Characterization Of Cyberattacks Aimed At Integrated Industrial Control And Enterprise Systems: A Case Study

HASE '16: Proceedings of the 2016 IEEE 17th International Symposium on High Assurance Systems Engineering (HASE) (2016)

Abstract
Industrial control system (ICS) security has been a topic of research for several years now, and the growing interconnectedness with enterprise systems (ES) is exacerbating the existing issues. Research efforts, however, are impeded by the lack of data that integrate both types of systems. This paper presents an empirical analysis of malicious activities aimed at an integrated ICS and ES environment using the dataset created and released by the SANS Institute. The contributions of our work include classification of the observed malicious activities according to several criteria, such as the number of steps (i.e., single-step vs. multi-step), targeted technology (i.e., ICS, ES or both), types of cyber-probes and cyberattacks (e.g., port scan, vulnerability scan, information disclosure, code injection, and SQL injection), and protocols used. In addition, we quantified the severity of the attacks' impact on systems. The main empirical findings include: (1) More sophisticated multi-step attacks, which leveraged multiple vulnerabilities, had a higher success rate and led to more severe consequences than single-step attacks; (2) Most malicious cyber activities targeted the embedded servers running on ICS devices rather than the ICS protocols. Specifically, cyber activities based only on ICS protocols accounted for a mere 2% of the total malicious traffic. We conclude the paper with a description of a sample of cybersecurity controls that could have prevented or weakened most of the observed attacks.
Keywords
Industrial control system security, Enterprise system security, SCADA testbed, Attack characterization, Severity