Sorry, Shodan is not Enough! Assessing ICS Security via IXP Network Traffic Analysis

Modern Industrial Control Systems (ICSs) allow remote communication over the Internet using industrial protocols that were never designed to work with external networks. To understand the security issues this practice creates, prior work usually relies on active scans by researchers or on services such as Shodan. While such scans can identify publicly open ports, they cannot reveal how a system is configured with respect to the legitimate Industrial Traffic that actually crosses the Internet (e.g., source-based filtering in Network Address Translation or firewalls). In this work, we complement Shodan-only analysis with large-scale traffic analysis at a local Internet Exchange Point (IXP), based on sFlow sampling. This setup allows us to identify ICS endpoints that actually exchange Industrial Traffic over the Internet. In addition, we can detect scanning activity and determine what other types of traffic these systems exchange (i.e., IT traffic). We find that Shodan listed less than 2% of the hosts that we identified as exchanging Industrial Traffic. Even with manually triggered scans, Shodan identified only 7% of them as ICS hosts. This demonstrates that analysis based on active scanning alone is insufficient to understand current security practices in ICS communications. We show that 75.6% of ICS hosts rely on unencrypted communications without integrity protection, leaving these critical systems vulnerable to malicious attacks.
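The abstract describes three analysis steps over sampled IXP traffic: identifying hosts that actually exchange Industrial Traffic, separating them from hosts that are merely being scanned, and measuring how many of the real endpoints use protocols without encryption or integrity protection. The script below is an added illustration of that pipeline on constructed flow records; it is not the paper's code or data. It assumes a port-to-protocol table (Modbus/TCP, DNP3, S7comm, EtherNet/IP, BACnet/IP, MQTT) as the first-pass classifier, and a payload heuristic (a PSH-flagged TCP segment or a non-empty UDP datagram) to distinguish a real exchange from a bare probe; the sample records, the `FlowSample` type and the function names are all constructed for this example.

```python
"""Added example: classify sampled flow records from an IXP to find ICS
endpoints, separate them from scanners, and measure cleartext exposure.
All records below are constructed; the port table is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed port-to-protocol map. The boolean records whether the protocol
# itself provides confidentiality and integrity; a port match is only a
# first indicator and would be refined with payload inspection in practice.
ICS_PORTS = {
    502:   ("Modbus/TCP", False),
    20000: ("DNP3", False),
    102:   ("S7comm", False),
    44818: ("EtherNet/IP", False),
    47808: ("BACnet/IP", False),
    1883:  ("MQTT", False),
    8883:  ("MQTT over TLS", True),
}
ENCRYPTED = {name: enc for name, enc in ICS_PORTS.values()}


@dataclass(frozen=True)
class FlowSample:
    """One sampled packet, as an sFlow collector would export it (constructed)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str    # "tcp" or "udp"
    nbytes: int   # transport payload bytes in the sampled packet
    flags: str    # TCP flag letters (S, A, P, F, R); "" for UDP


def service_side(s):
    """Return (server_host, port) if either side of the sample uses an ICS port."""
    if s.dport in ICS_PORTS:
        return s.dst, s.dport
    if s.sport in ICS_PORTS:
        return s.src, s.sport
    return None


def carries_payload(s):
    """Heuristic: PSH-flagged TCP data or a non-empty UDP datagram means the
    two hosts actually exchanged protocol data rather than a connection probe."""
    if s.proto == "udp":
        return s.nbytes > 0
    return "P" in s.flags


def find_ics_endpoints(samples):
    """Hosts that serve an ICS port *and* exchange payload on it."""
    endpoints = defaultdict(set)
    for s in samples:
        hit = service_side(s)
        if hit and carries_payload(s):
            server, port = hit
            endpoints[server].add(ICS_PORTS[port][0])
    return dict(endpoints)


def find_scanners(samples, min_targets=3):
    """Sources sending bare SYNs to ICS ports on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for s in samples:
        if s.proto == "tcp" and s.flags == "S" and s.dport in ICS_PORTS:
            targets[s.src].add(s.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def cleartext_share(endpoints):
    """Fraction of ICS endpoints using at least one protocol without
    encryption or integrity protection (the paper's 75.6% metric)."""
    if not endpoints:
        return 0.0
    exposed = [h for h, protos in endpoints.items()
               if any(not ENCRYPTED[p] for p in protos)]
    return len(exposed) / len(endpoints)


# Constructed samples (documentation address ranges only).
SAMPLES = [
    # Legitimate Modbus/TCP session between a remote client and a PLC gateway
    FlowSample("198.51.100.5", "203.0.113.10", 40211, 502, "tcp", 12, "PA"),
    FlowSample("203.0.113.10", "198.51.100.5", 502, 40211, "tcp", 9, "PA"),
    # DNP3 outstation answering a master
    FlowSample("198.51.100.7", "203.0.113.30", 51000, 20000, "tcp", 18, "PA"),
    # MQTT over TLS: ICS traffic, but encrypted
    FlowSample("198.51.100.9", "203.0.113.20", 52000, 8883, "tcp", 120, "PA"),
    # The PLC gateway also serves HTTPS: IT traffic from the same host
    FlowSample("198.51.100.5", "203.0.113.10", 40300, 443, "tcp", 300, "PA"),
    # A scanner probing Modbus on four hosts with bare SYNs; no payload ever flows,
    # so hosts .11 to .13 must not be counted as ICS endpoints
    FlowSample("192.0.2.99", "203.0.113.10", 33001, 502, "tcp", 0, "S"),
    FlowSample("192.0.2.99", "203.0.113.11", 33002, 502, "tcp", 0, "S"),
    FlowSample("192.0.2.99", "203.0.113.12", 33003, 502, "tcp", 0, "S"),
    FlowSample("192.0.2.99", "203.0.113.13", 33004, 502, "tcp", 0, "S"),
]

if __name__ == "__main__":
    eps = find_ics_endpoints(SAMPLES)
    print("ICS endpoints:", eps)
    print("scanners:", find_scanners(SAMPLES))
    print("cleartext share: %.1f%%" % (100 * cleartext_share(eps)))
```

Because sFlow exports one packet in N, every count here is a lower bound on the real population: a host whose only Modbus traffic fell between samples is invisible, which is exactly why hosts that Shodan never lists can still show up here, and vice versa. The scanner from 192.0.2.99 touches 203.0.113.10 on port 502 but contributes no payload, so the endpoint list is driven by the real Modbus session, not by the probe.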
