Characterizing industrial control system devices on the Internet

Industrial control system (ICS) devices with IP addresses are accessible on the Internet and play a crucial role in critical infrastructures such as the power grid. However, there is a lack of deep understanding of the characteristics of these devices in cyberspace. In this paper, we take a first step in this direction by investigating these accessible industrial devices on the Internet. Because of the critical nature of industrial control systems, the detection of online ICS devices should be done in a real-time and non-intrusive manner. Thus, we first analyze 17 industrial protocols widely used in industrial control systems, and train a probability model through a learning algorithm to improve detection accuracy. Then, we discover online ICS devices in the IPv4 space while reducing the noise introduced by industrial honeypots. To observe the dynamics of ICS devices over a relatively long period, we deployed our discovery system on Amazon EC2 and detected online ICS devices in the whole IPv4 space eight times between August 2015 and March 2016. Based on the collected ICS device data, we conduct a comprehensive data analysis to characterize the usage of ICS devices, in particular to answer the following three questions: (1) what are the distribution features of ICS devices, (2) who uses these ICS devices, and (3) what are the functions of these ICS devices.
