Detection of critical infrastructure devices on the public Internet
M.A. Mladenov (TU Delft - Electrical Engineering, Mathematics and Computer Science)
Georgios Smaragdakis – Mentor (TU Delft - Cyber Security)
László Erdődi – Mentor (Norwegian University of Science and Technology (NTNU))
A Hanjalic – Graduation committee member (TU Delft - Intelligent Systems)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Supervisory Control and Data Acquisition (SCADA) systems are sometimes exposed on the public Internet. It is possible to quickly and efficiently identify such exposed services. These systems are commonly part of critical infrastructure, so they need to be protected against cyber attacks. In the past, researchers have scanned the Internet to detect such systems. However, such data may be biased by honeypots: fake hosts, set up by other researchers, that mimic real industrial systems in order to detect malicious attacks.
In this paper, we develop a methodology to discover SCADA systems, classify them as real or honeypots, and analyse the metadata collected from them. We show that a large part of all exposed SCADA services are in fact likely to be honeypots, and we find correlations between independent honeypot-related indicators.