CCS2024

Release the Hounds! Automated Inference and Empirical Security Evaluation of Field-Deployed PLCs Using Active Network Data

Ryan Pickren, Animesh Chhotaray, Frank Li, Saman A. Zonouz, Raheem Beyah

Abstract

Surveying field-deployed Industrial Control System (ICS) equipment has numerous security applications, including attack-surface management and measuring the adoption of vulnerability patches. However, discovering real-world devices using massive Internet-scale scan datasets is tedious and error-prone. We introduce PLCHound, a novel ICS asset discovery solution designed to automatically reveal elusive ICS devices hiding in network data collected by Internet-scale scanners such as Censys or Shodan. Our solution systematically uncovers indirect evidence of controllers using subtle network-based indicators and temporally-resistant signatures that are often overlooked in prior work. We present PLCHound's architecture, experimentally verify its accuracy, and explore the security advantages of enhanced device discovery. We also use PLCHound to perform the largest comprehensive examination of the publicly-reachable population of ICS devices by popular vendors. Our results reveal that the industry-accepted estimates and latest published papers undercount the true number of public devices by up to 37x. We also find that 95.88% of devices expose protocols that cause them to be remotely vulnerable to recent critical CVEs.

CCS Concepts

• Networks → Network protocols; • Security and privacy → Network security; • General and reference → Measurement.