Glenn Thorpe

Honeypots, HMIs, and Havoc? Investigating Internet-Exposed Control Systems

What do we learn about the threat landscape of internet-exposed industrial control systems (ICS) when we combine internet-wide scan data with hyper-realistic emulations of a shell utility company’s critical control systems? In this research, we paint a holistic picture of the current ICS threat landscape using Censys’ internet scan data and GreyNoise’s observed attack telemetry against these targets.

For years, security researchers have sounded the alarm about ICS being exposed to the internet. Reports on the number of devices that speak protocols like Modbus and Siemens S7 are often used to express how dire the problem is. Recent attacks on internet-connected human-machine interfaces (HMIs) in the water and wastewater sector, such as those in Aliquippa, Pennsylvania, and Muleshoe, Texas, have made headlines. Despite this reporting, we find there is still a dearth of comprehensive information about the threat landscape of critical internet-exposed control systems.

Recent research at Censys has found that while many hosts expose ICS protocols directly to the internet, many aren’t critical control systems. Often, they are honeypots or part of lab settings, not actually connected to systems like our electrical grid or water supply. Further, by focusing solely on ICS protocols, exposure of systems targeted in recent attacks (e.g., HMIs) may be overlooked as they often run over HTTP or VNC. These interfaces require no special knowledge to access and are easy targets for anyone who knows their IP address and port.

Using this more nuanced understanding of internet-exposed control systems, what do we discover when GreyNoise emulates these real-world conditions and collects attack telemetry? Are the attacks and threats playing out as anticipated based on industry assumptions, or are there disconnects between perceived risks and the reality of what threat actors are targeting?


Glenn Thorpe is the Senior Director of Security Research and Detection Engineering at GreyNoise Intelligence. His journey in the cybersecurity industry began when he fell victim to a phishing scam; this ignited his interest in protecting digital assets and infrastructure and kicked off his career of 20+ years. His passion for digital forensics, incident response, and security communications has led him to consult with organizations on detecting and responding to high-priority threats. When not at work, Glenn enjoys studying weather patterns and planning his next shark diving expedition.
