Sorry, Shodan is not Enough! Assessing ICS Security via IXP Network Traffic Analysis
share
Modern Industrial Control Systems (ICSs) allow remote communication through the Internet using industrial protocols that were not designed to work with external networks. To understand security issues related to this practice, prior work usually relies on active scans by researchers or services such as Shodan. While such scans can identify public open ports, they are not able to provide details on configurations of the system related to legitimate Industrial Traffic passing the Internet (e.g., source-based filtering in Network Address Translation or Firewalls). In this work, we complement Shodan-only analysis with large-scale traffic analysis at a local Internet Exchange Point (IXP), based on sFlow sampling. This setup allows us to identify ICS endpoints actually exchanging Industrial Traffic over the Internet. Besides, we are able to detect scanning activities and what other type of traffic is exchanged by the systems (i.e., IT traffic). We find that Shodan only listed less than 2 Traffic. Even with manually triggered scans, Shodan only identified 7 as ICS hosts. This demonstrates that active scanning-based analysis is insufficient to understand current security practices in ICS communications. We show that 75.6 integrity protection, leaving those critical systems vulnerable to malicious attacks.
READ FULL TEXT