ICScope: Detecting and Measuring Vulnerable ICS Devices Exposed on the Internet

  • Conference paper
Information Systems Security and Privacy (ICISSP 2021, ICISSP 2022)

Abstract

Industrial Control Systems (ICS) play an important role in modern industrial manufacturing and city life, and they are also a critical attack surface. However, many ICS devices are deployed without proper security consideration, such as being exposed to the public Internet without protection. Furthermore, ICS devices are rarely updated or patched because of stability requirements. As a result, Internet-accessible ICS devices generally have publicly known vulnerabilities, which makes them easy victims. In this work, we propose a method to measure the security status of Internet-facing ICS devices passively and develop a prototype, ICScope. With ICScope, we can find vulnerable devices without actively scanning them, since active scanning may have negative effects on their normal operation. ICScope collects device information from multiple public search engines such as Shodan, gets vulnerability information from vulnerability databases such as NVD, and matches the two according to vendor, product, and version. ICScope can deal with the incomplete device data collected from the search engines and takes honeypots into consideration. We use ICScope to conduct a comprehensive evaluation of the ICS devices exposed to the Internet between Dec 2019 and Jan 2020, covering 466K IPs. The result shows that 49.58% of Internet-facing ICS devices have at least one publicly known vulnerability. We also observed a downward trend in the number of ICS devices and their vulnerable percentage during our measurement spanning 1.5 years.
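The matching step the abstract describes (device records joined to vulnerability entries on vendor, product and version), shown as an added illustration that is not ICScope's code. The record layout, function names, placeholder vulnerability ids and the way records with missing fields are classified are all assumptions, since the abstract does not say how ICScope treats incomplete data.

```python
import re

# Constructed vulnerability entries (placeholder ids, not real NVD records).
# Each entry names a vendor, a product and an inclusive affected-version range.
VULNS = [
    {"id": "VULN-PLACEHOLDER-1", "vendor": "examplecorp", "product": "plc-100", "min": "1.0", "max": "2.3"},
    {"id": "VULN-PLACEHOLDER-2", "vendor": "examplecorp", "product": "plc-100", "min": "2.0", "max": "2.9"},
    {"id": "VULN-PLACEHOLDER-3", "vendor": "acme", "product": "hmi panel", "min": "0", "max": "4.1.2"},
]

# Constructed device records, shaped like search-engine results (documentation IP range).
DEVICES = [
    {"ip": "192.0.2.10", "vendor": "ExampleCorp", "product": "PLC-100", "version": "v2.1"},
    {"ip": "192.0.2.11", "vendor": "ExampleCorp ", "product": "PLC-100", "version": "3.0"},
    {"ip": "192.0.2.12", "vendor": "ACME", "product": "HMI  Panel", "version": None},
    {"ip": "192.0.2.13", "vendor": None, "product": "PLC-100", "version": "2.1"},
]

def norm(s):
    """Lowercase and collapse whitespace so banner text compares with database names."""
    return re.sub(r"\s+", " ", s).strip().lower() if s else None

def ver_key(v):
    """Turn 'v2.1' or '2.10.1' into a tuple of ints so 2.10 sorts after 2.9."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def match(device, vulns=VULNS):
    """Return (status, ids). Status is 'vulnerable', 'possible' (version unknown),
    'not_matched', or 'incomplete' (vendor or product missing)."""
    vendor, product = norm(device["vendor"]), norm(device["product"])
    if not vendor or not product:
        return "incomplete", []
    cands = [v for v in vulns if v["vendor"] == vendor and v["product"] == product]
    if not cands:
        return "not_matched", []
    dv = ver_key(device["version"] or "")
    if not dv:
        # Assumption: without a usable version, report candidates but do not confirm them.
        return "possible", [v["id"] for v in cands]
    hits = [v["id"] for v in cands if ver_key(v["min"]) <= dv <= ver_key(v["max"])]
    return ("vulnerable", hits) if hits else ("not_matched", [])

def summarize(devices=DEVICES):
    """Classify every device record, keyed by IP."""
    return {d["ip"]: match(d) for d in devices}

if __name__ == "__main__":
    for ip, (status, ids) in summarize().items():
        print(ip, status, ids)
```

Keeping "possible" and "incomplete" apart from "vulnerable" stops records with missing fields from inflating a vulnerable-device percentage.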

An earlier version appeared at the 7th International Conference on Information Systems Security and Privacy (ICISSP 2021). Yixiong Wu and Shangru Song contributed equally to this work.

Notes

  1. https://fofa.so/

  2. An internal device search engine newly developed by QiAnXin, China in 2018.

  3. https://honeyscore.shodan.io/

Acknowledgements

This work was supported in part by the National Natural Science Foundation of China under Grant U1936121. We would like to thank all anonymous reviewers for their valuable feedback, which greatly helped us improve this paper. We would also like to thank Yuxiang Lu, Zhenbang Ma, and Yu Wang for their help with our work.

Corresponding author

Correspondence to Jianwei Zhuge.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Wu, Y. et al. (2023). ICScope: Detecting and Measuring Vulnerable ICS Devices Exposed on the Internet. In: Mori, P., Lenzini, G., Furnell, S. (eds) Information Systems Security and Privacy. ICISSP 2021, ICISSP 2022. Communications in Computer and Information Science, vol 1851. Springer, Cham. https://doi.org/10.1007/978-3-031-37807-2_1

  • DOI: https://doi.org/10.1007/978-3-031-37807-2_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-37806-5

  • Online ISBN: 978-3-031-37807-2

  • eBook Packages: Computer Science, Computer Science (R0)
