Modern Industrial Control Systems (ICSs) allow remote communication through the Internet using industrial protocols that were not designed to work with external networks. To understand security issues related to this practice, prior work usually relies on active scans by researchers or services such as Shodan. While such scans can identify publicly open ports, they cannot identify legitimate use of insecure industrial traffic. In particular, source-based filtering in Network Address Translation or Firewalls prevent detection by active scanning, but do not ensure that insecure communication is not manipulated in transit. In this work, we compare Shodan-only analysis with large- scale traffic analysis at a local Internet Exchange Point (IXP), based on sFlow sampling. This setup allows us to identify ICS endpoints actually exchanging industrial traffic over the Internet. Besides, we are able to detect scanning activities and what other type of traffic is exchanged by the systems (i.e., IT traffic). We find that Shodan only listed less than 2% of hosts that we identified as exchanging industrial traffic, and only 7% of hosts identified by Shodan actually exchange industrial traffic. Therefore, Shodan does not allow to understand the actual use of insecure industrial protocols on the Internet and the current security practices in ICS communications. We show that 75.6% of ICS hosts still rely on unencrypted communications without integrity protection, leaving those critical systems vulnerable to malicious attacks.
30th International Conference on Computer Communications and Networks, ICCCN 2021, Athens, Greece, July 19-22, 2021