October 29, 2022
Aggregate Attack Surface Management for Network Discovery of Operational Technology
Abstract

Interconnectivity has become a substratum of technology as the benefits of data-driven functionality are being realized in nearly all industries. The convergence of information and operational technology networks exacerbates the risks of increased connectivity as building automation and control systems are becoming exposed to the internet, often inadvertently through misconfigurations as additional network devices come online. Attack surface management (ASM) tools can be used to identify exposed devices by performing external network discovery, which is commonly performed over the internet through web spider technology. These web spiders could enable big data analytics of internet of things devices, as the metadata of internet-exposed equipment are archived in various searchable databases that are made publicly available through the ASM tools. There are a multitude of ASM service providers on the market, and a study was conducted to evaluate several commonly known ASM tools to determine the aggregate attack surface of control systems. Queries were crafted to extract the metadata for edge controllers by targeting commonly known manufacturers and communication protocols found in operational networks. A signature-based categorization method was developed to classify exposed devices using unique identifiers located in the metadata, and each query was replicated between several ASM tool databases to target the same device types between several big data sources. Findings from this study indicate that the attack surface produced by each source individually typically has a great variance, but each source contributed unique devices when a comprehensive attack surface was derived; therefore, all sources should be used in aggregate.
Published: October 29, 2022
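The aggregation idea in the abstract can be sketched as follows. This is an added example, not code from the study: the signatures, source names, vendor string and records are constructed assumptions, and addresses come from documentation ranges. It classifies each record by a metadata signature, merges the sources on (IP, port, category), and reports what each source sees alone versus what only it contributes.

```python
import re
from collections import defaultdict

# Constructed signatures (assumptions, not the study's): banner regex -> category.
SIGNATURES = [
    (re.compile(r"bacnet.*vendor[ _]name:\s*examplecorp", re.I | re.S),
     "ExampleCorp BACnet controller"),
    (re.compile(r"modbus.*unit id", re.I | re.S), "Modbus edge device"),
]

# Constructed sample records per ASM source: (ip, port, banner metadata).
SOURCES = {
    "source_a": [
        ("192.0.2.10", 47808, "BACnet device\nVendor Name: ExampleCorp"),
        ("192.0.2.11", 502, "Modbus/TCP\nUnit ID: 1"),
        ("192.0.2.12", 80, "HTTP/1.1 200 OK\nServer: nginx"),  # no signature
    ],
    "source_b": [
        ("192.0.2.10", 47808, "bacnet\nvendor_name: ExampleCorp"),
        ("198.51.100.7", 502, "MODBUS\nUnit ID: 3"),
        ("198.51.100.8", 47808, "BACnet\nVendor Name: ExampleCorp"),
    ],
    "source_c": [
        ("198.51.100.7", 502, "Modbus\nunit id: 3"),
        ("203.0.113.5", 47808, "BACnet\nVendor Name: ExampleCorp"),
    ],
}

def classify(banner):
    """Return the first matching category, or None for unrecognized metadata."""
    for pattern, category in SIGNATURES:
        if pattern.search(banner):
            return category
    return None

def aggregate(sources):
    """Map each classified device (ip, port, category) to the sources that saw it."""
    seen = defaultdict(set)
    for name, records in sources.items():
        for ip, port, banner in records:
            category = classify(banner)
            if category is not None:
                seen[(ip, port, category)].add(name)
    return dict(seen)

def summarize(sources):
    """Compare per-source counts with the aggregate and each source's unique devices."""
    seen = aggregate(sources)
    per_source = {n: sum(n in s for s in seen.values()) for n in sources}
    unique = {n: sum(s == {n} for s in seen.values()) for n in sources}
    return {"aggregate": len(seen), "per_source": per_source, "unique": unique}
```

On this constructed data the aggregate surface is larger than any single source's view, and every source holds one device that the others miss.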