The primary objective of the SISSDEN project is to offer National CERTs, ISPs and network owners free reports on malicious activity detected on their networks. This is achieved through the establishment of a network of honeypots. One of these honeypots emulates ICS protocols, such as modbus or s7comm. Scanning for ICS devices may be part of a benign activity - for example, a research project or an organization like the Shadowserver Foundation looking for open/vulnerable services that it can report to National CERTs and network owners so that they remediate their networks. Other scans may be part of a network reconnaissance that may be a preparatory phase for an attack or an attempt to exploit these devices.
Below is a description of a report based on data collected by SISSDEN "ICS-aware" honeypots. Basic information collected includes the source of the scan and the requests being sent, including the communication state and any other protocol specific details if available. Note that because the ICS sensors used are also HTTP-aware, observed scans may also include non-ICS related attacks that happen to also hit these sensors. These may be considered false positives from an ICS related attack perspective but may be attacks in themselves too.
| Field | Description |
| --- | --- |
| timestamp | Time that the scan was performed in UTC+0 |
| ip | The IP address performing the scan |
| port | The source port used in the scan |
| asn | ASN announcing the scanning IP |
| geo | Country where the scanning IP resides |
| region | State / Province / Administrative region where the scanning IP resides |
| city | ASN of where the scanning IP resides |
| hostname | PTR record of the scanning IP |
| protocol | Protocol used to query the ICS device, e.g. http, modbus, s7comm |
| type | Type of activity observed, i.e. ics-scan |
| dst_ip | The IP address of the target device |
| dst_port | Destination port used in the scan |
| dst_asn | ASN announcing the target IP |
| dst_geo | Country where the target IP resides |
| dst_dns | FQDN of the target, if applicable and recorded |
| naics | North American Industry Classification System code of the scanning IP |
| sic | Standard Industrial Classification System code of the scanning IP |
| sector | Sector the attacking IP belongs to |
| dst_sector | Sector the target IP belongs to |
| public_source | Source of the data, for cases where the source accepts being credited |
| sensorid | ID of the sensor target device |
| state | Connection state (if applicable) |
| slave_id | Modbus slave id being requested (if applicable) |
| function_code | Modbus function code being used (if Modbus query) |
| request | Request logged |
| response | Response to the query |
As of 20th September 2018, the ICS Scanners report has been included in Shadowserver's reports and is being sent to 92+ National CSIRTs and 4200+ network owners as part of the free daily victim remediation feeds, in easily parsable CSV format. Anonymized samples of the reports being sent out are available here. If you are a network owner or CSIRT and wish to receive reports from SISSDEN you can either subscribe directly to Shadowserver's feeds or do so through the SISSDEN Customer Portal, which will be made available soon. Existing Shadowserver subscribers will get the free ICS Scanners daily report automatically.
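To show how a recipient might triage the daily CSV, here is an added example (not SISSDEN's or Shadowserver's own tooling) that parses a constructed sample in the column layout listed above, separates modbus/s7comm rows from the HTTP-only hits the text flags as possible false positives, and labels the Modbus function_code values with their standard names. All addresses, ASNs and sensor IDs in the sample are made up.

```python
import csv
import io
from collections import Counter

# Standard Modbus public function codes (subset) used to label the
# numeric function_code field; the report itself only carries the number.
MODBUS_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    16: "Write Multiple Registers",
    43: "Read Device Identification",
}
ICS_PROTOCOLS = {"modbus", "s7comm"}

# Constructed sample report (TEST-NET addresses, documentation ASNs,
# invented sensor IDs) with the 26 columns described in the field table.
SAMPLE_CSV = """timestamp,ip,port,asn,geo,region,city,hostname,protocol,type,dst_ip,dst_port,dst_asn,dst_geo,dst_dns,naics,sic,sector,dst_sector,public_source,sensorid,state,slave_id,function_code,request,response
2018-09-20 00:01:12,192.0.2.10,51234,64496,US,,,,modbus,ics-scan,198.51.100.5,502,64497,DE,,,,,,,sensor-a,open,1,43,,
2018-09-20 00:01:13,192.0.2.10,51235,64496,US,,,,modbus,ics-scan,198.51.100.5,502,64497,DE,,,,,,,sensor-a,open,1,3,,
2018-09-20 00:02:40,192.0.2.77,40022,64498,NL,,,,s7comm,ics-scan,198.51.100.9,102,64497,DE,,,,,,,sensor-b,open,,,,
2018-09-20 00:03:05,192.0.2.200,33001,64499,CN,,,,http,ics-scan,198.51.100.5,80,64497,DE,,,,,,,sensor-a,,,,GET / HTTP/1.1,
"""


def triage(csv_text):
    """Split report rows into ICS-protocol scans and non-ICS (HTTP) hits.

    Returns per-protocol counts, the Modbus function names seen per
    scanning IP, and the non-ICS rows that need separate review.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_protocol = Counter(r["protocol"] for r in rows)
    modbus_funcs = {}
    non_ics = []
    for r in rows:
        if r["protocol"] == "modbus" and r["function_code"]:
            code = int(r["function_code"])
            label = MODBUS_FUNCTIONS.get(code, f"unknown({code})")
            modbus_funcs.setdefault(r["ip"], []).append(label)
        elif r["protocol"] not in ICS_PROTOCOLS:
            # HTTP-aware sensors also record web probes; the report
            # text notes these may be false positives from an ICS view.
            non_ics.append(r)
    return {"by_protocol": by_protocol,
            "modbus_functions": modbus_funcs,
            "non_ics": non_ics}
```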
This is the third SISSDEN report that is being sent out to the CSIRT community (and to all subscribed network owners) after the HTTP Scanner report (going out since 13th September 2018) and the Brute Force report which has been going out on a daily basis since April 2018.