Cyber Threat Investigation of SCADA Modbus Activities
Authors: Claude Fachkha
Venue: 2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS)
Publication date: 2019-06-24
DOI: 10.1109/NTMS.2019.8763817 (https://doi.org/10.1109/NTMS.2019.8763817)
Citation count: 12
The inter-connectivity of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) networks in smart technologies has exposed them to a large variety of security threats. Furthermore, very few investigations have been done in this field from the Internet (cyber) perspective. Therefore, this paper investigates unauthorized, malicious and suspicious SCADA activities by leveraging the darknet address space. In particular, this work investigates the Modbus service, a de facto standard communication protocol and the most available and most used one for connecting electronic devices in critical and industrial infrastructures. This study is based on real Internet data collected throughout a one-month period. Among the 8 inferred scanning activities, we find that the TCP distributed portscan is the only non-typical Modbus scan. Furthermore, our analyses fingerprint a large variety of Modbus scanners and uncover 6 other services that tag along with Modbus 74% of the time. Finally, we list case studies related to synchronized and automated SCADA scanning campaigns originating from unknown sources.