Emily Austin

Honeypots, HMIs, and Havoc? Investigating the Real Threat Landscape of Internet-Exposed Control Systems

What do we learn about the threat landscape of internet-exposed industrial control systems (ICS) when we combine information from internet-wide scan data with hyper-realistic emulations of critical control systems of a shell utility company? In this research, we paint a holistic picture of the current ICS threat landscape using Censys’ internet scan data and GreyNoise’s observed attack telemetry against these targets.

For years, security researchers have sounded the alarm about ICS being exposed to the internet. Reports on the number of devices that speak protocols like Modbus and Siemens S7 are often used to express how dire the problem is. Recent attacks on internet-connected human-machine interfaces (HMIs) in the water and wastewater sector, such as those in Aliquippa, Pennsylvania, and Muleshoe, Texas, have made headlines. Despite this reporting, we find there is still a dearth of comprehensive information about the threat landscape of critical internet-exposed control systems.

Recent research at Censys has found that while many hosts expose ICS protocols directly to the internet, many aren’t critical control systems. Often, they are honeypots or part of lab settings, not actually connected to systems like our electrical grid or water supply. Further, by focusing solely on ICS protocols, exposure of systems targeted in recent attacks (e.g., HMIs) may be overlooked as they often run over HTTP or VNC. These interfaces require no special knowledge to access and are easy targets for anyone who knows their IP address and port.

Using this more nuanced understanding of internet-exposed control systems, what do we discover when GreyNoise emulates these real-world conditions and collects attack telemetry? Are the attacks and threats playing out as anticipated based on industry assumptions, or are there disconnects between perceived risks and the reality of what threat actors are targeting?


Emily is a Principal Researcher at Censys, where she studies security threats and other interesting Internet phenomena. Previously, she was a security engineer focused on threat hunting, detection, and incident response. Emily is interested in the application of data science and analytics techniques to problems in security, and in the past has worked on projects related to anti-abuse, fraud, and malicious web app traffic detection.

 
