Sorry, Shodan is not Enough! Assessing ICS Security via IXP Network Traffic Analysis

Modern Industrial Control Systems (ICSs) allow remote communication through the Internet using industrial protocols that were not designed to work with external networks. To understand security issues related to this practice, prior work usually relies on active scans by researchers or services such as Shodan. While such scans can identify public open ports, they are not able to provide details on configurations of the system related to legitimate Industrial Traffic passing the Internet (e.g., source-based filtering in Network Address Translation or Firewalls). In this work, we complement Shodan-only analysis with large-scale traffic analysis at a local Internet Exchange Point (IXP), based on sFlow sampling. This setup allows us to identify ICS endpoints actually exchanging Industrial Traffic over the Internet. Besides, we are able to detect scanning activities and what other type of traffic is exchanged by the systems (i.e., IT traffic). We find that Shodan only listed less than 2% of hosts that we identified as exchanging Industrial Traffic. Even with manually triggered scans, Shodan only identified 7% of them as ICS hosts. This demonstrates that active scanning-based analysis is insufficient to understand current security practices in ICS communications. We show that 75.6% of ICS hosts rely on unencrypted communications without integrity protection, leaving those critical systems vulnerable to malicious attacks.