=Paper=
{{Paper
|id=Vol-3035/paper07
|storemode=property
|title=The Attack Vector on the Critical Information Infrastructure of the Fuel and Energy Complex Ecosystem
|pdfUrl=https://ceur-ws.org/Vol-3035/paper07.pdf
|volume=Vol-3035
|authors=Nikolai Korneev
}}
==The Attack Vector on the Critical Information Infrastructure of the Fuel and Energy Complex Ecosystem==
https://ceur-ws.org/Vol-3035/paper07.pdf
The Attack Vector on the Critical Information Infrastructure of
the Fuel and Energy Complex Ecosystem
Nikolai Korneev 1,2,3
1
National University of Oil and Gas Gubkin University, 65 Leninsky Prospekt, Moscow, 119991, Russia
2
Financial University under the Government of the Russian Federation, 49 Leningradsky Prospekt, Moscow,
125993, Russia
3
All-Russian Research Institute for Civil Defence of the EMERCOM of Russia, 7 Davydkovskaya Street,
Moscow, 121352, Russia
Abstract
There was carried out a comprehensive analysis and determined digital transformation tasks
of the existing infrastructure for the fuel and energy market participants. Considering digital
transformations of the existing infrastructure there were proposed ecosystem components for
major participants of the fuel and energy market. A new concept of the attack vector on the
infrastructure (in particular, the critical information infrastructure) was formulated on the
basis of the information and energy approach and there was shown its relevance in the
information security field of Automated Process Control System (APCS) and SCADA.
Practical examples demonstrated how to get an attack vector on the infrastructure using the
classical testing theory on the example of Web-Applications and Modbus serial
communication protocol. The OWASP Web-Application Security Testing Guide was used as
a guideline. It was proposed to deliberately limit the space of the attack vector on the
infrastructure by the Descartes basis of information leaks and digital footprints. Separate
Google Dorks have been developed for each manufacturer of embedded systems for APCS
and SCADA. Penetration testing was performed as an example of APCS and SCADA on port
502 of the modbus protocol using Nmap.
Keywords 1
Complex security, APCS, SCADA, digital trace, digital transformation, industry
5.0, cyberattack, society 5.0, OWASP, Nmap, Google Dorks, ecosystem
1. Introduction
The structure of information processing systems changes fundamentally which is now based on
distributed information-computing networks, connected to global data networks, convergent, hyper-
converged, neuromorphic and quantum computing systems. At the same time, regulatory
requirements are toughen, especially, in terms of complex object security: physical, economic, fire,
informational, psychological, intellectual property security, technogenic, security against terrorism,
ecological safety and power security.
For the fuel and energy complex (FEC) – this is first and foremost Energy security doctrine of the
Russian Federation (Decree of the President of the Russian Federation 13.05.2019 № 216), new
version of the information security Doctrine (Decree of the President of the Russian Federation
05.12.2016 № 646), Federal law July 26, 2017 № 187-FL "On the Security of the Russian Federation
Critical Data Infrastructure, Federal law July 21, 2011 № 256-FL "On the safety of fuel and energy
complex facilities", Federal law July 27, 2006 № 149-FL "About information, information technology
and data security ". In these documents, the priority is given to the fuel and energy complex facilities
safety, including through continuous monitoring of object operation threats [1, 2].
BIT-2021: XI International Scientific and Technical Conference on Secure Information Technologies, April 6-7, 2021, Moscow, Russia
EMAIL: niccyper@mail.ru
ORCID: 0000-0002-0254-1121
© 2021 Copyright for this paper by its authors.
Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)
59
� Considering the National Strategy for the development of artificial intelligence for the period up to
2030 (Decree of the President of the Russian Federation No. 490 of 10.10.2019), security issues of
critical facilities of the fuel and energy complex should be solved using data mining, where the
digitalization of business processes of the fuel and energy complex plays a central role.
In this regard, all fuel and energy market participants have to solve digital transformation problems
of the existing infrastructure.
Experience shows that such an approach leads to the creation of its own artificial ecosystems that
can solve a whole range of problems, including the safety of fuel and energy complex facilities. The
example of such a system is the Sberbank ecosystem, where the services integration is achieved by
the effective use of digital technologies, taking into account financial and economic goals of digital
transformation. Major fuel and energy market players will have to similarly solve their digital
transformation tasks of the existing infrastructure.
