The Landscape of Industrial Control Systems (ICS) Devices on the Internet

Abstract

Industrial control systems are employed in numerous critical infrastructure assets. Originally designed for closed systems, these protocols do not have built-in security. If these systems are the target of a cyberattack, it will cause serious damage to the physical world, However, there is an increasing number of ICS devices on the Internet. In order to study the number, distribution and trend of these systems, we analyzed the Censys scanning data for the five protocols of Modbus, Siemens S7, DNP3, BACnet, Tridium Fox. We find that there are still a large number of devices exposed on the Internet, distributed in more than 100 countries around the world, and the overall number of devices has been on the rise in the last two years. Separately, in the past two years, the number of Modbus and Siemens S7 protocol continued to grow rapidly, the number of DNP3 protocol devices has declined, and the number of BACnet and Tridium Fox protocol devices has basically remained unchanged. By analyzing the IP addresses of these devices, we find that some of the devices are continually exposed to the Internet, and some of the devices are temporarily exposed. We also find some Conpot honeypot records in these data.