Abstract

Industrial control systems have become ubiquitous, enabling the remote, electronic control of physical equipment and sensors. Originally designed to operate on closed networks, the protocols used by these devices have no built-in security. However, despite this, an alarming number of systems are connected to the public Internet and an attacker who finds a device often can cause catastrophic damage to physical infrastructure. We consider two aspects of ICS security in this work: (1) what devices have been inadvertently exposed on the public Internet, and (2) who is searching for vulnerable systems. First, we implement five common SCADA protocols in ZMap and conduct a survey of the public IPv4 address space finding more than 60K publicly accessible systems. Second, we use a large network telescope and high-interaction honeypots to find and profile actors searching for devices. We hope that our findings can both motivate and inform future work on securing industrial control systems.