Cyber Threat Investigation of SCADA Modbus Activities

The growing interconnection of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) networks with smart technologies has exposed them to a wide variety of security threats. Yet very few investigations in this field have been conducted from the Internet (cyber) perspective. This paper therefore investigates unauthorized, malicious and suspicious SCADA activities by leveraging the darknet address space. In particular, it focuses on the Modbus service, a de facto standard communication protocol that is the most widely deployed means of connecting electronic devices in critical and industrial infrastructures. The study is based on real Internet data collected over a one-month period. Among the 8 distinct scanning activities we infer, TCP distributed portscan is the only one that is not a typical Modbus scan. Our analyses further fingerprint a large variety of Modbus scanners and uncover 6 other services that accompany Modbus probing 74% of the time. Finally, we present case studies of synchronized and automated SCADA scanning campaigns originating from unknown sources.
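As an added illustration, not code from the paper and not its actual inference method or scan taxonomy, the following Python sketch shows the kind of darknet-based inference the abstract describes: unsolicited packets arriving at an unused (darknet) address block are all probes, backscatter or misconfiguration, so a bare SYN to TCP/502 from a source is a Modbus connection attempt. The sketch separates SYN probes from SYN/ACK backscatter, labels each source as a horizontal Modbus sweep, a vertical portscan or a single probe, flags a time window in which many sources each hit a few darknet addresses on 502 as a candidate distributed portscan, and measures which other services the Modbus probers also touch. The flow records are constructed inline; the thresholds, the 60-second window, the port labels and the class names are assumptions.

```python
"""
Simplified darknet-based inference of Modbus (TCP/502) scanning.

Illustrative example only: flow records are constructed inline, the
thresholds and window size are assumptions, and the scan labels are a
simplified scheme rather than the paper's taxonomy.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

MODBUS_PORT = 502
# Assumed darknet (unused, monitored) address block: documentation range.
DARKNET = [f"203.0.113.{i}" for i in range(1, 21)]


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since start of capture
    src: str     # probing host
    dst: str     # darknet address that received the packet
    dport: int   # destination TCP port
    flags: str   # TCP flags: "S" = bare SYN (probe), "SA" = SYN/ACK (backscatter)


def syn_probes(flows):
    """Keep only bare SYNs: SYN/ACK and RST on a darknet are backscatter from
    spoofed-source DoS traffic, not scanning, and must not be counted."""
    return [f for f in flows if f.flags == "S"]


def classify_source(src_flows, min_targets=8, min_ports=5):
    """Label one source by the shape of its probing (thresholds assumed)."""
    dsts = {f.dst for f in src_flows}
    ports = {f.dport for f in src_flows}
    if MODBUS_PORT in ports and len(dsts) >= min_targets:
        return "horizontal_modbus_scan"      # one source sweeps many addresses on 502
    if len(dsts) == 1 and len(ports) >= min_ports:
        return "vertical_portscan"           # one source, one address, many ports
    return "single_probe"


def classify_sources(flows, **thresholds):
    by_src = defaultdict(list)
    for f in syn_probes(flows):
        by_src[f.src].append(f)
    return {src: classify_source(fl, **thresholds) for src, fl in by_src.items()}


def distributed_modbus_scans(flows, window=60.0, min_sources=10, max_per_source=2):
    """Candidate distributed portscan: within one time window, many sources each
    hit at most a couple of darknet addresses on 502, yet together cover many.
    Returns (window_start, sources, covered_targets) tuples."""
    probes = [f for f in syn_probes(flows) if f.dport == MODBUS_PORT]
    buckets = defaultdict(list)
    for f in probes:
        buckets[int(f.ts // window)].append(f)
    campaigns = []
    for b, fl in sorted(buckets.items()):
        per_src = defaultdict(set)
        for f in fl:
            per_src[f.src].add(f.dst)
        small = {s: d for s, d in per_src.items() if len(d) <= max_per_source}
        covered = set().union(*small.values()) if small else set()
        if len(small) >= min_sources and len(covered) >= min_sources:
            campaigns.append((b * window, sorted(small), sorted(covered)))
    return campaigns


def tag_along_services(flows):
    """Which other ports do Modbus probers also touch, and how often?"""
    by_src = defaultdict(set)
    for f in syn_probes(flows):
        by_src[f.src].add(f.dport)
    modbus_srcs = [s for s, p in by_src.items() if MODBUS_PORT in p]
    with_other = [s for s in modbus_srcs if by_src[s] - {MODBUS_PORT}]
    ports = Counter(p for s in with_other for p in by_src[s] if p != MODBUS_PORT)
    return {"modbus_sources": len(modbus_srcs),
            "with_other_service": len(with_other),
            "ports": ports}


def build_sample_flows():
    """Constructed darknet records (not real captures)."""
    flows = []
    # Source A: horizontal sweep of 10 darknet addresses on 502, plus S7comm (102) on 3
    for i, dst in enumerate(DARKNET[:10]):
        flows.append(Flow(1.0 + i, "198.51.100.7", dst, 502, "S"))
    for dst in DARKNET[:3]:
        flows.append(Flow(20.0, "198.51.100.7", dst, 102, "S"))
    # Source B: vertical portscan of one darknet address, 502 among the ports
    for j, port in enumerate([21, 22, 23, 80, 102, 502, 20000]):
        flows.append(Flow(30.0 + j, "198.51.100.9", DARKNET[0], port, "S"))
    # Backscatter: SYN/ACK from a DoS victim whose attacker spoofed our darknet
    flows.append(Flow(40.0, "192.0.2.200", DARKNET[5], 502, "SA"))
    # Twelve sources, one darknet target each on 502, within the same minute
    for k in range(12):
        flows.append(Flow(65.0 + k, f"192.0.2.{k + 1}", DARKNET[k], 502, "S"))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print(classify_sources(sample))
    print(distributed_modbus_scans(sample))
    print(tag_along_services(sample))
```

On the constructed data the twelve single-probe sources are invisible to the per-source classifier (each looks like one stray SYN) and only appear when the window-level view is taken, which is why a distributed portscan has to be inferred across sources rather than per source; the backscatter record is dropped before any counting so it neither creates a phantom Modbus scanner nor inflates the tag-along fraction.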
