Aperture Podcast: Mauro Conti on Assessing the Use of Insecure ICS Protocols
By Michael Mimoso | March 11, 2021
As more companies connect industrial networks and devices to the internet, they’re doing so over insecure protocols that are often vulnerable by design, most notably lacking encryption and authentication services.
A research paper published in 2020 explores the severity of this issue, and unlike past work that depended on active-scanning services such as Shodan to detect exposed industrial control systems, this one was able to passively access traffic from an Internet Exchange Point in order to get a clearer picture of industrial traffic.
The results were not encouraging. Professor Mauro Conti of the University of Padua, Italy, joins this episode of the Aperture Podcast, to discuss the results he and his colleagues uncovered, as well as the risks they pose to industrial networks and critical infrastructure.
The paper, “Assessing the Use of Insecure ICS Protocols via IXP Network Traffic Analysis,” was written by Conti, Giovanni Barbieri, Nils Ole Tippenhauer, and Federico Turrin of the University of Padua in Italy and the CISPA Helmholtz Center for Information Security in Germany. It points out the reality that the presence of network address translation (NAT) and firewalls may prevent Shodan and other popular services—used to scan the TCP/IP space—from scanning, discovering, and querying industrial devices connected to the internet.
The researchers developed a framework and deployed it at an Italian IXP accessible to the University of Padua that identifies traffic emanating from an industrial host. As it turns out, Shodan listed only 2% of the hosts the researchers’ framework identified as exchanging industrial traffic. Of the traffic listed by the framework, 75.6% of those hosts were using vulnerable ICS communication protocols; protocols such as EtherCAT, PROFINET, ENIP, Modbus, and others do not implement encryption, authentication, or integrity protection by default. This exposes that traffic to attackers who would be able to eavesdrop, and theoretically, modify those packets on the wire.
Many of these organizations also expose network ports reserved for IT systems (64%), many of those affected by a number of CVEs described in the paper.
“Active scanning of the IP address space performed by services such as Shodan is a common practice to detect exposed ICS, however it does not properly represent the real use of insecure industrial protocols,” the researchers wrote.
Conti explored a number of other areas throughout this conversation, including:
- Details about the framework, how it was developed, deployed, and how it collected information
- Whether adversaries would need some sophistication to exploit industrial traffic
- How engineers, operators, and plant managers should look at the takeaways from this paper