A recent study by researchers from the Norwegian University of Science and Technology Gjøvik and Delft University of Technology reveals that up to 25% of internet-exposed Industrial Control Systems (ICS) may actually be honeypots—decoy systems designed to attract cyber attackers and study their methods.

Key Findings:

• Scope of Study: The researchers analyzed approximately 150,000 ICS devices across 175 countries over a year (January 2024 to January 2025), focusing on 17 widely used industrial control protocols.
• Detection Methods: They employed various criteria to identify honeypots, including:
  • Software Signatures: Identifying known honeypot software.
  • Network Type: Assessing whether devices are on industrial networks or associated with hosting providers.
  • Open Ports: Noting an unusually high number of open ports, which is atypical for genuine ICS devices.
• Findings Over Time: In April 2024, about 15% of observed ICS devices appeared to be honeypots; this figure rose to 25% by January 2025.

Implications:

The study suggests that previous assessments of internet-exposed ICS devices may have overestimated the number of genuine systems due to not accounting for honeypots. This has significant implications for cybersecurity research and threat analysis, emphasizing the need for refined detection methodologies to distinguish between real ICS devices and decoys.

‍

Source: https://www.securityweek.com/up-to-25-of-internet-exposed-ics-are-honeypots-researchers/