Updated: Dec 28, 2022
Welcome back, my aspiring SCADA Security Engineer!
As you know, SCADA/ICS systems around the world are under attack. These industrial control systems make up the infrastructure of any nation's economy and are prime targets in any cyberwar. In such a war, these systems can be easily found via a variety of tools such as:
In this tutorial I will demonstrate another excellent source for scouring the Internet for industrial systems, Censys.
For an overview of Censys, see my tutorial here.
Censys for SCADA/ICS
Censys uses heuristic techniques to categorize hosts into "tags". These tags simply represent hosts that share similar "heuristics". Think of heuristics as "if it walks like a duck and quacks like a duck, there is a VERY high probability it IS a duck!"
But as we know, these types of heuristic systems are prone to some error. Take these results as less than deterministic but with a high probability of being correct.
The figure below shows a list of the most widely found "tags" that Censys identifies on the internet.
We can use these tags to help us find systems that "quack" like a SCADA system. SCADA systems are so distinctively different from other systems that when they are scanned by Zmap or nmap, the probability that a host matching the tag really is a SCADA system is very high.
We can narrow our search by a multitude of choices, but if we were looking for SCADA systems whose PLCs were manufactured by the German industrial giant Siemens (whose PLCs were the target of the Stuxnet attack on Iran), we could create a search such as:
tags:scada AND metadata.manufacturer:siemens
We can further narrow our search to systems found in a particular country such as Germany, using the logical AND and then appending an additional condition on location.country_code with a value of DE (Germany).
tags:scada AND metadata.manufacturer:siemens AND location.country_code:DE
One of the features I like best about Censys is the concept of "boosting". This comes in handy if you have two fields where one is far more important than the other. The logical "AND" normally gives equal weight to both terms; boosting lets you tell Censys that one field matters more than the other, and the boost can be weighted.
For instance, if I were looking for systems that speak the modbus protocol and carry the tag "SCADA", I would probably want to place a lot more weight on the modbus protocol and less on Censys's SCADA tag. Remember, the tag is derived from heuristics and won't always be correct.
We convey this unequal importance to Censys by appending a "^" plus a number representing the weight you want to give to that field.
tags:scada AND protocols:"502/modbus"^3
As you can see in the results above, we were able to retrieve information on hosts that are tagged SCADA AND are running the modbus protocol, with a heavier emphasis on "modbus".
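To make the AND-narrowing and boosting behaviour concrete, here is an added example (not code from the original tutorial, and not Censys's own parser or ranking engine) that reads the same search syntax shown above and runs it against a small, constructed host inventory. The scoring model is an assumption: a clause with ^N contributes N to the score, AND requires every clause to match, and OR requires at least one. Running it against an export of your own organization's assets is a quick way to check which of your hosts would surface under a given query; the OR case goes beyond the page's examples to show that a boost changes ranking but never the set of hosts an AND query returns.

```python
"""Toy evaluator for Censys-style search strings (added example, not Censys's code).

Assumed semantics: field:value clauses joined by AND or OR, an optional ^N boost
per clause, exact matching, no parentheses. Score = sum of boosts of matching
clauses; AND needs all clauses, OR needs at least one.
"""
import re
from dataclasses import dataclass

# Constructed inventory for the example; addresses are RFC 5737 documentation space.
INVENTORY = [
    {"ip": "192.0.2.10", "tags": ["scada"], "metadata.manufacturer": "siemens",
     "location.country_code": "DE", "protocols": ["502/modbus", "80/http"]},
    {"ip": "192.0.2.11", "tags": ["scada"], "metadata.manufacturer": "siemens",
     "location.country_code": "US", "protocols": ["102/s7"]},
    {"ip": "192.0.2.12", "tags": [], "metadata.manufacturer": "unknown",
     "location.country_code": "DE", "protocols": ["502/modbus"]},
    {"ip": "192.0.2.13", "tags": ["scada"], "metadata.manufacturer": "rockwell",
     "location.country_code": "DE", "protocols": ["44818/ethernetip"]},
]


@dataclass
class Clause:
    field: str
    value: str
    boost: float = 1.0


# field:value or field:"quoted value", optionally followed by ^N
TOKEN = re.compile(r'([A-Za-z_.]+):("[^"]*"|[^\s^]+)(?:\^(\d+(?:\.\d+)?))?')


def parse_query(query):
    """Return (operator, [Clause, ...]); mixing AND and OR in one query is rejected."""
    ops = set(re.findall(r"\b(AND|OR)\b", query))
    if len(ops) > 1:
        raise ValueError("mixed AND/OR without parentheses is ambiguous")
    op = ops.pop() if ops else "AND"
    clauses = [Clause(field, value.strip('"'), float(boost) if boost else 1.0)
               for field, value, boost in TOKEN.findall(query)]
    if not clauses:
        raise ValueError("no field:value clauses found")
    return op, clauses


def clause_matches(host, clause):
    """Exact match; list-valued fields (tags, protocols) match on membership."""
    actual = host.get(clause.field)
    if isinstance(actual, list):
        return clause.value in actual
    return actual == clause.value


def search(query, hosts=INVENTORY):
    """Return [(ip, score)] sorted by descending score, then by ip."""
    op, clauses = parse_query(query)
    required = len(clauses) if op == "AND" else 1
    results = []
    for host in hosts:
        hits = [c for c in clauses if clause_matches(host, c)]
        if len(hits) >= required:
            results.append((host["ip"], sum(c.boost for c in hits)))
    return sorted(results, key=lambda r: (-r[1], r[0]))


def ranked_ips(query, hosts=INVENTORY):
    """Just the ordered list of matching addresses."""
    return [ip for ip, _ in search(query, hosts)]


if __name__ == "__main__":
    for q in ("tags:scada AND metadata.manufacturer:siemens",
              "tags:scada AND metadata.manufacturer:siemens AND location.country_code:DE",
              'tags:scada AND protocols:"502/modbus"^3',
              'tags:scada OR protocols:"502/modbus"^3'):
        print(f"{q}\n  -> {search(q)}")
```

Because Censys's real relevance scoring is more involved than a sum of boosts, treat this only as a model of the syntax and of the distinction the text draws: the country-code clause shrinks the result set, while ^3 on the modbus clause re-orders results without excluding anything that an AND query already matched.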
We can find SCADA/ICS systems connected to the Internet through a variety of tools such as Shodan and nmap, but Censys can augment that data with nearly real-time data from a wide variety of fields gathered via Zmap.
I think Censys takes us to the next level of understanding the attack surface of nearly every system on the planet in nearly real time. That makes Censys an incredibly powerful tool for monitoring the threat landscape of your company and the cyber-war landscape of geopolitics.