Last updated: July 17, 2026 · Author: Jeff Gray, Cyborama LLC
Control Systems Security publishes OT/ICS threat intelligence derived from a fully automated pipeline. All research is passive — we never connect to, scan directly, or interact with industrial systems. All data comes from public sources with all identifying information removed.
We monitor 21 curated sources for OT/ICS cybersecurity news and advisories:
Additional sources are added and removed based on signal-to-noise analysis. Each source is scored for OT relevance before inclusion.
The pipeline runs every 12 hours (cron: 0 */12 * * *) and executes the following steps:
| Step | Script | Output | Gate |
|---|---|---|---|
| 1. Scrape | scraper.py | intel.db (raw items) | Noise filter (cloud, non-OT) |
| 2. Analyze | analyze.py | Advisory .md (surge detection) | Z-score vs 30-day baseline |
| 3. Transform | transform.py | Defanged JSON | Staging → approval required |
| 4. Metrics | metrics.py | metrics.json | Automated |
| 5. Deploy | deploy_frontend.sh | nginx reload + verify | HTTP 200 check |
| 6. Approve | approve.py | Staging → live + archive | Human approval gate |
| 7. Notify | notify.py | Webhook alerts | On error/info only |
2,940+ items across 21 sources (~249 OT-tagged). Updated bi-weekly.
Each OT security topic is scored against a 30-day baseline using Z-score (σ) statistics:
After publishing a threat advisory, follow-up media coverage often generates additional articles about the same CVE or advisory. These are not new threats — they are the KFC Effect (Knowledge → Fix → Create cycle). Our surge detector deduplicates by:
Full analysis: The KFC Effect: How One Advisory Creates Five More
All Shodan data is collected through the Shodan Developer API tier only. We never connect to, probe, or interact with industrial systems directly.
Approximately 53% of reported ICS exposure is cloud/VM noise (AWS, Azure, Alibaba Cloud). We filter these from OT-relevant counts. Only devices on production-grade ASN blocks are counted as genuine OT exposure.
Full analysis: 447K Write-Capable ICS Devices
Shodan findings are scored on weirdness (1-10) based on:
Full methodology and raw anomaly data available on request. Contact: contact@controlsystemssecurity.com
We never attribute vulnerabilities to specific facilities, companies, or victims. All published data includes:
All non-sensitive outputs are served as public JSON under https://controlsystemssecurity.com/assets/:
Full raw dataset exports (defanged, anonymized) are available upon request for research collaboration. Contact: contact@controlsystemssecurity.com
Our methodology and findings undergo quarterly external review by OT security practitioners. If you have expertise in industrial control systems and would like to review our methodology, please contact us.
Jeff Gray — Founder, Cyborama LLC
Air Force veteran with 16 years experience in control systems security, critical infrastructure protection, and industrial incident response. Background in designing advanced protective controls for energy and water sectors, and developing next-generation detection capabilities for operational technology.
Email: contact@controlsystemssecurity.com
LLC: Cyborama LLC (Alabama, EIN: 41-4427011)