2. The materials and approach
As ecosystem components for major players of the fuel and energy market, considering digital
transformations of the existing infrastructure, we can distinguish the following transformation tasks:
• digital means of labor, for example, digital birthplaces, digital seismic reflection, unmanned
aerial vehicles, etc.;
• digital tools, such as digital oil refineries;
• smart employees who use the ecosystem to perform their job responsibilities effectively.
Due to the dynamic development of the facility and its environment, the components composition
is not limited to the above.
Modern or large automated process control systems (APCS) are not possible without
supervisory dispatch control and data acquisition (SCADA) systems. APCS examples can be such
critical information infrastructures (CII) as: transport management systems and networks, power
supply management systems and networks, heat supply management systems and networks, fuel and
energy complex (FEC) management systems and networks, nuclear power plant management systems
and networks, etc. On the one hand, all these modern systems and networks are based on automatic
control principles [3] and use digital data in APCS and SCADA [4]. On the other hand, they are
represented as an information processing system [5] that is vulnerable to the corresponding
destabilizing factors [4, 5, 6] according to the ISO/IEC 27002 standard, including cyber attacks,
malware, such as "Triton" [7], "Irongate" [8] and modules for frameworks, such as "Autosploit" [9],
"ICSSPLOIT", "Metasploit", "Core Impact", and "Immunity Canvas".
3. Results
There are several communication protocols that are used in APCS and SCADA. Unlike Ethernet or
Internet Protocols (IP), automated control system uses several protocols that are often unique to the
PLC-controller manufacturer. The most popular are Modbus, dnp, dnp3, fieldbus, Ethernet/IP,
EtherCAT and profinet.
Primarily, such a wide specification determines the need to form a unique vector to directly
display the object and the environment state [10], based on diagnostic information on the object and
the most complete information of the environment state – available for APCS and SCADA. Further,
we will call such diagnostic information – an attack vector on the infrastructure, for example, CII.
At the same time, we cannot assume that this information is identical to the equation given in the
work [3, 10], for this reason:
𝑋𝑋�[k + 1] = Ф � �𝑋𝑋,
� 𝑈𝑈, 𝐹𝐹� , 𝑡𝑡�𝑋𝑋�[𝑘𝑘] + Г�[𝑡𝑡]𝑈𝑈[𝑘𝑘] + 𝐺𝐺� [𝑡𝑡]𝐹𝐹� [𝑘𝑘]𝑋𝑋�[𝑘𝑘 + 1], (1)
� �
where 𝑋𝑋[k + 1], 𝑋𝑋[𝑘𝑘] – the most accurate possible vectors evaluations of the object state and
environment; Ф � �𝑋𝑋,
� 𝑈𝑈, 𝐹𝐹� , 𝑡𝑡� – state transition function determined by the most accurately known
parameters of the object state and environment; 𝐹𝐹� [𝑘𝑘] – vector evaluation of direct environmental
impacts; Г�[𝑡𝑡]𝑈𝑈[𝑘𝑘], 𝐺𝐺� [𝑡𝑡]𝐹𝐹� [𝑘𝑘] – integral transformations of the most accurately represented controlling
and disturbing influences.
60
� Secondly, given specification of unique PLC-controllers for the manufacturer requires adequate
"unique" methods of information security (corresponding to the APCS and SCADA) from
destabilizing factors [4, 5, 11, 12, 13, 14] (cyberattack, malware), which consider the specified attack
vector on the infrastructure, for example, on the basis of the integrated security core [10].
Finally, it is necessary to implement proposed information security methods in the projects on
information and integrated security of CII. Methodological basis of this approach was set out in [3, 5,
10, 11, 12]. In this article we will demonstrate how to practically get such an attack vector on the
infrastructure, using the classical testing theory on the example of Web-applications and the Modbus
serial communication protocol. For this purpose, we will develop separate Google Dorks for each
manufacturer of embedded systems for APCS. In order to form the attack vector on the infrastructure,
we will conduct penetration testing for APCS and SCADA using Nmap.
