Industrial control systems have enabled the digitalization and automation of industrial production and services, such as electric power plants, the electric grid, and water supply networks. Because of their critical role, any exposure to the public Internet makes them vulnerable to attacks that may have catastrophic consequences.
In this paper, we report that readily available application-layer scanning on all ports opens new avenues to assess the exposure of devices running industrial control protocols, avenues that were not possible with the previously proposed active port scanning. We consider 17 widely used industrial control system protocols and develop a methodology that unveils around 150 thousand industrial control systems exposed around the globe. Our study shows that many allegedly exposed industrial control systems are in fact honeypots that emulate industrial protocols. Our methodology infers the presence of honeypots and classifies them into three tiers according to the confidence that they act as honeypots: low, medium, and high. The classification relies on large-scale application-layer scanning on all ports and on multiple independent attributes, including network information, the number of open ports, and known honeypot signatures. Our results show that 15% to 25% of the exposed industrial control systems are honeypots, two-thirds of which fall into the medium- or high-confidence tiers. These results challenge previous reports on the prevalence and distribution of exposed industrial control systems. The developed methodology enables industry operators to assess their exposed assets and helps protection teams create stealthier honeypots.
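The tiered classification sketched above can be illustrated with a small triage script. The following is an added example, not code from the paper: it combines the attributes the abstract names (network information, number of open ports, known honeypot signatures) with the number of distinct ICS protocols a host answers on, counts how many independent signals fire, and maps that count to a low/medium/high confidence tier. The thresholds, the signature strings, the network-type labels and the sample scan records are all assumptions constructed for this illustration; the paper's actual rules and signature list are not given in the abstract.

```python
"""Triage application-layer ICS scan results into honeypot-confidence tiers.

Added example, not the paper's code. Attributes follow the abstract; all
thresholds, signature strings and sample records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed: banner fragments that a defender has catalogued as belonging to
# honeypot software. These strings are constructed placeholders.
KNOWN_HONEYPOT_SIGNATURES = (
    "example-honeypot-plc-v1",
    "generic emulated rtu",
)

# Assumed thresholds: a real PLC or RTU typically speaks one or two ICS
# protocols and exposes few TCP ports; hosts in cloud/hosting networks are
# unusual places for field equipment.
MAX_PROTOCOLS_FOR_REAL_DEVICE = 2
MAX_OPEN_PORTS_FOR_REAL_DEVICE = 10
HOSTING_NETWORK_TYPES = {"cloud", "hosting"}


@dataclass
class ScanRecord:
    ip: str
    protocols: List[str]   # ICS protocols that answered at the application layer
    open_ports: int        # total open TCP ports found by the all-port scan
    network_type: str      # coarse classification derived from IP/ASN metadata
    banners: List[str]     # banner text collected from the ICS services


def honeypot_signals(rec: ScanRecord) -> List[str]:
    """Return the independent attributes that point to a honeypot."""
    signals = []
    if len(set(rec.protocols)) > MAX_PROTOCOLS_FOR_REAL_DEVICE:
        signals.append("many_ics_protocols")
    if rec.open_ports > MAX_OPEN_PORTS_FOR_REAL_DEVICE:
        signals.append("many_open_ports")
    if rec.network_type in HOSTING_NETWORK_TYPES:
        signals.append("hosting_network")
    lowered = [b.lower() for b in rec.banners]
    if any(sig in b for b in lowered for sig in KNOWN_HONEYPOT_SIGNATURES):
        signals.append("known_signature")
    return signals


def confidence_tier(signals: List[str]) -> str:
    """Map the number of independent signals to a confidence tier."""
    n = len(signals)
    if n == 0:
        return "not_flagged"
    if n == 1:
        return "low"
    if n == 2:
        return "medium"
    return "high"


def classify(records: List[ScanRecord]) -> Dict[str, str]:
    """Assign every scanned host a tier keyed by IP address."""
    return {r.ip: confidence_tier(honeypot_signals(r)) for r in records}


def honeypot_share(tiers: Dict[str, str]) -> float:
    """Fraction of exposed hosts flagged as honeypots at any confidence."""
    if not tiers:
        return 0.0
    flagged = sum(1 for t in tiers.values() if t != "not_flagged")
    return flagged / len(tiers)


# Constructed sample records using documentation address space (RFC 5737).
SAMPLE_RECORDS = [
    ScanRecord("192.0.2.10", ["modbus"], 2, "industrial", ["site plc unit 3"]),
    ScanRecord("192.0.2.20", ["modbus", "s7comm", "bacnet", "enip"], 35, "cloud",
               ["Example-Honeypot-PLC-v1 ready"]),
    ScanRecord("192.0.2.30", ["modbus", "dnp3", "iec104"], 4, "residential", []),
    ScanRecord("192.0.2.40", ["s7comm"], 25, "hosting", []),
]

if __name__ == "__main__":
    tiers = classify(SAMPLE_RECORDS)
    for ip, tier in tiers.items():
        print(f"{ip:12} {tier}")
    print(f"honeypot share: {honeypot_share(tiers):.2f}")
```

Each attribute is counted once regardless of how strongly it fires, so the tier reflects how many independent lines of evidence agree rather than the weight of any single one; in practice an operator would tune the thresholds against known-real assets before trusting the medium and high tiers.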