of Internet exposure.

3. The scanner used in this blog for statistics and research on the security risk situation of industrial control equipment has a reverse DNS record set up. The domain name is Please keep following for more industrial control equipment statistical reports, or get in touch with me to discuss.