Modbus – is a serial communication protocol originally published by Modicon (now Schneider
Electric) in 1979 to be used with its PLC-controllers. In fact, Modbus became a standard
communication protocol in APCS/SCADA.
As a methodological guide we use the OWASP Web-application security testing guide [15, 16, 17,
18], paragraphs 4.1.1. "Search engines usage for information leaks", 4.1.2. (4.1.9) "Web-server
fingerprints (application)". Thus, we will deliberately limit the space of the attack vector on the
infrastructure [10] by the Descartes basis of information leaks and digital footprints.
To form the information leaks basis we use the Shodan search engine which allows to identify
banners and information or parameters that they disclose [19]. Since Modbus works on port 502, in
the search box we write "port:502" (Figure 1).
Figure 1: Search result of devices that use Modbus
61
� Although there is no guarantee that all these IP-addresses work with Modbus, but most of them do,
because 502 is a popular port, but not the only for Modbus. The protocol can be also identified by
"Modbus Bridge", "ModbusGW", "HMS AnyBus-S WebServer", "title:'Carel pCOWeb Home Page'".
However, SCADA systems are mostly used in the global Internet. They can be determined not only
by the port, but also by the manufacturer. The "SCADA" query gives 2.925 results, but you can find
27 Schneider Electric servers with the "ClearSCADA" query.
Also, queries that can find APCS or SCADA have the following format: "port:2404 asdu address",
"I20100 port:10001", «"port:789 product:""Red Lion Controls"""», "ISC SCADA Service
HTTPserv:00001", «port:4800 'Moxa Nport'», "Reliance 4 Control Server", "Welcome to the
Windows CE Telnet Service on HMI_Panel", "Schneider Electric EGX300", etc.
To form the basis of digital footprints we use Google dorks. It is well known that Google stores
and indexes the information which finds on websites. However, Google has its own language to
extract the information [20] which we used to form Google dorks.
As an example we use Google Dork for PLC-controllers Siemens S7. It is almost the same
generation of controllers that was the target of the Stuxnet attack on Iran's uranium enrichment plants
in 2010, and probably, is the most complex attack on APCS in history [21]. Google Dork for this
controller: «inurl:/Portal/Portal.mwsl». Figure 2 shows an example of the query.
Figure 2: Google Dork work
There is no single Google Docs that would disclose every SCADA interface, instead, you need to
learn about the manufacturer and used products. Each company creates its own embedded systems for
automated process control systems. They use common protocols and procedures, but in general they
are unique. In addition, each of these companies produces several products. To find these products
used in APCS together with Google, we have developed separate Google Docs for each manufacturer
62
�and product. In Table 1, there is a short list according to manufacturers, products and developed
Google Dorks.
Table 1
Short Google Dork table of companies and their products
Manufacturer Product Google Dork(inurl:)
Codesys WebVisu Webvisu
Schleifenbauer Spbus gateway Schleifenbauer Spbus gateway
Schneider Electric Powerlogic EGX EGX100MG HMI, XP277
Schneider Electric Modicon M340 Modicon M340
Schneider Electric PowerLogic PM800 PowerLogic PM800
Schneider Electric PowerLogic PM820SD S7-300
Schneider Electric PowerLogic ECC21 Schneider Electric ECC21
Schneider Electric PowerLogic PM870SD Schneider Electric PM870SD
Siemens Simatic S7 Portal0000.htm
Siemens Simatic HMI Miniweb Miniweb Start Page
Siemens Scalance X Scalance X
Trend IQ3xcite Server: iq3
4. Experiment and Discussion
We will conduct penetration testing for APCS and SCADA using Nmap. Nmap – is one of the
main hacker tools, security researcher and penetration tester. Although Nmap has lots of features,
including Nmap (NSE) scripts, it was started as a simple port scanner and remains the best port
scanner ever. Nmap is a representative of the active method to obtain the information [22, 23, 24, 25].
