research-article

Industrial control protocols in the Internet core: Dismantling operational practices

Published: 10 January 2022

Summary

Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have since been adapted to Internet transport and support wide‐area communication. As a result, ICS now exchange insecure traffic at the inter‐domain level, putting at risk not only critical infrastructure but also the Internet ecosystem (e.g., as reflectors in DRDoS attacks). In this paper, we measure and analyze inter‐domain ICS traffic at two central Internet vantage points, an IXP and an ISP. These traffic observations are correlated with data from honeypots and Internet‐wide scans to separate industrial from non‐industrial ICS traffic. We uncover mainly unprotected inter‐domain ICS traffic and provide an in‐depth view of Internet‐wide ICS communication. Our results can be used (i) to create precise filters for potentially harmful non‐industrial ICS traffic and (ii) to detect ICS that send unprotected inter‐domain traffic and are therefore exposed to eavesdropping and traffic manipulation. Additionally, we survey recent security extensions of ICS protocols, of which we find very little deployment, and estimate an upper bound on the deployment status of ICS security protocols in the Internet core.

Graphical Abstract

Industrial control systems exchange insecure traffic over the Internet which makes them prone to various attacks. By utilizing multiple data sources (IXP, ISP, honeypots, and scan projects), we detect and analyze inter‐domain ICS traffic exchanged by real deployments. We survey recent security extensions of ICS protocols, of which we find very little deployment, and estimate an upper bound of the deployment status for ICS security protocols in the Internet core.
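As an added example (not code from the paper; the authors' actual heuristics and data are not given on this page), the following Python sketch shows the kind of correlation the abstract describes: flow records seen at a vantage point are labelled non‐industrial when their source falls in a known scan‐project prefix or was observed at an ICS honeypot, and the remaining industrial flows are split by whether they use a cleartext ICS port or the TLS variant of the same protocol. The port numbers are the standard ones, but the scanner prefix list, the honeypot source set and the sample flows are constructed for illustration, and the split into "plain" and "secure" by destination port alone is an assumption of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known ICS service ports (port numbers are real; the "plain"/"secure"
# split is the only attribute this toy example uses). Assumption: a flow to a
# TLS port counts as protected without checking the handshake, which is why
# the share computed below is an upper bound, not a measurement.
ICS_PORTS = {
    ("tcp", 502):   ("modbus",      "plain"),
    ("tcp", 802):   ("modbus",      "secure"),   # Modbus/TCP Security (TLS)
    ("tcp", 20000): ("dnp3",        "plain"),
    ("tcp", 19999): ("dnp3",        "secure"),   # DNP3 over TLS (IEEE 1815)
    ("tcp", 44818): ("ethernet-ip", "plain"),
    ("tcp", 2221):  ("ethernet-ip", "secure"),   # CIP Security (TLS)
    ("tcp", 102):   ("s7comm",      "plain"),
    ("tcp", 2404):  ("iec104",      "plain"),
    ("udp", 47808): ("bacnet",      "plain"),
}

# Constructed stand-ins for the external data sources the abstract mentions:
# prefixes of known scan projects, and sources that contacted an ICS honeypot.
SCANNER_PREFIXES = [ip_network("198.51.100.0/24")]
HONEYPOT_SOURCES = {"192.0.2.20"}


@dataclass(frozen=True)
class Flow:
    src: str      # initiator of the connection
    dst: str      # ICS endpoint (listening side)
    proto: str    # "tcp" or "udp"
    dport: int


def classify(flow, scanner_prefixes=SCANNER_PREFIXES, honeypot_sources=HONEYPOT_SOURCES):
    """Return (protocol, label) or None for non-ICS traffic.

    label is "non-industrial" when the source is a known scanner or was seen
    at a honeypot, otherwise "industrial-plain" or "industrial-secure".
    """
    entry = ICS_PORTS.get((flow.proto.lower(), flow.dport))
    if entry is None:
        return None
    protocol, security = entry
    src = ip_address(flow.src)
    if flow.src in honeypot_sources or any(src in net for net in scanner_prefixes):
        return (protocol, "non-industrial")
    return (protocol, "industrial-" + security)


def summarize(flows, scanner_prefixes=SCANNER_PREFIXES, honeypot_sources=HONEYPOT_SOURCES):
    """Produce the two outputs the abstract names, filter rules for
    non-industrial ICS traffic and the ICS endpoints still talking in clear,
    plus an upper bound on the share of industrial flows using a secure variant."""
    counts = {"non-industrial": 0, "industrial-plain": 0, "industrial-secure": 0, "ignored": 0}
    filters = set()
    unprotected = set()
    for flow in flows:
        result = classify(flow, scanner_prefixes, honeypot_sources)
        if result is None:
            counts["ignored"] += 1
            continue
        protocol, label = result
        counts[label] += 1
        if label == "non-industrial":
            filters.add((flow.src, flow.proto, flow.dport))   # candidate ACL/IDS rule
        elif label == "industrial-plain":
            unprotected.add((flow.dst, protocol))             # device to notify
    industrial = counts["industrial-plain"] + counts["industrial-secure"]
    upper_bound = counts["industrial-secure"] / industrial if industrial else 0.0
    return {
        "counts": counts,
        "filters": sorted(filters),
        "unprotected_endpoints": sorted(unprotected),
        "secure_share_upper_bound": upper_bound,
    }


# Constructed sample flows (RFC 5737 documentation prefixes only).
SAMPLE_FLOWS = [
    Flow("198.51.100.10",  "203.0.113.5",  "tcp", 502),    # scan project -> filter
    Flow("192.0.2.20",     "203.0.113.5",  "tcp", 502),    # honeypot-known source -> filter
    Flow("192.0.2.77",     "203.0.113.9",  "tcp", 502),    # real Modbus, cleartext
    Flow("192.0.2.77",     "203.0.113.9",  "tcp", 802),    # same peer, Modbus/TCP Security
    Flow("192.0.2.88",     "203.0.113.30", "tcp", 20000),  # real DNP3, cleartext
    Flow("192.0.2.88",     "203.0.113.30", "tcp", 443),    # not ICS, ignored
    Flow("192.0.2.99",     "203.0.113.40", "udp", 47808),  # real BACnet, cleartext UDP
    Flow("198.51.100.200", "203.0.113.40", "udp", 47808),  # scanner probing BACnet -> filter
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_FLOWS), indent=2))
```

On the sample data three of the eight flows are scanner or honeypot‐correlated and become filter candidates, three industrial flows use cleartext ports, and one uses Modbus/TCP Security, so the secure share is 0.25. Counting every flow to a TLS port as protected without inspecting the handshake is exactly what makes that number an upper bound; a real pipeline would also want the honeypot and scanner lists refreshed per measurement window, since scanner infrastructure churns.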


Cited By

  • (2024) Modeling and Controller Design of a Cloud-Based Control Switching System in an Uncertain Network Environment. Journal of Network and Systems Management 32(4). https://doi.org/10.1007/s10922-024-09850-8 (published 8 Aug 2024)
  • (2022) Detecting IKEv1 Man-in-the-Middle Attack with Message-RTT Analysis. Wireless Communications & Mobile Computing 2022. https://doi.org/10.1155/2022/2605684 (published 1 Jan 2022)
  • (2022) Feasibility of critical infrastructure protection using network functions for programmable and decoupled ICS policy enforcement over WAN. International Journal of Critical Infrastructure Protection 39(C). https://doi.org/10.1016/j.ijcip.2022.100573 (published 1 Dec 2022)
  • (2021) QUICsand. Proceedings of the 21st ACM Internet Measurement Conference, 283-291. https://doi.org/10.1145/3487552.3487840 (published 2 Nov 2021)


Published In

International Journal of Network Management, Volume 32, Issue 1
January/February 2022
176 pages
EISSN: 1099-1190
DOI: 10.1002/nem.v32.1
This is an open access article under the terms of the Creative Commons Attribution‐NonCommercial‐NoDerivs License, which permits use and distribution in any medium, provided the original work is properly cited, the use is non‐commercial and no modifications or adaptations are made.

      Publisher

      John Wiley & Sons, Inc.

      United States
