State of Control Systems in the USA

I've recently added the ability to search for devices in Shodan based on the state they're located in. This provides the interesting possibility to start comparing the security posture of US states by looking at what sort of things they expose publicly. To start off, I will be taking a look at how prevalent industrial control systems (ICS) are in the various states.

Shodan currently crawls for roughly 15 different ICS protocols on more than 20 ports and within the past week or so has discovered ~40,000 of them that are publicly accessible on the Internet worldwide. I presented on a few of these protocols at 4SICS in October 2014, and you can download the data and view the maps that were generated for the talk.

Let's take a look at the US in particular, though: so far in May, Shodan has discovered 20,445 ICS devices in the US. This is definitely a lower bound, and more will be discovered before the end of the month (many ICS devices have high latencies; more on that later).

The most popular protocol is Tridium's Fox, followed by BACnet and Modbus. Fox and BACnet are commonly used by building management systems (BMS), while Modbus is used across a wide range of products. The full Top 10 Protocols are as follows:

  1. Tridium Fox: 7,706
  2. BACnet: 4,525
  3. Modbus: 1,625
  4. EtherNet/IP: 1,578
  5. ProConOS: 1,018
  6. General Electric: 956
  7. OMRON FINS: 777
  8. Mitsubishi: 615
  9. Red Lion: 551
  10. Codesys: 407

By faceting on state using the Shodan API we can get a breakdown of ICS devices for each US state:

The above map chart shows a breakdown of which states have the most ICS devices on the Internet. As you'd probably expect the larger, more populous states also tend to have more devices online:

  1. CA: 2328
  2. TX: 1422
  3. NY: 739
  4. MA: 559
  5. IL: 552
  6. PA: 482
  7. OH: 466
  8. NJ: 465
  9. FL: 416
  10. MI: 390

Bigger states have more people, more devices and therefore more control systems required to provide services. Larger states would therefore always be at the top of any ICS ranking, so it's not entirely fair to compare states based on absolute numbers. So let's normalize the results and look at states based on the percentage of devices in the state that are control systems:

And now we get a slightly different picture. Maine is at the top of the list with 0.23% of the state's devices being industrial control systems on the Internet, followed by Hawaii (0.19%) and Nebraska (0.17%). The top 10 are:

  1. Maine: 0.23%
  2. Hawaii: 0.19%
  3. Nebraska: 0.17%
  4. Vermont: 0.17%
  5. West Virginia: 0.16%
  6. Montana: 0.14%
  7. Rhode Island: 0.14%
  8. Iowa: 0.13%
  9. Arkansas: 0.12%
  10. Washington DC: 0.11%
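The normalization step described above, as an added example (not the author's code): it takes two facet-on-state responses, one for the ICS query and one for all devices, and ranks states by ICS share. The response shape (`facets` → `state` → `value`/`count` buckets) is assumed to match what the Shodan API returns for a faceted count; the sample numbers are constructed except where noted.

```python
from __future__ import annotations
from typing import NamedTuple

class StateExposure(NamedTuple):
    state: str
    ics: int      # ICS devices seen in the state
    total: int    # all devices seen in the state
    pct: float    # ics as a percentage of total

def facet_counts(response: dict, facet: str = "state") -> dict[str, int]:
    """Flatten {'facets': {'state': [{'value': 'CA', 'count': 1}]}} to {'CA': 1}."""
    return {b["value"]: b["count"] for b in response.get("facets", {}).get(facet, [])}

def normalize(ics_resp: dict, all_resp: dict) -> tuple[list[StateExposure], list[str]]:
    """Rank states by ICS share; return (ranking, states that could not be ranked)."""
    ics, total = facet_counts(ics_resp), facet_counts(all_resp)
    ranked, skipped = [], []
    for state, n in ics.items():
        denom = total.get(state, 0)
        # A missing or too-small denominator means the all-devices facet was
        # truncated or the two queries are inconsistent: report, don't guess.
        if denom == 0 or denom < n:
            skipped.append(state)
            continue
        ranked.append(StateExposure(state, n, denom, 100.0 * n / denom))
    ranked.sort(key=lambda r: (-r.pct, r.state))
    return ranked, sorted(skipped)

# Constructed sample responses. CA, TX and NY ICS counts are the ones listed
# above; every other number is made up for illustration.
SAMPLE_ICS = {"total": 4814, "facets": {"state": [
    {"value": "CA", "count": 2328}, {"value": "TX", "count": 1422},
    {"value": "NY", "count": 739}, {"value": "ME", "count": 230},
    {"value": "HI", "count": 95}]}}
SAMPLE_ALL = {"total": 9023500, "facets": {"state": [   # HI bucket missing
    {"value": "CA", "count": 4656000}, {"value": "TX", "count": 2370000},
    {"value": "NY", "count": 1847500}, {"value": "ME", "count": 100000}]}}

if __name__ == "__main__":
    ranking, skipped = normalize(SAMPLE_ICS, SAMPLE_ALL)
    for r in ranking:
        print(f"{r.state}: {r.pct:.2f}% ({r.ics:,} of {r.total:,})")
    print("not ranked (no denominator):", ", ".join(skipped))
```

When requesting the facets, ask for enough buckets to cover every state plus DC in both queries; a truncated all-devices facet is what produces the "not ranked" entries.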

If you want to analyze the results further or look at the data yourself, check out the Shodan API documentation for information on what you can search and facet on. There are also a bunch of libraries available in Python, Ruby, NodeJS and Go to make getting started easy.

I will be keeping track of how these numbers change in the coming months/years, especially as federal policies change and cyber insurance becomes more popular.

PS: If your browser supports WebGL you can also check out the following visualization that was generated for my talk at the Department of Homeland Security ICS Joint Working Group conference in June 2014: