Why Control Systems Are On the Internet

A few weeks ago I asked people on Twitter what sort of new ports/services they'd like me to add to Shodan. I received a lot of awesome feedback which resulted in Shodan now crawling for more than 170 ports (!!!). One of those requests was for the FINS protocol created by Omron:

By the way, I'm always looking to add more ports to Shodan, so if there's something you'd like to see me add just let me know which port and protocol you're interested in! Anyways, I did some quick Googling to learn more about this FINS protocol and I stumbled across the following advice in the official Omron documentation (PDF):

Just to reiterate: they're saying that because their device (an Omron PLC) isn't running a Windows-based operating system, it is impenetrable to standard hacking methods. And I'm not sure what they mean with the following sentence about not responding to "standard ethernet protocol commands", since the FINS protocol in this case operates over UDP and/or TCP. Either way, this is a good example of why many control systems can be found on the Internet. This document is a few years old now (released in 2009), so Omron as a company might've improved their stance on Internet security, but control systems are a slow-moving world and this sort of mentality has lingered around for a long time.

So what about the initial request to add Omron FINS to Shodan? After reviewing the pcaps for Wireshark and trying to find a simulator, I hit a roadblock and stopped making progress. Fortunately, Stephen Hilt picked it up as a challenge and within a few days was able to create fully-working Nmap scripts for both the TCP and UDP versions of the Omron FINS protocol. If you're interested in doing ICS analysis with Nmap, that should be your go-to location for getting started. Thanks to Stephen's work, I was able to convert the NSEs into Python scripts for my crawler, and it's now possible to find Omron FINS devices on the Internet via Shodan:

port:9600 response code

The data is still flowing in, so the current results are a lower bound, but the service has been added to the list of ports that Shodan permanently crawls so that changes in the exposure of these devices can be tracked over time.

PS: If there is a port/protocol that you'd like to see in Shodan, please email the information to jmath@shodan.io