针对三菱Q系列PLC的安全分析可以参照前文，而这个就是一个控制设备跑在公网的切实的案例，同样也是本次能根据title确认的一个案例。
理论上PLC如果没设置密码是可通过编程软件是实现远程管理操作，即工程上载和下载，停止运行等。
该案例中确认了涉事地址开放的web服务为ecoserver（应该同为三菱的小型web能源监控管理系统，主要用来监视当前电力使用情况，加载java后可以查看趋势图等）通过开放的udp端口确认了PLC型号为Q系列PLC（Q12DCCPU-V）。
识别方式可以参照上一篇分析，通用批量验证的话可以使用文中的基于NMAP的nse脚本。

Web部分截图:

首页

趋势图

测点信息

利用NMAP脚本识别的信息：

NMAP通用型发现脚本

tcp版本

 

http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover.nse_.txt

udp版本

 

http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover-udp.nse_.txt






-- Nmap Scripting Engine
-- required packages for this script
-- 
local bin = require "bin"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

--Output Example:
--PORT     STATE SERVICE                REASON
--5006/udp open  Mitsubishi/Melsoft udp syn-ack
--| melsecq-discover:
--|_  CPUINFO: Q03UDECPU


description = [[
discovery Mitsubishi Electric Q Series PLC 
GET CPUINFO
]]


author = "ICS Security Workspace(plcscan.org)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery","intrusive"}

function set_nmap(host, port)
port.state = "open"
port.version.name = "Mitsubishi/Melsoft Udp"
port.version.product = "Mitsubishi Q PLC"
nmap.set_port_version(host, port)
nmap.set_port_state(host, port, "open")

 end

function send_receive(socket, query)
local sendstatus, senderr = socket:send(query)
if(sendstatus == false) then
    return "Error Sending getcpuinfopack"
end
local rcvstatus,response = socket:receive()
if(rcvstatus == false) then
return "Error Reading getcpuinfopack"
end
return response
end

portrule = shortport.port_or_service(5006, "Melsoft/TCP", "udp")
action = function(host,port)
local getcpuinfopack = bin.pack("H","57000000001111070000ffff030000fe03000014001c080a080000000000000004" .. "0101" .. "010000000001")
local response
local output = stdnse.output_table()
local sock = nmap.new_socket()
local constatus,conerr = sock:connect(host,port)
if not constatus then
    stdnse.print_debug(1,
      'Error establishing connection for %s - %s', host,conerr
      )
    return nil
end
response  = send_receive(sock, getcpuinfopack)
local mel, pack_head = bin.unpack("C", response, 1)
--local mel, space_id = bin.unpack("C", response, 55)
local offset = 0
if ( pack_head == 0xd7) then
--if ( space_id == 0x20) then
local mel
local mel, cpuinfo = bin.unpack("z", response, 42 + offset)
output["CPUINFO"] = string.sub(cpuinfo, 1, 16)
set_nmap(host, port)
sock:close()
return output
--end
else
sock:close()
    return nil

end


end

修复方案：

内部系统和外部设备还是不应该对外