A team of Georgia Tech researchers has developed an algorithm that aims to significantly improve the identification of internet-exposed industrial control systems (ICS)sho.
An analysis conducted by internet intelligence platform Censys showed over 40,000 internet-exposed ICS devices in the United States. A Shodan search shows roughly 110,000 such devices worldwide.
However, a team from the Georgia Tech School of Electrical and Computer Engineering (ECE), led by Ph.D. student Ryan Pickren, says it has come up with an algorithm that helps identify far more ICS devices — specifically programmable logic controllers (PLCs) — that are exposed to the web.
The algorithm has been named PLCHound and, according to its creators, it uses advanced natural language processing and machine learning techniques to identify devices.
According to the researchers, PLCHound enabled them to identify 37 times more internet-connected PLCs than previously estimated.
The researchers contacted some of the organizations exposing PLCs to the internet — including airports, hospitals and government organizations — and reported seeing one month later that 34% of the identified IP addresses had no longer been exposing PLC devices.
Pickren and other Georgia Tech researchers earlier this year published a paper describing malware that they had created with the goal of demonstrating that PLCs can be remotely targeted by threat actors.
The malware targeted PLCs made by Wago and exploited vulnerabilities that had previously been identified by the researchers. Building on the Wago PLC research, the experts developed PLCHound.
Pickren told SecurityWeek that, to date, PLCHound has been tested with PLCs from Wago, Allen Bradley and Omron, but he and his team believe it’s capable of finding devices from any vendor.
“You just provide a ‘seed query’ and it automatically finds more of that type of device,” Pickren explained.
It’s worth noting that PLCHound is not a standalone scanner. Instead, it generates queries that can be used with internet search engines such as Shodan and Censys.
PLCHound is currently patent-pending and the researchers are looking for partners to commercialize it.
Emily Austin, principal security researcher at Censys, told SecurityWeek that they are familiar with PLCHound and while they haven’t used it internally they are excited to see researchers finding new ways to leverage Censys data, particularly in the ICS realm.
“As the researchers behind PLCHound have pointed out, accurately identifying the total population of industrial control systems (ICS) devices exposed to the Internet is a complex problem,” Austin said.
“There are hundreds of vendors and products in use across various sectors, and innovative discovery methods like PLCHound are needed to accurately identify and measure the Internet-wide ICS attack surface. We’re excited to see more from this group and others finding creative ways to identify artifacts of interest within Censys data,” she added.
SecurityWeek has also reached out to John Matherly, founder of Shodan, to get his thoughts on PLCHound.
Matherly expressed disappointment in learning that PLCHound will be put behind a patent, which will limit its use to organizations that can afford to pay for it.
“I do think that there is a lot of room for providing tools that simplify the process of identifying different types of assets so security becomes more accessible to everyone and not just enterprise organizations,” Matherly said.
However, the Shodan founder noted that the bigger problem is not identifying exposed ICS but rather identifying owners and contacting them. Matherly expressed skepticism over the claims made by the Georgia Tech researchers regarding the 34% reduction in exposure, noting that he has not seen that sort of reduction in ICS exposure and that it’s uncharacteristic for OT services to go offline that fast.
Matherly pointed out that the number of ICS devices on Shodan has been fairly steady for a while now, with a slight decrease over time.
Related: Siemens and Rockwell Tackle Industrial Cybersecurity, but Face Customer Hesitation
Related: Critical Vulnerabilities Expose mbNET.mini, Helmholz Industrial Routers to Attacks
Related: Organizations Faster at Detecting OT Incidents, but Response Still Lacking
