ICScope: Detecting and Measuring Vulnerable ICS Devices Exposed on the Internet.

Yixiong Wu, Shangru Song, Jianwei Zhuge, Tingting Yin, Tianyi Li, Junmin Zhu, Guannan Guo, Yue Liu, Jianju Hu

ICISSP (Revised Selected Papers) (2022)

Industrial Control Systems (ICS) play an important role in modern industrial manufacturing and city life, and they are also a critical attack surface. However, many ICS devices are deployed without proper security consideration, such as being exposed to the public Internet without protection. Furthermore, ICS devices are rarely updated or patched because of stability requirements. As a result, Internet-accessible ICS devices generally have publicly known vulnerabilities, which makes them easy victims. In this work, we propose a method to measure the security status of Internet-facing ICS devices passively and develop a prototype, ICScope. With ICScope, we can find vulnerable devices without actively scanning them, since active scanning may negatively affect their normal operation. ICScope collects device information from multiple public search engines like Shodan, gets vulnerability information from vulnerability databases like NVD, and matches them according to vendor, product, and version. ICScope can deal with the incomplete device data collected from the search engines and takes honeypots into consideration. We use ICScope to launch a comprehensive evaluation of the ICS devices exposed to the Internet between Dec 2019 and Jan 2020, including 466K IPs. The result shows that 49.58% of Internet-facing ICS devices have at least one publicly known vulnerability. We also observed a downward trend in the number of ICS devices and their vulnerable percentage during our measurement spanning 1.5 years.
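The passive matching step described in the abstract can be sketched as follows. This is an added example, not ICScope's code: the record fields, the `honeypot` flag, the status labels, the inclusive version-range model and all sample data (vendor, product, IDs, RFC 5737 addresses) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:                 # one search-engine record (hypothetical fields)
    ip: str
    vendor: Optional[str]
    product: Optional[str]
    version: Optional[str]
    honeypot: bool = False    # assumed to be set by an earlier filtering step

@dataclass
class Vuln:                   # one vulnerability-database entry (hypothetical fields)
    vuln_id: str
    vendor: str
    product: str
    first: str                # first affected version, inclusive
    last: str                 # last affected version, inclusive

def norm(s):
    """Case- and whitespace-insensitive key for vendor/product names."""
    return " ".join(s.lower().split()) if s else None

def ver(s):
    """Parse '2.4.1' into (2, 4, 1, 0); None when missing or not dotted-numeric."""
    try:
        parts = [int(p) for p in s.strip().lstrip("vV").split(".")]
    except (AttributeError, ValueError):
        return None
    return tuple(parts + [0] * (4 - len(parts)))  # pad so '2.9' == '2.9.0'

def classify(dev, vulns):
    """Return (status, matched_ids) without ever contacting the device."""
    if dev.honeypot:
        return "honeypot", []
    vendor, product, v = norm(dev.vendor), norm(dev.product), ver(dev.version)
    if not vendor or not product or v is None:
        return "incomplete", []   # do not guess when the record lacks a field
    hits = [x.vuln_id for x in vulns
            if (norm(x.vendor), norm(x.product)) == (vendor, product)
            and ver(x.first) <= v <= ver(x.last)]
    return ("vulnerable" if hits else "no-known-vuln"), hits

# Constructed sample data: placeholder ID, made-up vendor, RFC 5737 addresses.
VULNS = [Vuln("VULN-PLACEHOLDER-1", "ExampleCorp", "PLC-100", "2.0", "2.9.9")]
DEVICES = [
    Device("192.0.2.10", "examplecorp", "PLC-100", "2.4.1"),
    Device("192.0.2.11", "ExampleCorp", "PLC-100", "3.0"),
    Device("192.0.2.12", "ExampleCorp", "PLC-100", None),
    Device("192.0.2.13", "ExampleCorp", "PLC-100", "2.4.1", honeypot=True),
]
```

Keeping "incomplete" and "honeypot" as separate outcomes prevents records with missing versions or decoy hosts from inflating or deflating the vulnerable percentage.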
