An analysis conducted by researchers at the Norwegian University of Science and Technology (NTNU) in Gjøvik and the Delft University of Technology in the Netherlands showed that a significant percentage of the industrial control system (ICS) instances detected by internet scans are actually honeypots.
The researchers used the Censys search engine to identify internet-exposed ICS. They targeted 17 widely used industrial control protocols and discovered roughly 150,000 devices across 175 countries.
The researchers then applied various criteria to determine how many of those ICS instances were real and how many were likely or possibly honeypots: decoy systems designed to attract threat actors in order to obtain valuable information on attacker tactics, techniques, and procedures (TTPs).
While Censys was used to collect the data on internet-exposed systems, the researchers noted that their methods can be applied to any source data, including Shodan and independent scanning.
Their analysis was conducted over a period of one year, between January 2024 and January 2025. In April 2024, they determined that roughly 15% of the ICS devices they were seeing online appeared to be honeypots, and the percentage increased to 25% by January 2025.
The researchers attempted to detect honeypots based on various types of information, each enabling them to assess that a system is a honeypot with low, medium or high confidence.
For instance, honeypot software often has a specific signature (a default banner, device name or template identifier that the honeypot emits), which enabled the researchers to classify the systems running this software as honeypots with high confidence.
Another clue that can reveal a honeypot is network type: a real ICS should sit on an industrial or enterprise network, and it should not have IPs associated with a hosting provider. This can be used to identify a honeypot with medium confidence.
Open ports can also provide valuable clues, as a large number of open ports on a single system is unusual for a real controller. The more open ports, the higher the chances of a system being an ICS honeypot rather than a real industrial device.
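As an added example (not code from the paper, Censys or Shodan), the following Python scores Censys-style host records with the three indicators described above, and adds one the article does not mention but that practitioners commonly use: several unrelated ICS protocols on one IP, which a single real controller rarely speaks. The record layout, the network-type labels, the signature strings, the thresholds and the sample hosts are all assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed placeholders: substrings that a known open-source ICS honeypot
# prints in its default banners. Replace with fingerprints you have verified.
HONEYPOT_BANNER_SIGNATURES = ("example-honeypot-default-plant", "HONEYPOT-TEMPLATE-ID")

# Assumed network-type labels (a Censys-like classification of the owning ASN).
HOSTING_NETWORK_TYPES = {"hosting", "cloud"}

# Assumed thresholds: real controllers expose a handful of ports, and a single
# device rarely speaks several unrelated ICS protocols at once.
MANY_PORTS_THRESHOLD = 10
MANY_ICS_PROTOCOLS_THRESHOLD = 3

# Well-known ICS/OT service ports (Modbus, S7comm, DNP3, EtherNet/IP, BACnet,
# Niagara Fox, IEC 60870-5-104, Omron FINS).
ICS_PORTS = frozenset({502, 102, 20000, 44818, 47808, 1911, 2404, 9600})

CONFIDENCE_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class HostRecord:
    ip: str
    network_type: str            # e.g. "industrial", "isp", "hosting", "cloud"
    open_ports: frozenset[int]
    banners: tuple[str, ...]


def _raise_to(current: str, candidate: str) -> str:
    """Keep the stronger of two confidence levels."""
    return candidate if CONFIDENCE_ORDER[candidate] > CONFIDENCE_ORDER[current] else current


def assess(record: HostRecord) -> tuple[str, list[str]]:
    """Return (confidence, reasons): how confidently this host looks like a honeypot.

    Confidence is 'high', 'medium', 'low' or 'none'; reasons lists every
    indicator that fired so an analyst can review the call.
    """
    level = "none"
    reasons: list[str] = []

    # High confidence: a banner carries a known honeypot software signature.
    if any(sig.lower() in banner.lower()
           for banner in record.banners for sig in HONEYPOT_BANNER_SIGNATURES):
        reasons.append("banner matches a known honeypot signature")
        level = _raise_to(level, "high")

    # Medium confidence: the IP sits in a hosting/cloud network, where a real
    # industrial device should not be reachable.
    if record.network_type in HOSTING_NETWORK_TYPES:
        reasons.append(f"network type '{record.network_type}' is a hosting provider")
        level = _raise_to(level, "medium")

    # Low confidence: an unusually large number of open ports.
    if len(record.open_ports) >= MANY_PORTS_THRESHOLD:
        reasons.append(f"{len(record.open_ports)} open ports is unusual for a real device")
        level = _raise_to(level, "low")

    # Low confidence: several unrelated ICS protocols served from one host.
    ics_hits = record.open_ports & ICS_PORTS
    if len(ics_hits) >= MANY_ICS_PROTOCOLS_THRESHOLD:
        reasons.append(f"{len(ics_hits)} distinct ICS protocols on one host")
        level = _raise_to(level, "low")

    return level, reasons


def summarize(records: list[HostRecord]) -> dict[str, float]:
    """Count hosts per confidence level and compute the share that is at least
    medium-confidence honeypot, i.e. what a naive 'exposed ICS' count overstates."""
    counts = {name: 0 for name in CONFIDENCE_ORDER}
    for record in records:
        counts[assess(record)[0]] += 1
    likely = counts["high"] + counts["medium"]
    share = likely / len(records) if records else 0.0
    return {**counts, "likely_honeypot_share": share}


# Constructed sample records using documentation (TEST-NET) addresses.
SAMPLE_HOSTS = [
    HostRecord("192.0.2.10", "industrial", frozenset({502}), ("Modbus unit id 1",)),
    HostRecord("198.51.100.7", "hosting",
               frozenset({21, 22, 23, 80, 102, 443, 502, 8080, 20000, 44818, 47808}),
               ("Siemens S7 PLC - HONEYPOT-TEMPLATE-ID",)),
    HostRecord("203.0.113.5", "cloud", frozenset({502}), ()),
    HostRecord("192.0.2.77", "isp", frozenset({502, 102, 47808}), ("BACnet device",)),
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        level, why = assess(host)
        print(f"{host.ip:15} {level:7} {'; '.join(why) or '-'}")
    print(summarize(SAMPLE_HOSTS))
```

The indicators are kept independent and the strongest one wins, so a reviewer can see which signal drove each verdict; a real pipeline would also want to weigh how the network classification was obtained, since that is exactly the methodological difference Censys points to below.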
“Our methodology and findings challenge previous ICS studies which either partially considered or completely ignored honeypots, leading to an inflated number of detected exposed ICS devices,” the researchers said. “It improves the detection accuracy of vulnerable ICS devices and makes researchers aware of current pitfalls in detection methods.”
Contacted by SecurityWeek, Censys Principal Security Researcher Emily Austin noted, “It can be challenging to determine the exact percentage of ICS honeypots online at a given time. These researchers used methods similar to those we use at Censys to identify deceptive services.”
“However, there are some differences in methodology, including using network classification as an indicator, which may explain why their reported ICS honeypot numbers are higher than what we typically observe. But overall, the approach to honeypot detection outlined in this paper seems very reasonable and defensible,” Austin said.
“Their observations around differences in honeypot prevalence by protocol are also similar to patterns we’ve observed in the past. Some ICS-related services are simpler to run than others or have open source honeypots available (e.g., ATG), which likely contributes to those differences,” she added.
The paper also mentions Shodan Honeyscore, a service designed for detecting honeypots. The researchers decided against using it due to errors and seemingly inaccurate results. However, Shodan’s John Matherly told SecurityWeek that Honeyscore hasn’t been a standalone service for years: its logic has been expanded and rolled into the crawlers themselves.
Matherly noted that Shodan now automatically filters out ICS honeypots so that they don’t show up in searches. “In general, honeypots have seen increased deployment over time which I would expect to also apply to ICS,” Matherly noted.
Shodan currently shows just over 100,000 internet-exposed ICS instances, with a slight downward trend recorded over the past few years.
Related: PLCHound Aims to Improve Detection of Internet-Exposed ICS
Related: Iranian Hackers Use IOCONTROL Malware to Target OT, IoT Devices in US, Israel
Related: US Warns of Hackers Targeting ICS/SCADA at Oil and Gas Organizations