Censys and GreyNoise teamed up for the last three months to shed new light on the real-world threats facing internet-exposed industrial control systems (ICS). At LABSCon 2024, they shared their findings, challenging some long-held assumptions about ICS security.

Earlier this year, Censys researchers identified over 40,000 internet-connected ICS devices in the U.S., including over 400 human-machine interfaces (HMIs). Many of these interfaces required no authentication at the time of observation. HMIs provide easy-to-understand and easy-to-manipulate interfaces, which make them low-hanging targets for threat actors seeking to disrupt operations. Given the relative ease of manipulation, we were curious about the actual attack traffic such interfaces receive.

To conduct preliminary research, GreyNoise set up hyper-realistic emulations of internet-connected HMIs for critical control systems, camouflaging them by geography and ASN. Glenn Thorpe, Sr. Director, Security Research & Detection Engineering at GreyNoise, analyzed forty-five days of data from these decoys and reported the following surprising and concerning findings:

  1. Rapid Targeting: Internet-connected HMIs were probed and scanned more quickly than baseline control sensors. Over 30% of IPs that touched the HMIs before a typical GreyNoise sensor were later identified as malicious.
  2. Focus on Remote Access: Contrary to expectations, attackers primarily targeted common Remote Access Service (RAS) protocols rather than ICS-specific communication protocols. Virtual Network Computing (VNC) was of particular interest to threat actors.
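The two findings above come from comparing, per source IP, when a decoy HMI was first touched versus when a baseline sensor was, and from bucketing the ports probed on the HMI into remote-access versus ICS protocol families. The script below is an added example of that measurement, not GreyNoise's or Censys's code; the connection events, the port-to-protocol tables and the "later flagged malicious" set are all constructed placeholders.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events, not GreyNoise telemetry: (sensor, src_ip, dst_port, timestamp).
EVENTS = [
    ("hmi",      "198.51.100.7",  5900, "2024-06-01T00:00:10"),
    ("baseline", "198.51.100.7",  22,   "2024-06-01T00:03:00"),
    ("hmi",      "203.0.113.9",   3389, "2024-06-01T00:01:00"),
    ("baseline", "203.0.113.9",   3389, "2024-06-01T00:00:30"),
    ("hmi",      "192.0.2.44",    502,  "2024-06-01T00:05:00"),
    ("hmi",      "192.0.2.44",    5900, "2024-06-01T00:05:05"),
    ("baseline", "192.0.2.44",    502,  "2024-06-01T00:09:00"),
    ("hmi",      "198.51.100.88", 102,  "2024-06-01T00:07:00"),
]
# Constructed placeholder for IPs a reputation feed later classified as malicious.
LATER_MALICIOUS = {"198.51.100.7", "192.0.2.44"}

# Assumed port-to-family mapping for classifying what the HMI decoy was probed on.
RAS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 5901: "vnc"}
ICS_PORTS = {102: "s7comm", 502: "modbus", 20000: "dnp3", 44818: "enip"}

def first_touch(events):
    """Return {src_ip: {sensor: earliest datetime}} across all events."""
    seen = {}
    for sensor, ip, _port, ts in events:
        t = datetime.fromisoformat(ts)
        slot = seen.setdefault(ip, {})
        if sensor not in slot or t < slot[sensor]:
            slot[sensor] = t
    return seen

def hmi_first_ips(events):
    """IPs that reached the HMI decoy before the baseline sensor (or never touched baseline)."""
    ft = first_touch(events)
    return {ip for ip, s in ft.items()
            if "hmi" in s and ("baseline" not in s or s["hmi"] < s["baseline"])}

def malicious_share(events, later_malicious):
    """Fraction of HMI-first IPs that were later flagged malicious (0.0 when there are none)."""
    ips = hmi_first_ips(events)
    return len(ips & later_malicious) / len(ips) if ips else 0.0

def protocol_mix(events):
    """Count probes against the HMI decoy by protocol family: ras, ics or other."""
    mix = Counter()
    for sensor, _ip, port, _ts in events:
        if sensor == "hmi":
            mix["ras" if port in RAS_PORTS else "ics" if port in ICS_PORTS else "other"] += 1
    return mix
```

On the constructed data, three of four IPs hit the HMI first, two of those are later flagged (a 2/3 share), and remote-access ports outnumber ICS ports among HMI probes, mirroring the shape of the findings reported above.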

Implications for ICS Security

This research highlights a potential disconnect between perceived risks and actual threat actor behavior toward internet-exposed ICS. While the industry has long focused on securing ICS-specific communication protocols, the more pressing threat may lie in more common, easily exploitable entry points like remote access services. The speed with which the decoy HMIs were probed suggests that threat actors prioritize finding such devices online.

This research underscores the critical importance of securing remote access services as a frontline defense for ICS environments. The relative ease of targeting these generic entry points may often render the exploitation of specialized ICS protocols unnecessary.

GreyNoise and Censys intend to continue this research to learn more based on these experimental findings.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.