Security Bsides Las Vegas 2024

Defensive Counting: How to quantify ICS exposure on the Internet when the data is out to get you
2024-08-06, Siena

Security researchers have warned for years about industrial control systems (ICS) connected to the Internet. Reports on the number of devices speaking ICS protocols are often used to illustrate the severity of the problem.

However, while there are indeed many ICS devices connected to the Internet, simply counting everything that looks like it may be ICS is not the most accurate method for measuring ICS exposure. There are many ICS honeypots that should be excluded from these types of analyses, and they range from relatively easy to more challenging to detect. Moreover, many of the devices speaking these protocols aren't connected to critical infrastructure at all, but are personal projects or lab setups.

While large numbers make for click-worthy headlines, we strive to paint a measured yet comprehensive picture of real ICS device exposure on the Internet.

In this talk, we'll discuss the analysis process from data collection to determining whether an ICS protocol is a "real" device, what these numbers mean in context, and why you really can't believe everything you see on the Internet.


Attacks against ICS devices and critical infrastructure have been increasingly making headlines, and it doesn't seem likely that such attacks will slow down anytime soon (e.g., https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a; https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a; https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm).

Over the last several years, some industry reporting on ICS exposure has centered on very large, eye-catching numbers of exposed ICS services. While those headlines garner clicks, we argue that more nuance is needed to understand the actual risk to critical infrastructure.

At Censys, we constantly scan the entire IPv4 space, providing a vast dataset that enables us to ask interesting questions about devices and services connected to the Internet. In this case, we wanted to more accurately quantify ICS exposure.

Not only is a simple count of protocols exposed to the Internet misleading, it also ignores the fact that many of the highest-risk assets are hosts running control panels for ICS devices over HTTP or VNC / RDP. In some cases, hosts with control panels aren't running the actual ICS protocol at all, making it more challenging to accurately count these risky exposures, which could have severe consequences for critical infrastructure.

Our team published some high-level findings around ICS exposures in February (https://censys.com/water-ics-exposures-highlight-vulnerabilities-in-critical-infrastructure-security/).
We've continued to build on these findings, and this talk will present an in-depth look at our most up-to-date methodology for identifying real ICS devices on the Internet. My hope is that this talk will convey how we can more accurately quantify the most pressing, sensitive ICS exposures in a measured, non-sensational way.
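To make the counting problem concrete, here is an added example (not Censys's methodology or code) that walks a set of constructed scan records through the three steps the abstract describes: counting hosts rather than protocol services, excluding likely honeypots, and counting HTTP control panels as exposure even when no ICS protocol is present. The honeypot threshold and the panel keywords are assumed, illustrative heuristics, not the ones used in the talk.

```python
from collections import defaultdict

ICS_PROTOCOLS = {"MODBUS", "S7", "DNP3", "ENIP", "BACNET"}
# Assumed heuristic: a real PLC rarely speaks more than a couple of ICS protocols,
# so a single IP advertising this many distinct ones is treated as a likely honeypot.
HONEYPOT_PROTOCOL_THRESHOLD = 4
# Assumed keywords that mark an HTTP page title as an ICS control panel.
PANEL_KEYWORDS = ("hmi", "scada", "plc")

# Constructed sample scan records, one per observed service (not real scan data).
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 502, "service": "MODBUS"},
    {"ip": "203.0.113.10", "port": 44818, "service": "ENIP"},
    {"ip": "203.0.113.10", "port": 20000, "service": "DNP3"},
    {"ip": "203.0.113.10", "port": 102, "service": "S7"},
    {"ip": "203.0.113.10", "port": 47808, "service": "BACNET"},  # 5 ICS protocols on one IP
    {"ip": "203.0.113.20", "port": 502, "service": "MODBUS"},
    {"ip": "203.0.113.30", "port": 80, "service": "HTTP", "title": "Water Treatment HMI - Login"},
    {"ip": "203.0.113.40", "port": 5900, "service": "VNC"},  # no panel hint: not counted
    {"ip": "203.0.113.50", "port": 502, "service": "MODBUS"},
    {"ip": "203.0.113.50", "port": 80, "service": "HTTP", "title": "PLC Web Interface"},
]

def group_by_host(records):
    """Collapse per-service records into per-host lists of services."""
    hosts = defaultdict(list)
    for rec in records:
        hosts[rec["ip"]].append(rec)
    return hosts

def is_likely_honeypot(services):
    """Flag a host whose distinct ICS protocol count exceeds the assumed threshold."""
    protos = {s["service"] for s in services if s["service"] in ICS_PROTOCOLS}
    return len(protos) >= HONEYPOT_PROTOCOL_THRESHOLD

def has_control_panel(services):
    """True if any HTTP service on the host has a panel-like page title."""
    return any(s["service"] == "HTTP"
               and any(k in s.get("title", "").lower() for k in PANEL_KEYWORDS)
               for s in services)

def quantify_exposure(records):
    """Return the naive service count beside the host-level, honeypot-filtered figures."""
    hosts = group_by_host(records)
    naive = sum(1 for r in records if r["service"] in ICS_PROTOCOLS)
    ics_hosts = {ip for ip, svcs in hosts.items()
                 if any(s["service"] in ICS_PROTOCOLS for s in svcs)}
    honeypots = {ip for ip in ics_hosts if is_likely_honeypot(hosts[ip])}
    panel_hosts = {ip for ip, svcs in hosts.items() if has_control_panel(svcs)}
    real = (ics_hosts - honeypots) | panel_hosts
    return {"naive_service_count": naive, "ics_hosts": len(ics_hosts),
            "likely_honeypots": len(honeypots), "control_panel_hosts": len(panel_hosts),
            "real_exposure_hosts": len(real)}
```

On the sample data the naive protocol count is 7, but only 3 hosts remain after collapsing to hosts, dropping the likely honeypot and adding the panel-only host.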

Emily is a Principal Security Researcher at Censys, where she studies security threats and other interesting Internet phenomena. Previously, she was a security engineer focused on threat hunting, detection, and incident response. She is interested in the application of data science and analytics techniques to problems in security, and in the past has worked on projects related to anti-abuse, fraud, and malicious web app traffic detection.