Up to 25% of Internet-Exposed ICS Are Honeypots: Researchers
An analysis conducted by researchers at the Norwegian University of Science and Technology Gjøvik and the Delft University of Technology in the Netherlands showed that a significant percentage of the industrial control system (ICS) instances detected by internet scans are actually honeypots.
The researchers used the Censys search engine to identify internet-exposed ICS. They targeted 17 widely used industrial control protocols and discovered roughly 150,000 devices across 175 countries.
The researchers then applied various criteria to determine how many of those ICS instances were real and how many were likely or possibly honeypots, decoy systems designed to attract threat actors in an effort to obtain valuable information on attacker tactics, techniques, and procedures (TTPs).
While Censys was used to collect the data on internet-exposed systems, the researchers noted that their methods can be applied to any source data, including Shodan and independent scanning.
Their analysis was conducted over a period of one year, between January 2024 and January 2025. In April 2024, they determined that roughly 15% of the ICS devices they were seeing online appeared to be honeypots, and the percentage increased to 25% in January 2025.
The researchers attempted to detect honeypots based on various types of information, each enabling them to assess that a system is a honeypot with low, medium or high confidence.
For instance, honeypot software often has a specific signature, which enabled the researchers to classify the systems running this software as honeypots with high confidence.
Another clue that can reveal a honeypot is network type: a real ICS should sit on an industrial network, not on IP addresses allocated to a hosting provider. This indicator identifies a honeypot with medium confidence.
Open ports can also provide valuable clues, as a large number of open ports on a system is unusual. The more open ports, the higher the chances of a system being an ICS honeypot rather than a real industrial device.
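The three indicator classes above (software signature, network type, open-port count) and the confidence tiers they map to can be expressed as a small triage script. The following is an added example, not the researchers' code or the Censys pipeline; the banner signatures, the hosting-network labels, the open-port thresholds and the sample host records are all constructed for illustration, and the way a low-confidence tier is assigned to the open-port indicator is an assumption, since the article only states that more open ports means a higher chance of a honeypot.

```python
"""
Triage internet-exposed ICS hosts using the three indicator classes the
article describes: honeypot software signatures (high confidence), network
type (medium confidence) and an unusually large number of open ports.
Host records, signatures, thresholds and tiers are constructed for
illustration; they are not the researchers' dataset or rules.
"""
from collections import Counter
from dataclasses import dataclass

CONFIDENCE_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed banner fragments standing in for a honeypot package's fingerprint.
HONEYPOT_BANNER_SIGNATURES = ("EXAMPLE-ICS-HONEYPOT", "decoy-plc-sim")

# Assumed: a network classified as hosting/cloud is not where a real PLC lives.
HOSTING_NETWORK_TYPES = {"hosting", "cloud"}

# Assumed cutoffs for the open-port indicator (the article gives no numbers).
OPEN_PORTS_SUSPICIOUS = 10       # above this -> low confidence
OPEN_PORTS_VERY_SUSPICIOUS = 20  # above this -> medium confidence


@dataclass(frozen=True)
class Host:
    ip: str
    banners: tuple        # service banners returned by the scanner
    network_type: str     # owning-network class: "industrial", "isp", "hosting", ...
    open_ports: tuple     # every port found open on the host


def honeypot_indicators(host: Host) -> dict:
    """Return {indicator_name: confidence} for every indicator that fired."""
    hits = {}
    banners = " ".join(host.banners).lower()
    if any(sig.lower() in banners for sig in HONEYPOT_BANNER_SIGNATURES):
        hits["signature"] = "high"
    if host.network_type.lower() in HOSTING_NETWORK_TYPES:
        hits["network_type"] = "medium"
    n_ports = len(host.open_ports)
    if n_ports > OPEN_PORTS_VERY_SUSPICIOUS:
        hits["open_ports"] = "medium"
    elif n_ports > OPEN_PORTS_SUSPICIOUS:
        hits["open_ports"] = "low"
    return hits


def classify(host: Host) -> str:
    """Label a host by the strongest indicator that fired; 'real' when none did."""
    hits = honeypot_indicators(host)
    if not hits:
        return "real"
    best = max(hits.values(), key=CONFIDENCE_RANK.__getitem__)
    return {"high": "honeypot", "medium": "likely honeypot",
            "low": "possible honeypot"}[best]


def honeypot_share(hosts) -> float:
    """Fraction of hosts flagged at any confidence: the kind of figure the
    article reports rising from roughly 15% to 25%."""
    labels = Counter(classify(h) for h in hosts)
    flagged = sum(v for k, v in labels.items() if k != "real")
    return flagged / len(hosts) if hosts else 0.0


# Constructed sample records (IPs are from documentation ranges, not real hosts).
SAMPLE_HOSTS = [
    Host("192.0.2.10", ("Modbus/TCP unit 1",), "industrial", (502,)),
    Host("192.0.2.11", ("S7 PLC EXAMPLE-ICS-HONEYPOT build 3",), "industrial", (102,)),
    Host("198.51.100.5", ("BACnet device",), "hosting", (47808, 80)),
    Host("203.0.113.7", ("Modbus/TCP unit 1",), "isp", tuple(range(1, 26))),  # 25 open ports
    Host("203.0.113.8", ("DNP3 outstation",), "isp", tuple(range(1, 13))),    # 12 open ports
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h.ip:14} {classify(h):18} {honeypot_indicators(h)}")
    print(f"flagged share: {honeypot_share(SAMPLE_HOSTS):.0%}")
```

Taking the strongest fired indicator as the label mirrors the article's low/medium/high tiers; a production pipeline would instead feed the indicators into the source data's own fields (Censys or Shodan host records) and tune the thresholds per protocol, since the researchers and Censys both note that honeypot prevalence differs by protocol.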
“Our methodology and findings challenge previous ICS studies which either partially considered or completely overlooked honeypots, leading to an inflated number of detected exposed ICS devices,” the researchers said. “It improves the detection accuracy of vulnerable ICS devices and makes researchers aware of current pitfalls in detection methods.”
Contacted by SecurityWeek, Censys Principal Security Researcher Emily Austin noted, “It can be challenging to determine the exact percentage of ICS honeypots online at a given time. These researchers used methods similar to those we use at Censys to identify deceptive services.”
“However, there are some differences in methodology–including using network classification as an indicator–that may explain why their reported ICS honeypot numbers are higher than what we typically observe. But overall, the approach to honeypot detection outlined in this paper seems very reasonable and defensible,” Austin said.
“Their observations around differences in honeypot prevalence by protocol are also similar to patterns we’ve observed in the past. Some ICS-related services are simpler to run than others or have open source honeypots available (e.g., ATG), which likely contributes to these differences,” she added.
The paper also mentions Shodan Honeyscore, a service designed for detecting honeypots. The researchers decided against using it due to errors and seemingly inaccurate results. However, Shodan’s John Matherly told SecurityWeek that Honeyscore hasn’t been an active service for years — it has been expanded and rolled into the crawlers themselves.
Matherly noted that Shodan now automatically filters out ICS honeypots so that they don’t show up in searches. “In general, honeypots have seen increased deployment over the years which I would expect to also apply to ICS,” Matherly noted.
Shodan currently shows just over 100,000 internet-exposed ICS instances, with a slight downward trend recorded over the past few years.