Exposed Infrastructures: Discovery, Attacks and Remediation of Insecure ICS Remote Management Devices

Takayuki Sasaki, Akira Fujita, C. Hernandez Ganan, M.J.G. van Eeten, Katsunari Yoshioka, Tsutomu Matsumoto

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

13 Citations (Scopus)
269 Downloads (Pure)

Abstract

Geographically distributed infrastructures, such as buildings, dams, and solar power plants, are commonly maintained via Internet-connected remote management devices. Previous studies on detecting and securing industrial control systems (ICS) have overlooked these remote management devices, as they do not expose ICS-specific services like Modbus and BACnet and thus do not show up in Internet-wide scans for such services. In this paper, we implement and validate a discovery method for these devices via their Web User Interface (WebUI) and detect 890 devices in Japan alone. We also show that many of these devices are highly insecure. Many allow access to the status or even the control over industrial systems without proper authentication. Taking a closer look at three prevalent remote management devices, we discovered 13 0-day vulnerabilities, several of which were rated as medium or high severity. They have been responsibly disclosed to the manufacturers. By using honeypots that imitate these systems, we show that over time, only a small number of attackers enter these systems, but some do change critical parameters. Attackers appear to interact more with the system when more facility information is displayed on the WebUI. Finally, we notified operators of 317 vulnerable remote management devices by email and telephone. We reached 212 persons in charge of the devices and received confirmation that our method had correctly identified the device. 50% of the persons in charge of the devices stated that they mitigated or will mitigate the problem. We confirmed their actions via a follow-up scan for vulnerable devices and found that measures were taken for 58% of the devices when we could reach the persons in charge of the device.
Original language: English
Title of host publication: Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022
Publisher: IEEE
Pages: 2379-2396
Number of pages: 18
ISBN (Electronic): 9781665413169
Publication status: Published - 2022
Event: 43rd IEEE Symposium on Security and Privacy (SP) - San Francisco, United States
Duration: 22 May 2022 - 26 May 2022
Conference number: 43
https://www.ieee-security.org/TC/SP2022/

Conference

Conference: 43rd IEEE Symposium on Security and Privacy (SP)
Country/Territory: United States
City: San Francisco
Period: 22/05/22 - 26/05/22

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
