With the addition of 8 new protocols—bringing our total Operational Technology (OT) protocol count to 16–Censys now discovers more than 100,000 publicly accessible OT services. OT is defined as the systems used to manage industrial operations. This includes Industrial Control Systems (ICS) but also the software and devices used to manage ICS infrastructure.
Many protocols that used to interface with ICS systems were developed before widespread internet connectivity and lack strong authentication or encryption mechanisms. The infrastructure used with them is also aging— the average age of a power plant in the United States is 29-years-old. This critical infrastructure has been the target of successful cyber-attack campaigns including the recent Colonial Pipeline hack. This problem is further exacerbated by the fact that organizations utilizing OT typically require vendor engagement to upgrade or modernize a delicate ecosystem of connected machinery every several years. In these environments, air gapping and network segmentation are some of the most common near-term mitigations.
Most Common OT Protocols
We can start by checking the Universal Internet Dataset using BigQuery (a Censys Enterprise feature) to see what protocols are most frequently publicly accessible. This can also be explored using this query in our search app:
SELECT DISTINCT services.service_name , count(*) as ct
FROM `censys-io.universal_internet_dataset.universal_internet_dataset` JOIN UNNEST(services) AS services
WHERE DATE(snapshot_date) = “2021-08-03”
AND services.service_name IN (
GROUP BY services.service_name
ORDER BY ct desc
Let’s go ahead and grab the number of unique hosts running these services by changing our query to:
SELECT COUNT(DISTINCT host_identifier.ipv4)
Our results show a total of 110,246 OT services, running across 101,484 unique IPv4 addresses:
We know from prior research that many services on the internet are pseudo-services running the same service on each port or honeypots that simulate having large numbers of services running. Censys truncates some service information for hosts running >100 services. Let’s filter those out hosts with truncated services by adding to our SQL query:
AND NOT services.truncated = true
Now that we have service information, we can easily calculate what percentage of OT services are truncated, thus likely not real:
More than half of Automated Tank Gauge (ATG) and Citrix services appear to be pseudo-services! Let’s investigate a little further using our search app, search.censys.io.
Filtering for legitimate services
Using the search term “services.service_name: ATG”, we immediately see a number of hosts running in the AWS cloud with 200+ HTTP services running on them! These are almost certainly not real services. We can remove them from our search by adding “and not services.truncated: true”.
Let’s dig a little deeper into what’s causing these ATG services to appear. Searching for more information about the protocol, we find an ATG honeypot released at Blackhat in 2015. GasPot is a python application that simulates a tank gauge, randomizing it’s values to mimic the behaviour of a legitimate host. It logs all connection attempts for further analysis later. The ease of running this honeypot is a likely explanation for the outsized number of ATG pseudo-services.
Where are these hosts running?
Using our search app, we can look a little deeper into where the hosts with an OT protocol are running. According to Censys’s data, 40% of services running OT protocols are located in the United States!
Breaking down the locations by city, Istanbul dominates the results with 801 services! Almost 1% of all OT protocols run there.
The distribution of services running in Istanbul is a little different than our overall distribution:
CODESYS, PCWORX, S7, IEC 60870-5-104, and Modbus are significantly overrepresented compared to the global distribution, likely due to differences in the physical infrastructure being used. Notably absent from this graph is BACnew and WDBRPC, which combined make up 20% of all OT services discovered in the Universal Internet Dataset.
We can also visualize the global distribution of legitimate hosts exposing OT services using kepler.gl:
Despite security risks, Censys’s data shows that publicly accessible OT services remain commonplace on the internet. These services pose a risk to companies’ data, continuity of operations, and public safety. Protecting OT services and critical infrastructure is an important problem, with President Biden signing a National Security Memorandum on “Improving Cybersecurity for Critical Infrastructure Control Systems.”
What Can I Do About It?
There are a number of steps organizations can take in the short term to protect their networks.
- Practice network segmentation policies, and apply firewall rules to prevent OT equipment from being exposed publicly to the internet.
- Utilize network logging tools to monitor and identify suspicious outbound traffic.
- Ensure services that do need to be publicly accessible are appropriately hardened, utilizing strong encryption and multi-factor authentication.
- View your IP ranges in Censys Search and filter for OT protocols.
- Use Censys ASM for continual external monitoring of your attack surface, including 16 common OT protocols.
Censys Search Data
Censys helps organizations, individuals, and researchers find and monitor every server on the Internet to reduce exposure and improve security. Access to our data is provided through our search platform search.censys.io, to free community users and through a commercial license for enterprise customers.
Censys Universal Internet Dataset
The Censys Universal Internet Dataset (UIDS) is the industry leading dataset of hosts and services on the Internet. Organizations use UIDS to track sophisticated threats and defend complex attack surfaces. Get access to the Universal Internet DataSet and discover “super” hosts and much more. Contact us and request a demo today!
Are you interested in doing research? We also provide access for researchers. See if you qualify here.