Identification of visible industrial control devices at Internet scale

Industrial control devices are now central to critical infrastructure such as factories, power plants, and water treatment facilities. Those with public IP addresses are visible on the Internet and form the link between cyberspace and the physical world. The first step in protecting such devices from attackers is a thorough understanding of how they appear in cyberspace. In this paper, we take a first step in this direction by investigating physical devices that run one of two specific protocols widely adopted in industrial control systems. To detect these devices in real time, we propose a two-stage discovery mechanism: first filtering out unqualified hosts from 4 billion remote hosts, and then identifying physical devices among the qualified candidates. We conducted a real-world experiment to verify the mechanism and identified tens of thousands of physical devices across the entire Internet. The results show that our method discovers all devices in 20 hours with 89.5% precision and 79.3% recall.