As an aim, we chose shodan results by the search of "port:502 modbus", obtained earlier in Figure
1. Further, there is a fragment of the Nmap output in Figure 3.
Figure 3: Fragment of the Nmap output
63
� As we can see, Nmap can identify nodes as HMS Anybus-CC Modbus-TCP (2-Port) 1.04.01 and
detected each of the nodes. It provides the intruder with valuable information, not only identifying the
PLC-controller and version, but also the communication protocol and structure. Since attacks require
deep knowledge of the automated control system technology, this information is sufficient to create
an attack vector on the infrastructure.
5. Conclusion
There was formulated a new concept of the attack vector on the infrastructure (in particular,
critical information infrastructure) on the basis of the information and energy approach and
demonstrated its relevance in the field of information security of APCS and SCADA. It was proposed
to deliberately limit the space of the attack vector on the infrastructure by the Descartes basis of
information leaks and digital footprints. We developed separate Google Dorks for each manufacturer
of embedded systems for APCS and SCADA. Penetration testing was performed as an example of
APCS and SCADA on port 502 of the modbus protocol using Nmap. We obtained practical results
that are valuable for any specialist in the information security field, as they allow to create an
information security subsystem and its components for an intelligent integrated security management
system, such as the fuel and energy complex.
6. References
[1] I. Kolosok, L. Gurina. Improvement of Cybersecurity of Smart Grid by State Estimation
Methods. Voprosy kiberbezopasnosti [Cybersecurity issues], 2018, N 3(27). P. 63-69. DOI:
10.21681/2311-3456-2018-3-63-69. (In Russ.)
[2] S. Petrenko. Cyber resilient platform for internet of things (IIoT/IoT)ed systems: survey of
architecture patterns. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2021. N 2 (42). P. 81-
91. DOI: 10.21681/2311-3456-2021-2-81-91. (In Russ.)
[3] N. V. Korneev, Yu. S. Kustarev, Yu. Y. Morgovsky, Teoriya avtomaticheskogo upravleniya s
praktikumom [Theory automatic control with workshop], Academia, Moscow, 2008. URL:
https://www.academia-moscow.ru/ftp_share/_books/fragments/fragment_21122.pdf. (In Russ.).
[4] M. Shrestha, C. Johansen, J. Noll, D. Roverso, A methodology for security classification applied
to smart grid infrastructures, International Journal of Critical Infrastructure Protection 28 (2020)
100342. doi:10.1016/j.ijcip.2020.100342.
[5] N. V. Korneev, Algorithmic both program methods and tools estimation of alternative projects of
the guard data reduction system of firm on the basis of the multicriteria analysis, Sputnik+,
Moscow, 2013. (In Russ.).
[6] A. Barabanov, A. Markov, V. Tsirlov. Procedure for Substantiated Development of Measures to
Design Secure Software for Automated Process Control Systems. In Proceedings of the 12th
International Siberian Conference on Control and Communications (Moscow, Russia, May 12-
14, 2016). SIBCON 2016. IEEE, 7491660, 1-4. DOI: 10.1109/SIBCON.2016.7491660.
[7] A. S. Sani, D. Yuan, P. L. Yeoh, J. Qiu, W. Bao, B. Vucetic, Z. Y. Dong, CyRA: A real-time
risk-based security assessment framework for cyber attacks prevention in industrial control
systems, IEEE Power and Energy Society General Meeting 2019-August (2019) 8973948.
doi:10.1109/PESGM40551.2019.8973948.
[8] G. Assenza, L. Faramondi, G. Oliva, R. Setola, Cyber threats for operational technologies,
International Journal of System of Systems Engineering 10(2) (2020) 128–142.
doi:10.1504/IJSSE.2020.109127.
[9] Z. Yichao, Z. Tianyang, G. Xiaoyue, W. Qingxian, An improved attack path discovery algorithm
through compact graph planning, IEEE Access 7 (2019) 59346–59356.
doi:10.1109/ACCESS.2019.2915091.
[10] N. V. Korneev, Intelligent complex security management system FEC for the industry 5.0, IOP
Conference Series: Materials Science and Engineering 950(1) (2020) 012016. doi:10.1088/1757-
899X/950/1/012016.
64
�[11] N. Korneev, V. Merkulov. Intellectual analysis and basic modeling of complex threats. CEUR
Workshop Proceedings. 2019. Vol-2603. P. 23–28. URL: http://ceur-ws.org/Vol-
2603/paper6.pdf.
