Hello and welcome to the Tuesday, April 23rd, 2004 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

In today's diary, Jan is updating some work that he did three years ago.

Three years ago, Jan reported about a slight

decrease in the number of industrial control systems that were exposed to the internet.

Now, measuring that number isn't easy, and Jan is going through some details here in how he

compared and analyzed and weighted different measurements here.

In particular, Jan looked at the differences between census, Shadow Server, and Shodan,

who are three well-intended and very qualified organizations who are collecting the data.

But of course, they all have their own

methodology in how they collect the data and what they collect the data for. And that explains

some of the differences between Shadow Server on the low end with 60,000 devices and, well,

Senses and Shodan being somewhat close around 100,000 devices,

but only after Jan removed some of the devices from Senses, because, well, Senses has a

slightly different definition of what they consider an ICS device.

Well, long story short, the number of IS devices is increasing. It's increasing by about

30,000 devices over the last three years since Jan wrote up this initial sort of noted decrease

in devices. What's also interesting is that the increase and decrease is actually dependent on the country you're looking at.

So there appears to be some effect of national policy and also just the attention being spent in different countries on securing these devices better.

And currently, Blackhead Asia is going on and a talk by Schmull Cohen from Safebreach has caught some attention regarding turning an XDR into

a malicious tool. The goal here is essentially using the XDR for privilege escalation. The XDR

...