Research Methodology

Last updated: July 17, 2026 · Author: Jeff Gray, Cyborama LLC

No Target Attribution Passive Only Defanged Data Shodan API Only

Overview

Control Systems Security publishes OT/ICS threat intelligence derived from a fully automated pipeline. All research is passive — we never connect to, scan directly, or interact with industrial systems. All data comes from public sources with all identifying information removed.

1. Threat Intelligence Pipeline

Sources

We monitor 21 curated sources for OT/ICS cybersecurity news and advisories:

Additional sources are added and removed based on signal-to-noise analysis. Each source is scored for OT relevance before inclusion.

Scraping Pipeline

The pipeline runs every 12 hours (cron: 0 */12 * * *) and executes the following steps:

StepScriptOutputGate
1. Scrapescraper.pyintel.db (raw items)Noise filter (cloud, non-OT)
2. Analyzeanalyze.pyAdvisory .md (surge detection)Z-score vs 30-day baseline
3. Transformtransform.pyDefanged JSONStaging → approval required
4. Metricsmetrics.pymetrics.jsonAutomated
5. Deploydeploy_frontend.shnginx reload + verifyHTTP 200 check
6. Approveapprove.pyStaging → live + archiveHuman approval gate
7. Notifynotify.pyWebhook alertsOn error/info only

Database

2,940+ items across 21 sources (~249 OT-tagged). Updated bi-weekly.

2. Z-Score Anomaly Detection

Surge Detection Logic

Each OT security topic is scored against a 30-day baseline using Z-score (σ) statistics:

Deduplication (KFC Effect)

After publishing a threat advisory, follow-up media coverage often generates additional articles about the same CVE or advisory. These are not new threats — they are the KFC Effect (Knowledge → Fix → Create cycle). Our surge detector deduplicates by:

Full analysis: The KFC Effect: How One Advisory Creates Five More

3. Shodan OT Scans

Methodology

All Shodan data is collected through the Shodan Developer API tier only. We never connect to, probe, or interact with industrial systems directly.

Cloud Noise Filtering

Approximately 53% of reported ICS exposure is cloud/VM noise (AWS, Azure, Alibaba Cloud). We filter these from OT-relevant counts. Only devices on production-grade ASN blocks are counted as genuine OT exposure.

Full analysis: 447K Write-Capable ICS Devices

Anomaly Scoring

Shodan findings are scored on weirdness (1-10) based on:

Full methodology and raw anomaly data available on request. Contact: contact@controlsystemssecurity.com

4. Defanged Data Policy

No Target Attribution

We never attribute vulnerabilities to specific facilities, companies, or victims. All published data includes:

What We Do NOT Publish

5. Data Sources & Datasets

Public Endpoints

All non-sensitive outputs are served as public JSON under https://controlsystemssecurity.com/assets/:

Raw Datasets

Full raw dataset exports (defanged, anonymized) are available upon request for research collaboration. Contact: contact@controlsystemssecurity.com

6. Quality Assurance

Pipeline Verification

External Review

Our methodology and findings undergo quarterly external review by OT security practitioners. If you have expertise in industrial control systems and would like to review our methodology, please contact us.

7. About This Research

Author

Jeff Gray — Founder, Cyborama LLC

Air Force veteran with 16 years experience in control systems security, critical infrastructure protection, and industrial incident response. Background in designing advanced protective controls for energy and water sectors, and developing next-generation detection capabilities for operational technology.

Full bio and credentials →

Contact

Email: contact@controlsystemssecurity.com
LLC: Cyborama LLC (Alabama, EIN: 41-4427011)