Who is looking for your SCADA infrastructure?

This briefing paper contains the results of a brief review of scans for some well known SCADA ports seen in Team Cymru Darknets during 2008.

Supervisory Control and Data Acquisition (SCADA) systems have been used for decades to monitor, communicate with, and control equipment used for energy generation and distribution. Older systems were never designed to be secure and, as with the Internet as a whole, retrofitting security has proven to be a complex and expensive process. This effort has been made even more difficult by the plethora of different manufacturers, each with their own proprietary implementations of different protocols and equipment specifications. Newer open protocols (DNP3, IEC 60870-5-104, UCA) address many of these concerns, but as with all protocols, vulnerabilities arise in both the specifications and their implementations. The situation has been made more dangerous as older closed SCADA communications methods (fiber, radio transmission, dedicated modem, satellite, microwave, PSTN, cellular, wireless, powerline carrier) are increasingly being replaced by the public Internet because of the considerable cost savings that change affords.

The communication protocols and implementation details of the various proprietary SCADA protocols are generally not available to researchers, and a wide variety of ports and methods are used amongst the various vendors. This does not significantly hinder the miscreants, who simply scan wide ranges of well-known SCADA-related ports and tailor their attacks to whatever they find.

Team Cymru manages an extensive Darknet project. A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. They are "dark" because there is, seemingly, nothing within these networks. Because nothing legitimate should be routed there, essentially all traffic entering a Darknet is unsolicited: scanning, malware propagation, misconfiguration, or backscatter from attacks that spoof their source addresses.
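As an added illustration of the counting approach behind these charts (this is not Team Cymru's tooling, and the flow records are constructed for the example), the script below tallies darknet hits against the ports examined in this paper. It reports distinct sources next to raw scan counts, so that one hyperactive node shows up as a skew flag rather than hiding inside the total, and it keeps tcp/20000 apart because that port is dominated by non-SCADA scanning:

```python
"""Triage of darknet hits against SCADA-related ports.

Added example, not Team Cymru code or data. The flow records below are
constructed for illustration; a real run would read darknet flow exports.
"""
from collections import Counter, defaultdict

# Ports examined in the paper, keyed by (protocol, port).
SCADA_PORTS = {
    ("udp", 20000): "DNP3",
    ("tcp", 20000): "DNP3",
    ("tcp", 502): "Modbus/TCP",
    ("udp", 2222): "EtherNet/IP I/O",
    ("tcp", 44818): "EtherNet/IP encapsulation",
    ("udp", 44818): "EtherNet/IP encapsulation",
}

# Ports whose darknet hits are dominated by unrelated activity; they are
# still summarised but flagged so they are reported separately.
NOISY = {("tcp", 20000)}  # mostly Webmin/Usermin hunting, per the paper

# Constructed sample flows: (source IP, protocol, destination port).
SAMPLE_FLOWS = [
    ("198.51.100.7", "tcp", 502),
    ("198.51.100.7", "tcp", 502),
    ("198.51.100.7", "tcp", 502),
    ("198.51.100.7", "tcp", 502),
    ("203.0.113.9", "tcp", 502),
    ("203.0.113.9", "udp", 20000),
    ("192.0.2.44", "udp", 20000),
    ("192.0.2.45", "udp", 20000),
    ("192.0.2.46", "tcp", 20000),
    ("192.0.2.46", "tcp", 80),       # not a SCADA port, ignored
    ("198.51.100.7", "tcp", 44818),
]


def triage(flows, skew_threshold=0.5):
    """Summarise SCADA-port hits per (proto, port).

    "scans" is the raw per-packet count the charts use; "sources" is the number
    of distinct source IPs; "skewed" is set when one source produced more than
    skew_threshold of the scans, i.e. the raw count mostly reflects one node.
    """
    per_port = defaultdict(Counter)
    for src, proto, port in flows:
        key = (proto, port)
        if key in SCADA_PORTS:
            per_port[key][src] += 1

    summary = {}
    for key, by_src in per_port.items():
        scans = sum(by_src.values())
        top_share = max(by_src.values()) / scans
        summary[key] = {
            "service": SCADA_PORTS[key],
            "scans": scans,
            "sources": len(by_src),
            "top_share": top_share,
            "skewed": top_share > skew_threshold,
            "noisy": key in NOISY,
        }
    return summary


def top_sources(flows, n=3):
    """Rank source IPs by hits across SCADA ports, excluding noisy ports."""
    hits = Counter(
        src for src, proto, port in flows
        if (proto, port) in SCADA_PORTS and (proto, port) not in NOISY
    )
    return hits.most_common(n)


if __name__ == "__main__":
    for key, row in sorted(triage(SAMPLE_FLOWS).items()):
        flag = " (skewed by one source)" if row["skewed"] else ""
        flag += " (noisy port, report separately)" if row["noisy"] else ""
        print(f"{key[0]}/{key[1]:<6} {row['service']:<26} "
              f"scans={row['scans']:<3} sources={row['sources']}{flag}")
    print("top sources:", top_sources(SAMPLE_FLOWS))
```

Run against real darknet exports, the "skewed" flag is the one to look at before drawing a heatmap: a port whose scans come overwhelmingly from a single address is telling you about one host, not about a region.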
Traffic entering a Darknet normally comes from scans generated by automated tools and malware, looking for vulnerable ports with nefarious intent. See www.team-cymru.org/Services/darknets.html for more information.

Overall

Most of the charts shown below are in the form of 'heatmaps', in which the white (hot) colours represent the highest concentration of scanning sources and the blue (colder) colours a lesser concentration of sources in that particular area. It is essential that readers note that this does not necessarily mean that the miscreant causing the scan is in the "hot" location. It is entirely possible (and in many cases probable) that a compromised computer sits behind the IP address recorded as the source of the scan. Also note that each scan for a SCADA related port has been counted as one instance; one particularly active scanning node can therefore skew the overall picture if it was extremely active for a short period of time. Comparing the count of distinct source IPs against the raw scan count is the usual check for this.

The previous chart shows all the scans of our Darknet for 2008 for udp/20000, tcp/502, udp/2222, tcp/44818 and udp/44818. These ports carry protocols that are believed to control a large section of currently deployed SCADA systems. The IPs scanning for these ports seem to be grouped into four geographic regions:

USA: The two main hotspots for scanning appear to emanate from IPs located in Houston, Texas and Miami, Florida.

Western Europe: There are hotspots in London, United Kingdom, Seville, Spain, and apparently in locations in Scandinavia and Southern France.

Eastern Europe: Hotspots in this region include St Petersburg and Moscow as well as a location in Ukraine and Bucharest, Romania.
Far East: By far the most concentrated grouping of hotspots, the Far East contains concentrations of SCADA scanning IPs in Thailand, Hong Kong, Taiwan, Korea, Japan and several locations in China.

The pie chart below shows the global scanning data by country.

Distributed Network Protocol Version 3 (DNP3)

One of the more recently deployed SCADA protocols, DNP3 is an open protocol that lacks any native encryption or authentication mechanism: an outstation acts on any well-formed frame it receives, whoever sent it. Encryption and peer authentication have to be supplied by wrapping DNP3 in SSL/TLS at the transport layer or in IPsec at the network layer. Both solutions have a performance impact as well as other limitations. DNP3 is widely used in North and South America and Australia, while Europe favours IEC 60870-5 for electrical systems. DNP3 over IP uses port 20000, on both TCP and UDP.

Unfortunately, most tcp/20000 scans emanate from miscreants searching for a completely non-SCADA issue connected with tcp/10000 (Webmin listens on tcp/10000 and its companion Usermin on tcp/20000). This chart therefore relates only to udp/20000 scans for 2008 (note that the UDP transport should only be deployed on the LAN side of a SCADA installation). Clearly there is heavy scanning activity coming from Russia (Moscow) and the Taiwan area.

MODBUS

Modbus (originally Modicon Bus) is an application layer messaging protocol which provides client/server communication between devices connected on different types of buses and networks. Modbus/TCP Application Data Units (ADUs) use tcp/502. Note that even where the end user of the SCADA system moves the service to another port, it must still be reachable by its clients and it remains unauthenticated; a port change is obscurity, not access control. Converter units are available to bridge DNP3 masters to Modbus systems.

Rockwell-encap

tcp/44818 and udp/44818 (EtherNet/IP encapsulation, registered as "rockwell-encap") are used by almost all Rockwell Automation PLC products. Unfortunately such high port numbers see a lot of backscatter from other Internet traffic, and this chart is therefore less useful.

Other ports

Other ports used in SCADA related communications are also used extensively for other aspects of Internet traffic.
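The DNP3 and MODBUS sections above describe wire formats that carry no authentication. The following added example (not Team Cymru code; the addresses, transaction IDs and register ranges are arbitrary sample values) implements minimal DNP3 link-layer framing with CRC-16/DNP and Modbus/TCP ADU encoding, with parsers that reject a bad CRC or an MBAP length that disagrees with the bytes present. It makes the security point concrete: the only integrity check on a DNP3 link frame is a CRC any sender can compute, and a Modbus ADU identifies a unit, not a client, so network filtering and tunnelling (TLS or IPsec, as discussed above) have to do the work the protocols do not.

```python
"""Minimal DNP3 link-layer and Modbus/TCP framing.

Added example, not Team Cymru's code. Sample addresses and IDs are arbitrary.
"""
import struct

# ---- DNP3 link layer -------------------------------------------------------

DNP3_START = b"\x05\x64"


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def dnp3_link_frame(dest: int, src: int, control: int, user_data: bytes = b"") -> bytes:
    """8-byte header + CRC, then 16-byte user-data blocks, each followed by its own CRC.

    LENGTH counts CTRL, DEST, SRC and the user data, but not the CRCs.
    """
    if len(user_data) > 250:
        raise ValueError("user data exceeds one link frame")
    header = DNP3_START + struct.pack("<BBHH", 5 + len(user_data), control, dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_dnp3_link(frame: bytes) -> dict:
    """Check start bytes and every CRC; return header fields and reassembled user data."""
    if frame[:2] != DNP3_START or len(frame) < 10:
        raise ValueError("not a DNP3 link frame")
    header = frame[:8]
    if crc16_dnp(header) != struct.unpack("<H", frame[8:10])[0]:
        raise ValueError("header CRC mismatch")
    length, control, dest, src = struct.unpack("<BBHH", header[2:])
    data, pos, remaining = b"", 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        block, crc_bytes = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc_bytes) != 2:
            raise ValueError("truncated frame")
        if crc16_dnp(block) != struct.unpack("<H", crc_bytes)[0]:
            raise ValueError("data block CRC mismatch")
        data += block
        pos, remaining = pos + n + 2, remaining - n
    return {"control": control, "dest": dest, "src": src, "user_data": data}


# ---- Modbus/TCP ------------------------------------------------------------

READ_HOLDING_REGISTERS = 0x03


def modbus_tcp_adu(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(adu: bytes) -> dict:
    """Parse an ADU; reject a non-zero protocol id or a length field that does not match."""
    if len(adu) < 8:
        raise ValueError("ADU too short")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("not Modbus (protocol id != 0)")
    if length != len(adu) - 6:
        raise ValueError("MBAP length field disagrees with ADU size")
    return {"transaction_id": tid, "unit_id": unit, "function": adu[7], "data": adu[8:]}


def read_holding_registers_request(transaction_id: int, unit_id: int, start: int, count: int) -> bytes:
    """Function 0x03 request: starting address and register count, big-endian."""
    return modbus_tcp_adu(transaction_id, unit_id, READ_HOLDING_REGISTERS,
                          struct.pack(">HH", start, count))


if __name__ == "__main__":
    # Sample values: master 1 -> outstation 1024, control 0xC4 (unconfirmed user data).
    f = dnp3_link_frame(dest=1024, src=1, control=0xC4, user_data=b"\xc0\xc1\x01")
    print("DNP3 frame :", f.hex(), parse_dnp3_link(f))
    a = read_holding_registers_request(1, 1, 0, 10)
    print("Modbus ADU :", a.hex(), parse_modbus_tcp(a))
```

The parsers double as a payload sanity check when looking at darknet captures: a datagram to udp/20000 that does not start 0x05 0x64 with a valid header CRC is a probe or unrelated traffic, not a DNP3 session, and a tcp/502 payload whose MBAP length does not match its size is not a well-formed Modbus request.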
Ports such as udp/137 (NetBIOS) and tcp/80 (HTTP) therefore show a huge volume of scan activity, the majority of which will not be SCADA related. udp/161 (SNMP) also shows a huge volume of scan activity, but the analysis requires extensive examination of ICMP packets, which is outside the scope of this current analysis. Some apparently SCADA related ports have so little available documentation that it would prove impossible to interpret the scan results (e.g. tcp/1330 and tcp/1331).

About Team Cymru

Team Cymru is a specialized Internet security research firm dedicated to making the Internet more secure. By researching the 'who' and 'why' of malicious Internet activity worldwide, Team Cymru helps organizations identify and eradicate problems in their networks. Request to be added to our free quarterly postal mailing list by contacting us at [email protected], and you'll receive more unique insight like you've just read.

All maps courtesy of NASA. All data Copyright Team Cymru 2009