Modern Industrial Control Systems (ICSs) allow remote communication through
the Internet using industrial protocols that were not designed to work with
external networks. To understand security issues related to this practice,
prior work usually relies on active scans by researchers or services such as
Shodan. While such scans can identify publicly open ports, they cannot identify
legitimate use of insecure industrial traffic. In particular, source-based
filtering in Network Address Translation or firewalls prevents detection by
active scanning, but does not ensure that insecure communication is not
manipulated in transit. In this work, we compare Shodan-only analysis with
large-scale traffic analysis at a local Internet Exchange Point (IXP), based on
sFlow sampling. This setup allows us to identify ICS endpoints actually
exchanging industrial traffic over the Internet. In addition, we are able to detect
scanning activity and what other types of traffic the systems exchange
(i.e., IT traffic). We find that Shodan only listed less than 2% of hosts that
we identified as exchanging industrial traffic, and only 7% of hosts identified
by Shodan actually exchange industrial traffic. Therefore, Shodan alone does not
allow one to understand the actual use of insecure industrial protocols on the Internet
or the current security practices in ICS communications. We show that 75.6% of
ICS hosts still rely on unencrypted communications without integrity
protection, leaving those critical systems vulnerable to malicious attacks.
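The following is an added example, not code from the paper or its authors, that sketches the measurement logic the abstract describes: sampled flow records (here constructed in the style of sFlow header samples) are classified by industrial protocol port, hosts that genuinely exchange industrial traffic are separated from scanners that only send SYN probes, the IT traffic those ICS hosts also carry is noted, and the resulting host set is compared against a constructed Shodan-style list to obtain the two overlap fractions the abstract reports. The port-to-protocol mapping, the scan threshold, and all addresses are assumptions for the example.

```python
"""Added example (not the paper's code): classify constructed sFlow-style
packet samples, separate ICS hosts that really exchange traffic from
scanners, and compare the host set with a constructed Shodan-style list."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed mapping of well-known ICS ports to protocols (not taken from the paper).
ICS_PORTS = {502: "Modbus/TCP", 102: "Siemens S7 (ISO-TSAP)",
             20000: "DNP3", 44818: "EtherNet/IP", 47808: "BACnet/IP"}


@dataclass(frozen=True)
class FlowSample:
    """One sampled packet header, as an sFlow collector would export it."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str   # "tcp" or "udp"
    flags: str   # TCP flag letters ("S", "SA", "PA", ...), "" for UDP


def is_probe(s):
    """A bare SYN carries no industrial payload: it is only a connection attempt."""
    return s.proto == "tcp" and s.flags == "S"


def classify_hosts(samples, scan_threshold=3):
    """Return (exchanging, scanners, it_ports).

    exchanging: hosts on either side of an ICS-port flow where the client sent
                payload-bearing packets AND the server answered from the ICS port.
    scanners:   sources whose only ICS-port activity is SYN probes to at least
                scan_threshold distinct destinations (threshold is an assumption).
    it_ports:   per exchanging host, non-ICS destination ports seen in its flows.
    """
    seen = defaultdict(set)           # (client, server, port) -> {"data", "reply"}
    probe_targets = defaultdict(set)  # probing source -> destinations probed
    for s in samples:
        if s.dport in ICS_PORTS:
            if is_probe(s):
                probe_targets[s.src].add(s.dst)
            else:
                seen[(s.src, s.dst, s.dport)].add("data")
        elif s.sport in ICS_PORTS:
            # Reverse direction: the server answering from the ICS port.
            seen[(s.dst, s.src, s.sport)].add("reply")

    exchanging = set()
    for (client, server, _port), marks in seen.items():
        if marks >= {"data", "reply"}:
            exchanging.update((client, server))

    scanners = {src for src, dsts in probe_targets.items()
                if len(dsts) >= scan_threshold and src not in exchanging}

    it_ports = defaultdict(set)
    for s in samples:
        if s.dport not in ICS_PORTS and s.sport not in ICS_PORTS:
            for host in (s.src, s.dst):
                if host in exchanging:
                    it_ports[host].add(s.dport)
    return exchanging, scanners, dict(it_ports)


def compare_with_shodan(exchanging, shodan_hosts):
    """The two fractions the abstract reports: share of traffic-identified hosts
    that Shodan lists, and share of Shodan hosts that actually exchange traffic."""
    both = exchanging & shodan_hosts
    return {"overlap": len(both),
            "share_of_traffic_hosts_in_shodan": len(both) / len(exchanging) if exchanging else 0.0,
            "share_of_shodan_hosts_exchanging": len(both) / len(shodan_hosts) if shodan_hosts else 0.0}


# Constructed samples using documentation address ranges (RFC 5737).
SAMPLES = [
    FlowSample("198.51.100.10", "203.0.113.5", 50123, 502, "tcp", "PA"),    # Modbus client -> PLC
    FlowSample("203.0.113.5", "198.51.100.10", 502, 50123, "tcp", "PA"),    # PLC reply
    FlowSample("198.51.100.11", "203.0.113.6", 50200, 102, "tcp", "PA"),    # S7 pair
    FlowSample("203.0.113.6", "198.51.100.11", 102, 50200, "tcp", "PA"),
    FlowSample("198.51.100.12", "203.0.113.7", 50300, 20000, "tcp", "PA"),  # DNP3 pair
    FlowSample("203.0.113.7", "198.51.100.12", 20000, 50300, "tcp", "PA"),
    FlowSample("192.0.2.99", "203.0.113.5", 40001, 502, "tcp", "S"),        # scanner: SYN probes
    FlowSample("192.0.2.99", "203.0.113.6", 40002, 502, "tcp", "S"),
    FlowSample("192.0.2.99", "203.0.113.8", 40003, 502, "tcp", "S"),
    FlowSample("192.0.2.99", "203.0.113.9", 40004, 502, "tcp", "S"),
    FlowSample("203.0.113.5", "192.0.2.99", 502, 40001, "tcp", "SA"),       # one host answers the probe
    FlowSample("198.51.100.10", "203.0.113.5", 50400, 443, "tcp", "PA"),    # IT traffic between ICS hosts
    FlowSample("198.51.100.20", "203.0.113.40", 50500, 443, "tcp", "PA"),   # unrelated web flow
]

# Constructed Shodan-style list: one genuinely exchanging host, two that are not.
SHODAN_HOSTS = {"203.0.113.5", "203.0.113.50", "203.0.113.51"}


def run():
    exchanging, scanners, it_ports = classify_hosts(SAMPLES)
    return exchanging, scanners, it_ports, compare_with_shodan(exchanging, SHODAN_HOSTS)


if __name__ == "__main__":
    for label, value in zip(("exchanging", "scanners", "IT ports", "comparison"), run()):
        print(f"{label}: {value}")
```

The host that answers the scanner's probe with a SYN-ACK is deliberately not counted as exchanging on that flow: with sampled headers alone, a reply to a probe says only that the port is open, which is exactly the distinction between a Shodan-style listing and observed industrial exchange.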