BSides LV 2024: Defensive Counting: How to quantify ICS exposure on the Internet when the data is out to get you

One of two talks by Censys staff at BSides Las Vegas 2024! The abstract:

Security researchers have warned for years about industrial control systems (ICS) connected to the Internet. Reports on the number of devices speaking ICS protocols are often used to illustrate the severity of the problem. However, while there are indeed many ICS devices connected to the Internet, simply counting everything that looks like it may be ICS is not the most accurate method for measuring ICS exposure. There are many ICS honeypots that should be excluded from these types of analyses, which range from relatively easy to more challenging to detect. Moreover, many of the devices speaking these protocols aren't connected to critical infrastructure at all, but personal projects or lab setups. While large numbers make for click-worthy headlines, we strive to paint a measured yet comprehensive picture of real ICS device exposure on the Internet. In this talk, we'll discuss the analysis process from data collection to determining whether an ICS protocol is a "real" device, what these numbers mean in context, and why you really can't believe everything you see on the Internet.