Quantitatively Assessing and Visualising Industrial System Attack Surfaces

Chapter 3
Exploring the Dataset
In this chapter, we establish some ground rules of examining the data we have filtered out
of Shodan’s dataset. Some basic quantification of results is performed, and uses for such
analysis. We cannot currently produce a complete industrial system exposure data set,
and here discuss why. We also begin asking questions of what the data set can reasonably
tell us, and note some false positives that muddy the waters.
3.1 Global inferences should not be made
There are many reasons why this data should not be used to make global inferences
about the state of industrial control system security. Firstly, it is derived ultimately
from product names, and product names primarily known to one person. As an English
speaker, it is necessarily biased towards products from the English speaking world. In
addition to being a subset of global products devoted to industrial control systems, it
is also a subset restricted to those systems that run on the four ports investigated by
Shodan. Finally, that subset is further subdivided in time. All the systems found are not
still exposed, but we know that they once were. Thus we admit we have a very limited
view of global exposure, but believe it is a functional approach to one day providing a full
view.
The key point to remember while exploring the data, is that we have a numerator of
exposed systems as counter-examples of an air-gap, with an unknown denominator of the
total number of deployed systems. This exposed list of systems and devices is only part
of the story. If we discover in the future that these counter-examples represent 1% of
the total deployments of systems worldwide, then that will be a very positive story for
the industry. This author speculates that is not the case, but admits freely that it is
speculation.
31