Characterizing Background Noise in ICS Traffic Through a Set of Low Interaction Honeypots
Ferretti, Pietro; Pogliani, Marcello; Zanero, Stefano
2019-01-01
Abstract
Industrial Control Systems (ICS) are nowadays interconnected with various networks and, ultimately, with the Internet. Due to this exposure, malicious actors are interested in compromising ICS — not only for advanced and targeted attacks, but also in the context of more frequent network scanning and mass exploitation of directly Internet-exposed devices. To understand the level of interest towards Internet-connected ICS, we deploy a scalable network of low-interaction ICS honeypots based on the popular conpot framework, integrated with an analysis pipeline, and we analyze the in-the-wild traffic directed through a set of ICS-specific protocols. We present the results of running our honeypots for several months, showing that, although most of the traffic originates from known, legitimate network scanners and follows patterns similar to those of well-known ICS network mapping scripts, we found several requests from unknown actors that do not follow this pattern and may hint at malicious traffic.

File | Size | Format |
---|---|---|
paper.pdf (open access; Post-Print (DRAFT or Author's Accepted Manuscript-AAM)) | 1.7 MB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.