Otpot

This is part of an ongoing series documenting observations from otpot, an OT-focused honeypot project. If you missed the intro, start there. otpot had been running for less than 24 hours before the first EtherNet/IP probes arrived. Censys and Shodan index everything, and a convincing Allen-Bradley 1756-L61 ControlLogix identity response is apparently interesting enough to attract regular visits. What I didn’t expect was that buried inside each of those requests was something useful: a consistent, scanner-specific value that makes it possible to identify who’s knocking purely from the protocol payload — no IP intelligence required. ...

First, Some Context: What Is a Honeypot and Why Does It Matter? If you’ve spent your career on the OT side — programming PLCs, commissioning HMIs, integrating SCADA systems — cybersecurity might feel like someone else’s department. That’s changing fast, and if you’re reading this, you probably already know it. Here’s the simplest way I can explain a honeypot: it’s a trap. You set up a system that looks exactly like something an attacker would want to find — an exposed PLC, an unprotected SCADA gateway, an industrial device sitting on the internet. But it’s fake. Nothing real is connected to it. When an attacker finds it and starts probing, you’re watching everything they do. ...