Industrial Control Protocols in the Internet Core: Dismantling Operational Practices

Research output: Contribution to journalResearch articleContributedpeer-review



Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure but also the Internet ecosystem (e.g., by DRDoS attacks). In this paper, we measure and analyze inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. These traffic observations are correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We uncover mainly unprotected inter-domain ICS traffic and provide an in-depth view on Internet-wide ICS communication. Our results can be used (i) to create precise filters for potentially harmful non-industrial ICS traffic and (ii) to detect ICS sending unprotected inter-domain ICS traffic, being vulnerable to eavesdropping and traffic manipulation attacks. Additionally, we survey recent security extensions of ICS protocols, of which we find very little deployment. We estimate an upper bound of the deployment status for ICS security protocols in the Internet core.


Original languageEnglish
Article numbere2158
JournalWiley International Journal of Network Management
Issue number1
Publication statusPublished - 1 Jan 2022

External IDs

Scopus 85103661162
ORCID /0000-0002-3825-2807/work/142241892


Research priority areas of TU Dresden

DFG Classification of Subject Areas according to Review Boards

Subject groups, research areas, subject areas according to Destatis

Library keywords