[12] N. V. Korneev, A Neurograph as a Model to Support Control over the Comprehensive Objects
Safety for BIM Technologies, IOP Conference Series: Earth and Environmental Science 224
(2019) 012021. doi:10.1088/1755-1315/224/1/012021.
[13] A. H. Dakheel, A. H. Dakheel, H. H. Abbas, Intrusion detection system in gas-pipeline industry
using machine learning, Periodicals of Engineering and Natural Sciences 7(3) (2019) 1030–1040.
doi:10.21533/pen.v7i3.512.
[14] L. Wei, K. Chuipin, N. Qiang, J. Jingguo, Z. Xionghui, A method of NC machine tools
intelligent monitoring system in smart factories, Robotics and Computer-Integrated
Manufacturing 61 (2020) 101842. doi:10.1016/j.rcim.2019.101842.
[15] V. N. Nanisura Damanik, S. U. Sunaringtyas, Secure code recommendation based on code
review result using owasp code review guide, International Workshop on Big Data and
Information Security (IWBIS), Depok, Indonesia, IEEE, 2020, pp. 153–157.
doi:10.1109/IWBIS50925.2020.9255559.
[16] K. Nagendran, A. Adithyan, R. Chethana, P. Camillus, K. B. Bala Sri Varshini, Web application
penetration testing, International Journal of Innovative Technology and Exploring Engineering
8(10) (2019) 1029–1035. doi:10.35940/ijitee.J9173.0881019.
[17] N. D. Thai, N. H. Hieu, A framework for website security assessment, ACM International
Conference Proceeding Series (ICCCM), Bangkok, АСМ, New York, NY, 2019, pp. 153–157.
doi:10.1145/3348445.3348456.
[18] A. V. Barabanov, A. S. Markov, V. L. Tsirlov. Information Security Controls Against Cross-Site
Request Forgery Attacks On Software Application of Automated Systems. Journal of Physics:
Conference Series. 2018. V. 1015. P. 042034. DOI :10.1088/1742-6596/1015/4/042034
[19] M. Bada, I. Pete, An exploration of the cybercrime ecosystem around Shodan, International
Conference on Internet of Things: Systems, Management and Security (IOTSMS), Paris, France,
IEEE, 2020, 9340224. doi:10.1109/IOTSMS52051.2020.9340224.
[20] A. K. Phulre, M. Kamble, S. Phulre, Content management systems hacking probabilities for
admin access with google dorking and database code injection for web content security,
International Conference on Data, Engineering and Applications (IDEA), Bhopal, India, IEEE,
2020, 9170655. doi:10.1109/IDEA49133.2020.9170655.
[21] L. Hartmann, S. Wendzel, Anomaly detection in ICS based on data-history analysis, ACM
International Conference Proceeding Series (EICC), Rennes, АСМ, New York, NY, 2020, рр. 1–
2. doi:10.1145/3424954.3424963.
[22] P. Manzanares-Lopez, J. P. Muñoz-Gea, J. Malgosa-Sanahuja, A. Flores-de la Cruz, A
virtualized infrastructure to offer network mapping functionality in SDN networks, International
Journal of Communication Systems 32(10) (2019) e3961. doi:10.1002/dac.3961.
[23] S. Lau, J. Klick, S. Arndt, V. Roth, POSTER: Towards highly interactive honeypots for
industrial control systems, ACM Conference on Computer and Communications Security
(CCS'16), Vienna, АСМ, New York, NY, 2016, pp. 1823–1825. doi:10.1145/2976749.2989063.
[24] Z. Ammar, A. AlSharif, Deployment of IoT-based honeynet model, ACM International
Conference Proceeding Series (ICIT 2018: IoT and Smart City), Hong Kong, АСМ, New York,
NY, 2018, pp. 134-139. doi:10.1145/3301551.3301586.
[25] L. Rosa, M. Freitas, S. Mazo, E. Monteiro, T. Cruz, P. Simoes, A comprehensive security
analysis of a SCADA protocol: From OSINT to mitigation, IEEE Access 7 (2019) 42156–42168.
doi:10.1109/ACCESS.2019.2906926.
65
