OT Hunt: Finding ICS/OT with Censys

Sulaiman Alhasawi
3 min read · Mar 18, 2024


Welcome to the 14th installment of “OT Hunt”, a series for those navigating Industrial Control Systems/Operational Technology (ICS/OT) security. The goal is to shine a light on the corners of the internet where ICS/OT devices sit exposed, often unnoticed and vulnerable, and to press asset owners and ICS/OT vendors to find and reduce that exposure.

This article shows how to use the Censys search engine to find ICS/OT devices. With a handful of targeted queries, often called dorks, you can surface critical-infrastructure components across many industries.

To begin your exploration, start with the following dorks in Censys:

For a broad search, use

labels: `ics`

or

labels: `scada`

If you are after specific ICS/OT protocols, Censys offers targeted filters on the service name. For example, to find devices speaking Modbus, use the filter below. Service names appear in upper case in Censys results, matching the list that follows:

services.service_name=`MODBUS`

Here is the list of ICS/OT service names I discovered on Censys (note that a couple of these, Citrix for instance, are remote-access or device-management services that show up on ICS-labelled hosts rather than OT protocols in their own right):

  • ATG
  • BACNET
  • CITRIX
  • CODESYS
  • DIGI
  • DNP3
  • EIP
  • FINS
  • FOX
  • GE_SRTP
  • IEC61850_5_104
  • MODBUS
  • PCWORX
  • PRO_CON_OS
  • S7
  • WDRPC

Vendor-specific searches are equally insightful. The filter below, for instance, unearths devices from a given manufacturer; my findings have included products from Bosch, Schneider Electric, Siemens, and Tridium, to name a few.

services.software.vendor= `siemens`

Censys also lets you search by ICS/OT product name. For example, the following dork led me to several variants of the Niagara 4 product line:

services.software.product= `niagara`

Exploring specific ports or services? Censys handles that too. To find hosts that speak GE SRTP and also expose FTP, combine two service filters. Note that `and` matches at the host level: the host must expose both services, on any ports, and nothing requires the two to be the same service.

(services.service_name=`GE_SRTP`) and services.service_name=`FTP`
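To make the dorks above concrete, here is an added example in Python (not code from the article, the author's GitHub repo, or Censys) that assembles the same queries, can run them through the official `censys` SDK when API credentials are present, and post-processes Censys host documents offline: it tallies service names per host and flags ICS hosts that also expose an IT service, the GE SRTP plus FTP pattern generalised to every protocol in the list. The four host records are constructed for this example and are not real scan results, and the split between "ICS" and "IT" service names is an editorial assumption.

```python
"""Added example: build Censys Search Language queries for ICS/OT hunting and
post-process Censys host documents offline. SAMPLE_HOSTS is constructed for
this example and is not real scan data."""
import json
from collections import Counter

# Service names as Censys reports them (upper case). The ICS set is the
# article's protocol list minus CITRIX, which is remote-access software rather
# than an OT protocol; the IT set is an editorial choice of services that
# should not sit next to a PLC on the public internet.
ICS_SERVICES = {"ATG", "BACNET", "CODESYS", "DIGI", "DNP3", "EIP", "FINS", "FOX",
                "GE_SRTP", "IEC61850_5_104", "MODBUS", "PCWORX", "PRO_CON_OS",
                "S7", "WDRPC"}
IT_SERVICES = {"FTP", "TELNET", "HTTP", "SSH", "RDP", "VNC"}


def query_by_service(name: str) -> str:
    """Hosts exposing one service, e.g. query_by_service("modbus")."""
    return f"services.service_name: {name.upper()}"


def query_by_vendor(vendor: str) -> str:
    """Hosts running software from one vendor; quoted so multi-word names work."""
    return f'services.software.vendor: "{vendor}"'


def query_by_product(product: str) -> str:
    return f'services.software.product: "{product}"'


def query_ics_with_it(ics: str, it: str) -> str:
    """Both services on the same host. `and` joins host-level conditions, so the
    two services may sit on different ports; it does not tie them together."""
    return f"{query_by_service(ics)} and {query_by_service(it)}"


# Constructed host documents in the shape of Censys host records (ip, labels,
# services[].port / service_name / software[]). Addresses are RFC 5737 ranges.
SAMPLE_HOSTS = json.loads("""[
 {"ip": "192.0.2.10", "labels": ["ics"], "services": [
   {"port": 502, "service_name": "MODBUS",
    "software": [{"vendor": "Schneider Electric", "product": "Modicon"}]},
   {"port": 21, "service_name": "FTP", "software": []},
   {"port": 80, "service_name": "HTTP", "software": []}]},
 {"ip": "192.0.2.20", "labels": ["ics"], "services": [
   {"port": 18245, "service_name": "GE_SRTP",
    "software": [{"vendor": "GE", "product": "PACSystems"}]},
   {"port": 21, "service_name": "FTP", "software": []}]},
 {"ip": "198.51.100.5", "labels": ["ics", "scada"], "services": [
   {"port": 102, "service_name": "S7",
    "software": [{"vendor": "Siemens", "product": "S7-1200"}]}]},
 {"ip": "203.0.113.7", "labels": ["ics"], "services": [
   {"port": 1911, "service_name": "FOX",
    "software": [{"vendor": "Tridium", "product": "Niagara"}]},
   {"port": 443, "service_name": "HTTP", "software": []}]}
]""")


def service_names(host: dict) -> set:
    return {s["service_name"] for s in host.get("services", [])}


def tally_service_names(hosts) -> Counter:
    """How many hosts expose each service (counted once per host, not per port)."""
    counts = Counter()
    for host in hosts:
        counts.update(service_names(host))
    return counts


def tally_vendors(hosts) -> Counter:
    """How many services carry a software.vendor value, per vendor."""
    counts = Counter()
    for host in hosts:
        for svc in host.get("services", []):
            for sw in svc.get("software", []):
                if sw.get("vendor"):
                    counts[sw["vendor"]] += 1
    return counts


def ics_hosts_with_it_exposure(hosts) -> list:
    """Hosts that expose an OT protocol and an IT service side by side."""
    findings = []
    for host in hosts:
        names = service_names(host)
        ics, it = names & ICS_SERVICES, names & IT_SERVICES
        if ics and it:
            findings.append((host["ip"], sorted(ics), sorted(it)))
    return findings


def search_hosts(query: str, pages: int = 1, per_page: int = 100) -> list:
    """Run a query against the live Censys Hosts API with the official SDK
    (pip install censys); it reads CENSYS_API_ID / CENSYS_API_SECRET from the
    environment. Not executed in this offline example."""
    from censys.search import CensysHosts
    hosts = []
    for page in CensysHosts().search(query, per_page=per_page, pages=pages):
        hosts.extend(page)
    return hosts


if __name__ == "__main__":
    for q in (query_by_service("modbus"), query_by_vendor("siemens"),
              query_by_product("niagara"), query_ics_with_it("GE_SRTP", "ftp")):
        print(q)
    print(dict(tally_service_names(SAMPLE_HOSTS)))
    for ip, ics, it in ics_hosts_with_it_exposure(SAMPLE_HOSTS):
        print(f"{ip}: {','.join(ics)} alongside {','.join(it)}")
```

Swap `SAMPLE_HOSTS` for `search_hosts(query_by_service("modbus"))` to run the same tally over live results; the post-processing is what turns a raw hit list into something an asset owner can act on, because a PLC protocol next to FTP or HTTP on the same address is a far stronger signal than either on its own.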

For those seeking the latest ICS/OT dorks using Censys, I invite you to follow my GitHub account: https://github.com/selmux/ICS-Security.

A noteworthy mention is Censys’s foray into artificial intelligence with “CensysGPT,” a beta feature that allows users to interact with a bot for generating search filters. While promising, it’s worth noting that this tool is in its infancy and may occasionally produce non-functional filters.

Conclusion

After extensive research with various OSINT tools for ICS/OT, Censys has proven to be an indispensable resource. Its large, well-structured database and intuitive query language make it a vital tool for anyone conducting ICS/OT OSINT. CensysGPT, despite its current limitations, shows where more interactive search could go.

As ICS/OT security research evolves, comprehensive and easy-to-use tools like Censys matter more, not less. In parallel, I am continuing to develop ICSrank, my OSINT tool for discovering ICS/OT devices and assessing their cybersecurity posture. Stay tuned for the next installment as we keep digging into where technology and security meet.
