Modern Industrial Control Systems (ICSs) allow
remote communication through the Internet using industrial
protocols that were not designed to work with external networks.
To understand security issues related to this practice, prior work
usually relies on active scans by researchers or services such as
Shodan. While such scans can identify publicly open ports, they
cannot identify legitimate use of insecure industrial traffic. In
particular, source-based filtering in Network Address Translation
or firewalls prevents detection by active scanning, but does not
ensure that insecure communication is not manipulated in transit.
In this work, we compare Shodan-only analysis with
large-scale traffic analysis at a local Internet Exchange Point (IXP),
based on sFlow sampling. This setup allows us to identify ICS
endpoints actually exchanging industrial traffic over the Internet.
In addition, we are able to detect scanning activities and what other
types of traffic the systems exchange (i.e., IT traffic).
We find that Shodan listed less than 2% of the hosts that
we identified as exchanging industrial traffic, and only 7% of
hosts identified by Shodan actually exchange industrial traffic.
Therefore, Shodan does not allow us to understand the actual use
of insecure industrial protocols on the Internet and the current
security practices in ICS communications. We show that 75.6%
of ICS hosts still rely on unencrypted communications without
integrity protection, leaving those critical systems vulnerable to
malicious attacks.
Preferred Citation
Giovanni Barbieri, Mauro Conti, Nils Tippenhauer and Federico Turrin. Assessing the Use of Insecure ICS Protocols via IXP Network Traffic Analysis. In: International Conference on Computer Communications and Networks (ICCCN). 2021.
Primary Research Area
Threat Detection and Defenses
Name of Conference
International Conference on Computer Communications and Networks (ICCCN)
Legacy Posted Date
2022-04-23
Open Access Type
Green
BibTeX
@inproceedings{cispa_all_3611,
  title = "Assessing the Use of Insecure ICS Protocols via IXP Network Traffic Analysis",
  author = "Barbieri, Giovanni and Conti, Mauro and Tippenhauer, Nils Ole and Turrin, Federico",
  booktitle = "{International Conference on Computer Communications and Networks (ICCCN)}",
  year = "2021",
}