Running a fake power plant on the internet for a month

About the simulator

I decided to simulate a programmable logic controller, or PLC for short: specifically, a PLC that acts as a valve regulator in a nuclear installation. PLCs interface with actuators and sensors to open valves, run motors and start pumps. They can be found everywhere from the rollercoasters in your local theme park to the control boards of huge industrial pumpjacks. PLCs act in both the digital and the physical space, which makes them very interesting to malicious actors: a faulty or manipulated system could have catastrophic physical outcomes.

How it works

Siemens PLCs use SZL to tell other machines what type of PLC they are. SZL stands for System-Zustandsliste, German for system status list. Internet scanners make use of this by sending two read-SZL requests: a module ID request (SZL-ID 0x0011, which returns the order number and firmware version) and a component ID request (SZL-ID 0x001C, which returns the system name, plant identification, serial number and similar fields). The responses are then decoded by the (internet) scanners and used for indexing. See results from Censys and Shodan below.

(old) test setup with two Siemens S7 1200 PLCs
Setting up communications to the PLC
Retrieving SZL information using Nmap
PORT    STATE SERVICE
102/tcp open iso-tsap
| s7-info:
| Module: 6ES7 518-4AP00-0AB0
| Basic Hardware: 6ES7 518-4AP00-0AB0
| Version: 2.6.0
| System Name: INTERN_VALVE_REG_O1
| Serial Number: S C-N5820302
| Plant Identification: NUCL_POWER_GEN_05
|_ Copyright: Original Siemens Equipment
Service Info: Device: specialized
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds

Probe example

This is what the Nmap probes look like from the honeypot's point of view:

{
"category": "s7comm",
"date": "2020-12-08T21:23:32.541508039+01:00",
"destination-ip": "x.x.x.x",
"destination-port": 102,
"payload-hex": "0300002102f080320700000000000800080001120411440100ff09000400110001",
"payload-length": 33,
"request.ID": "17",
"request.type": "module ID request",
"sensor": "services",
"source-ip": "x.x.x.x",
"source-port": 53662,
"token": "bssglu3k2l04oeabnus0",
"type": "ics"
}
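To make the two-request handshake concrete, here is an added example (not code from this post or from the honeypot it describes) that decodes the probe logged above and assembles the same read-SZL probes a scanner would send. It assumes plain S7comm over TPKT/COTP as Nmap's s7-info script speaks it, with SZL-ID 0x0011 for module identification and 0x001C for component identification; the function names and the sample are my own.

```python
"""Decode and build the S7comm "read SZL" probes scanners send to TCP/102.

Added example, not part of the original post or its honeypot. Assumes the
TPKT + COTP + S7 userdata layout used by Nmap's s7-info script; the SZL-ID
names below follow the Siemens SZL numbering (0x0011 module identification,
0x001C component identification).
"""
import struct

# SZL-IDs that scanners ask for, mapped to the honeypot's request.type labels.
SZL_NAMES = {
    0x0011: "module ID request",     # order number, basic hardware, firmware
    0x001C: "component ID request",  # system name, plant ID, serial number
}

# Constructed sample: the module ID probe from the honeypot log above.
SAMPLE_PROBE_HEX = "0300002102f080320700000000000800080001120411440100ff09000400110001"


def parse_s7_szl_request(payload: bytes) -> dict:
    """Return SZL-ID, SZL index and scanner label of a read-SZL request.

    Raises ValueError for anything that is not a well-formed read-SZL probe,
    so a honeypot can log unexpected traffic instead of mis-classifying it.
    """
    # TPKT (RFC 1006): version 3, reserved, 16-bit total length.
    if len(payload) < 7 or payload[0] != 0x03:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack(">H", payload[2:4])[0]
    if tpkt_len != len(payload):
        raise ValueError(f"TPKT length {tpkt_len} != payload length {len(payload)}")
    # COTP data TPDU: length 2, code 0xF0 (DT), 0x80 = end of TSDU.
    if payload[4:7] != b"\x02\xf0\x80":
        raise ValueError("not a COTP DT TPDU")
    s7 = payload[7:]
    # S7 header: protocol id 0x32, ROSCTR 0x07 = userdata, reserved,
    # PDU reference, parameter length, data length.
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("not an S7comm PDU")
    if s7[1] != 0x07:
        raise ValueError(f"ROSCTR 0x{s7[1]:02x} is not userdata")
    pdu_ref, param_len, data_len = struct.unpack(">HHH", s7[4:10])
    param = s7[10:10 + param_len]
    data = s7[10 + param_len:10 + param_len + data_len]
    # Userdata parameter: head 00 01 12, length 4, method 0x11 (request),
    # 0x44 = type 4 (request) / group 4 (CPU functions), subfunction 1 (read SZL), sequence number.
    if len(param) < 8 or param[:3] != b"\x00\x01\x12" or param[4:7] != b"\x11\x44\x01":
        raise ValueError("not a CPU-functions read-SZL request")
    # Data item: return code 0xFF, transport size 0x09 (octet string),
    # item length (4), then SZL-ID and SZL index.
    if len(data) < 8 or data[0] != 0xFF or data[1] != 0x09:
        raise ValueError("unexpected SZL data item header")
    item_len, szl_id, szl_index = struct.unpack(">HHH", data[2:8])
    if item_len != 4:
        raise ValueError(f"SZL item length {item_len} != 4")
    return {
        "pdu_ref": pdu_ref,
        "szl_id": szl_id,
        "szl_index": szl_index,
        "request_type": SZL_NAMES.get(szl_id, "other SZL read"),
    }


def build_s7_szl_request(szl_id: int, szl_index: int = 0, pdu_ref: int = 0, seq: int = 0) -> bytes:
    """Assemble the read-SZL probe a scanner sends, as TPKT + COTP + S7 userdata."""
    param = b"\x00\x01\x12\x04\x11\x44\x01" + bytes([seq & 0xFF])
    data = b"\xff\x09" + struct.pack(">HHH", 4, szl_id, szl_index)
    s7 = b"\x32\x07\x00\x00" + struct.pack(">HHH", pdu_ref, len(param), len(data)) + param + data
    cotp = b"\x02\xf0\x80"
    tpkt = b"\x03\x00" + struct.pack(">H", 4 + len(cotp) + len(s7))
    return tpkt + cotp + s7


if __name__ == "__main__":
    print(parse_s7_szl_request(bytes.fromhex(SAMPLE_PROBE_HEX)))
    print(build_s7_szl_request(0x001C, 0x0001).hex())
```

Rebuilding the module ID probe with `build_s7_szl_request(0x0011, 0x0001)` reproduces the logged payload byte for byte; swapping in 0x001C yields the second probe Nmap sends. Keep in mind that a real session first performs a COTP connect (CR/CC) and an S7 setup-communication exchange, so a honeypot has to answer those before a scanner ever sends this userdata PDU.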

Getting indexed by internet scanners

After initial setup I waited for the system to be indexed by scanning services such as Shodan and Censys. These are search engines for actual machines instead of webpages. Setting aside the differences, the goal is the same: to be recorded in online search engines for all of the internet to find. Preferably as an actual nuclear reactor instead of a honeypot.

About the data…

Most traffic received in the month of operation originated from the United States. This was expected, as most internet scanners are hosted there. Censys, with its ZGrab2 scanners, is especially active, but ipip.net wins with an average of two scans a day.

Top 10 hosts connecting to the honeypot
Total amount of requests received by category

Conclusion

There is active scanning for industrial equipment on the internet, not only by big companies that index the whole IPv4 space but also by individuals and organisations interested in which machines are reachable. Luckily most traffic received came from researchers scanning the whole IPv4 space in the spirit of responsible disclosure. However, this does not rule out that there are also people looking for industrial machines on the internet with other intentions.
