Industrial Cybersecurity Alert: Surge in Internet-Exposed ICS Devices Defies Downward Trend

In a world where industrial devices chit-chat more than teenagers, the number of ICS systems online is up for debate—somewhere between “honey, we shrunk the devices” and “we might need a bigger boat.”

Hot Take:

Surf’s up on the cyber waves, folks! It turns out the number of industrial control systems (ICS) chilling on the internet beach is more crowded than a Black Friday sale at a gadget shop. While some of us were naively optimistic, thinking these devices were getting the memo to stay off the public Wi-Fi, it looks like they pulled a classic “hold my beer” and decided to party online even harder. So grab your digital surfboards; we’re diving into the sea of ICS devices riding the internet waves!

Key Points:

  • The number of internet-exposed ICS devices is estimated to be between 61 and 111 thousand, with a significant increase since 2021.
  • There’s a discrepancy among different cybersecurity services’ counts—Shadowserver’s playing it cool with 61.7k, Censys goes wild claiming 237.2k, but if we sift through the data, it’s more like 106.2k.
  • Honeypots are in the mix, making the numbers a tad sticky—out of the gang reported by Censys, 307 are known tricksters, but there are likely more in disguise.
  • Modbus protocol is the life of the party, showing a notable increase in device counts and contributing to the overall rise of detected ICS devices.
  • It’s a real rollercoaster as some countries are tucking their ICS devices in bed, while others are throwing them a rave, with no global decline in sight.

Need to know more?

Counting Sheep or ICS Devices?

Once upon a time in 2021, we thought we were witnessing a miraculous decline in internet-exposed ICS devices. Fast forward to now, and it's like counting sheep that decided to clone themselves. We've got numbers bouncing from 61.7k to a whopping 237.2k, depending on who's counting. But don't be fooled; it's not a popularity contest. Censys might be casting a wide net, but when we zoom in on devices using familiar protocols, we get a more down-to-earth 106.2k figure.

Honeypot or Not?

In the digital garden of ICS devices, not all flowers are real. Some are honeypots, designed to lure in and trap naughty cyber bees. So, while Censys spotted 307 honeypots waving their faux petals, it's a safe bet there are more playing hide and seek among the legitimate devices.

The Protocol Party

When it comes to the protocols these devices chat with, it's not all harmonious. Each cybersecurity service hosts its own protocol party, and the guest lists don't match up. BACnet seems to be the protocol everyone agrees on, but with others like Modbus, it's a different story. Shadowserver's guest list is modest, while Censys and Shodan are throwing a full-blown bash.

A Tale of Two Trends

Let's take a trip down memory lane to 2021, when we thought we saw a downward trend in ICS devices going public. Turns out, that trend was more of a fad. Data from Shodan's TriOp tool shows us that the numbers did a cannonball jump upward and have been sunbathing around the 100k mark ever since.

It's a Small (Cyber) World After All

While we're busy counting devices, let's not forget this is a global party. The overall numbers might not have dropped, but some countries are sending their ICS devices home early. The USA, for one, seems to have tightened its curfew. But if some are going down, others must be living it up, because the global count is stubbornly on the rise.

The Cyber Seesaw

Ending on a high note? Not quite. While your friendly neighborhood cybersecurity optimist hoped we'd see fewer devices taking the risky internet plunge, it seems like for every device that retreats from the online world, another one jumps in with a snorkel. Let's just cross our fingers and hope the next three years don't see these numbers doing the limbo under an even lower cybersecurity bar.

Tags: Censys, Honeypots, ICS security, industrial control systems, Internet-Exposed Devices, Modbus Protocol, Shodan