Threat Intelligence Generation Using Network Telescope Data for Industrial Control Systems
| Field | Value |
|---|---|
| Published in | IEEE Transactions on Information Forensics and Security, 2021, Vol. 16, pp. 3355-3370 |
| Main authors | , , , , , , |
| Format | Article |
| Language | English |
| Subject headings | |
| Online access | Order full text |
| Abstract | Industrial Control Systems (ICSs) are cyber-physical systems that offer attractive targets to threat actors due to the scale of damages, both physical and cyber, that successful exploitation can cause. As such, ICSs often find themselves victims of reconnaissance campaigns (coordinated scanning activity that targets a wide subset of the Internet) that aim to discover vulnerable systems. As these campaigns likely scan broad netblocks of the Internet, some traffic is directed to network telescopes, which are routable, allocated, and unused IP space. In this paper, we explore the threat landscape of ICS devices by analyzing and investigating network telescope traffic. Our network traffic analysis tool takes darknet traffic and generates threat intelligence on scanning campaigns targeting ICSs in the form of campaign fragments, which we leverage in new ways to get more in-depth knowledge of the cybersecurity threats. We investigate the payloads of the identified campaigns using a custom Deep Packet Inspection (DPI) technique to dissect and analyze the packets. We found 13 distinct payload templates and deduced their purpose, and by extension the campaign goals. We use machine learning to classify the sources behind the campaigns and identify threat actors such as botnets, malicious attackers, or researchers, and establish a methodology to rank our campaigns to prioritize our analysis. To conduct our analysis of the threats targeting ICSs, we have leveraged 12.85 TB (330 days) of network traffic received by our observed darknet IP space. Combining these investigative threads, we provide a thorough overview of the threat landscape targeting ICS systems. |
| ISSN | 1556-6013, 1556-6021 |
| DOI | 10.1109/TIFS.2021.3078261 |