Passive inference of attacks on SCADA communication protocols

Abstract

The security of industrial Cyber-Physical Systems (CPS) has been recently receiving significant attention from the research community. While the majority of such attention originates from the control theory domain, very few works proposed viable approaches to the problem from the practical perspective. In this work, we do not claim that we propose a particular solution to a specific problem related to CPS security, but rather present a first look into what can help shape these solutions in the future. Indeed, our vision and ultimate goal is to attempt to merge or at least diminish the gap between highly theoretical solutions and practical approaches derived from insightful empirical experimentation, for securing CPS. Towards this goal, in this work, we present what we believe is the first specimen ever of passive measurements of real attacks on CPS communication protocols. By analyzing a recent one-week dataset rendered by 20 GB of unsolicited real traffic targeting half a million routable, allocated but unused Internet Protocol (IP) addresses, we shed the light on attackers' intention and actual attacks targeting CPS. Specifically, we characterize such attacks in terms of their types, their frequency, their target protocols and possible orchestration behavior. Our results demonstrate a staggering 3 thousand scanning attempts and close to 2 thousand denial of service attacks on various CPS communication protocols. One insightful observation from our work is the fact that attackers are not interested in exploiting the Modbus protocol; in contrast to most literature works that are extensively dedicating their research efforts to devise secure models for Modbus. We hope that this paper motivates the literature to design secure and tailored CPS models that leverage tangible attacks and vulnerabilities inferred from empirical measurements, to achieve truly reliable and secure CPS.