CISPA
Browse

Assessing the Use of Insecure ICS Protocols via IXP Network Traffic Analysis

Download (462.58 kB)
conference contribution
posted on 2023-11-29, 18:18 authored by Giovanni Barbieri, Mauro Conti, Nils Ole TippenhauerNils Ole Tippenhauer, Federico Turrin
Modern Industrial Control Systems (ICSs) allow remote communication through the Internet using industrial protocols that were not designed to work with external networks. To understand security issues related to this practice, prior work usually relies on active scans by researchers or services such as Shodan. While such scans can identify publicly open ports, they cannot identify legitimate use of insecure industrial traffic. In particular, source-based filtering in Network Address Translation or Firewalls prevent detection by active scanning, but do not ensure that insecure communication is not manipulated in transit. In this work, we compare Shodan-only analysis with large- scale traffic analysis at a local Internet Exchange Point (IXP), based on sFlow sampling. This setup allows us to identify ICS endpoints actually exchanging industrial traffic over the Internet. Besides, we are able to detect scanning activities and what other type of traffic is exchanged by the systems (i.e., IT traffic). We find that Shodan only listed less than 2% of hosts that we identified as exchanging industrial traffic, and only 7% of hosts identified by Shodan actually exchange industrial traffic. Therefore, Shodan does not allow to understand the actual use of insecure industrial protocols on the Internet and the current security practices in ICS communications. We show that 75.6% of ICS hosts still rely on unencrypted communications without integrity protection, leaving those critical systems vulnerable to malicious attacks.

History

Preferred Citation

Giovanni Barbieri, Mauro Conti, Nils Tippenhauer and Federico Turrin. Assessing the Use of Insecure ICS Protocols via IXP Network Traffic Analysis. In: International Conference on Computer Communications and Networks (ICCCN). 2021.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

International Conference on Computer Communications and Networks (ICCCN)

Legacy Posted Date

2022-04-23

Open Access Type

  • Green

BibTeX

@inproceedings{cispa_all_3611, title = "Assessing the Use of Insecure ICS Protocols via IXP Network Traffic Analysis", author = "Barbieri, Giovanni and Conti, Mauro and Tippenhauer, Nils Ole and Turrin, Federico", booktitle="{International Conference on Computer Communications and Networks (ICCCN)}", year="2021", }

Usage metrics

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC