Understanding the Usage of Industrial Control System Devices on the Internet

Abstract

Industrial control system (ICS) devices play a crucial role in critical infrastructures, such as power grid. In recent years, numerous ICS devices are accessible on the Internet, resulting in potential security issues. However, there is a lack of deep understanding of these devices’ characteristics in the cyberspace. In this paper, we take the first step in this direction by investigating these visible ICS devices on the Internet. Because of the critical nature of ICSs, the detection of online ICS devices should be done in a nonintrusive and timely manner. We first analyze 17 industrial protocols widely used in ICSs and train a probability model through the learning algorithm to improve detection accuracy. Then, we discover online ICS devices in the IPv4 space while reducing the negative effects caused by industrial honeypots and dynamic IP addresses. To observe the dynamics of ICS devices in a relatively long run, we have deployed our discovery system on Amazon EC2 and detected online ICS devices in the whole IPv4 space for eight times from August 2015 to March 2016. Based on the ICS device data collection, we conduct a comprehensive data analysis to characterize the usage of ICS devices, especially in answer to the following three questions: 1) what are the distribution features of ICS devices; 2) who use these ICS devices; and 3) what are the functions of these ICS devices.