An Internet-wide view of ICS devices

Industrial control systems have become ubiquitous, enabling the remote, electronic control of physical equipment and sensors. Originally designed to operate on closed networks, the protocols used by these devices have no built-in security. Despite this, an alarming number of systems are connected to the public Internet, and an attacker who finds a device can often cause catastrophic damage to physical infrastructure. We consider two aspects of ICS security in this work: (1) what devices have been inadvertently exposed on the public Internet, and (2) who is searching for vulnerable systems. First, we implement five common SCADA protocols in ZMap and conduct a survey of the public IPv4 address space, finding more than 60K publicly accessible systems. Second, we use a large network telescope and high-interaction honeypots to find and profile actors searching for devices. We hope that our findings can both motivate and inform future work on securing industrial control systems.
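The second half of the abstract, using a network telescope to find and profile actors searching for ICS devices, amounts to a classification problem over unsolicited traffic: a telescope's address space hosts nothing, so every packet it receives is a probe, and the question is which sources are sweeping many addresses for ICS services. The following is an added example, not code from the paper. It assumes telescope traffic has already been reduced to flow records of the form `timestamp src dst proto dport` (all records below are constructed), and it assumes the standard registered ports of five common SCADA/ICS protocols (Modbus/TCP 502, DNP3 20000, BACnet 47808, Siemens S7comm 102, Niagara Fox 1911); the abstract does not name the five protocols the authors implemented, so that mapping is the example's own assumption.

```python
"""Profile sources that probe ICS service ports in network-telescope traffic.

Added example (not from the paper). Input: flow records of unsolicited packets
that arrived at unused (telescope) address space. Every record here is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: standard registered ports for five common ICS protocols.
# The paper's abstract does not name its five protocols; this table is ours.
ICS_PORTS = {502: "modbus", 20000: "dnp3", 47808: "bacnet", 102: "s7comm", 1911: "fox"}

# Constructed telescope records: "timestamp src dst proto dport".
# 198.51.100.7 sweeps one ICS port across many hosts; 203.0.113.42 sweeps many
# ports on one host; 192.0.2.200 sweeps BACnet over UDP; 192.0.2.250 is a one-off.
TELESCOPE_LOG = """\
1467000001 198.51.100.7 10.0.1.4 tcp 502
1467000001 198.51.100.7 10.0.1.9 tcp 502
1467000002 198.51.100.7 10.0.2.17 tcp 502
1467000002 198.51.100.7 10.0.3.88 tcp 502
1467000003 198.51.100.7 10.0.7.1 tcp 502
1467000003 198.51.100.7 10.0.9.4 tcp 20000
1467000004 203.0.113.42 10.0.1.4 tcp 22
1467000004 203.0.113.42 10.0.1.4 tcp 80
1467000005 203.0.113.42 10.0.1.4 tcp 443
1467000005 203.0.113.42 10.0.1.4 tcp 502
1467000006 192.0.2.200 10.0.5.5 udp 47808
1467000007 192.0.2.200 10.0.5.6 udp 47808
1467000008 192.0.2.200 10.0.5.7 udp 47808
1467000009 192.0.2.200 10.0.5.8 udp 47808
1467000010 192.0.2.250 10.0.6.1 tcp 3389
"""


@dataclass
class SourceProfile:
    """Per-source summary of what a telescope saw from one IP address."""
    src: str
    packets: int = 0
    hosts: set = field(default_factory=set)       # distinct destinations touched
    ports: set = field(default_factory=set)       # distinct destination ports
    ics_hits: dict = field(default_factory=lambda: defaultdict(int))  # protocol -> count

    @property
    def ics_share(self) -> float:
        """Fraction of this source's packets aimed at a known ICS port."""
        return sum(self.ics_hits.values()) / self.packets if self.packets else 0.0

    def classify(self, min_hosts: int = 3, min_ports: int = 3, ics_share: float = 0.5) -> str:
        """Label the source by its probing pattern.

        ics-horizontal: many hosts, mostly ICS ports (the actors the paper profiles)
        horizontal:     many hosts, non-ICS services
        vertical:       few hosts, many ports (port sweep of individual targets)
        other:          too little traffic to say anything
        Port numbers alone are a weak indicator; the paper's high-interaction
        honeypots are what confirm protocol-level behaviour.
        """
        if len(self.hosts) >= min_hosts and self.ics_share >= ics_share:
            return "ics-horizontal"
        if len(self.hosts) < min_hosts and len(self.ports) >= min_ports:
            return "vertical"
        if len(self.hosts) >= min_hosts:
            return "horizontal"
        return "other"


def parse_records(text: str):
    """Yield (timestamp, src, dst, proto, dport) from whitespace-separated records."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        yield int(ts), src, dst, proto, int(dport)


def profile_sources(text: str) -> dict[str, SourceProfile]:
    """Aggregate telescope records into one SourceProfile per source address."""
    profiles: dict[str, SourceProfile] = {}
    for _ts, src, dst, _proto, dport in parse_records(text):
        p = profiles.setdefault(src, SourceProfile(src))
        p.packets += 1
        p.hosts.add(dst)
        p.ports.add(dport)
        if dport in ICS_PORTS:
            p.ics_hits[ICS_PORTS[dport]] += 1
    return profiles


def ics_scanners(text: str, **thresholds) -> list[str]:
    """Sorted list of sources whose pattern is a horizontal sweep for ICS ports."""
    return sorted(src for src, p in profile_sources(text).items()
                  if p.classify(**thresholds) == "ics-horizontal")


if __name__ == "__main__":
    for src, p in profile_sources(TELESCOPE_LOG).items():
        print(f"{src:15} pkts={p.packets:3} hosts={len(p.hosts):3} ports={len(p.ports):3} "
              f"ics={dict(p.ics_hits)} -> {p.classify()}")
```

On real telescope data the thresholds would be set from the size of the monitored space and the observation window, and the per-protocol counts feed the "who is searching" question directly: a source that touches only Modbus across thousands of addresses is a different actor from one sweeping every port on a handful of hosts.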
