Hacker News
by nikomen 2560 days ago
Organizations using ICS equipment could use this tool to find their own systems that are accessible to the internet. However, I would imagine that companies that are responsible enough to perform checks like these hopefully already have procedures in place to prevent issues like this.

I wonder if there's room to use this software to provide direct feedback to the organizations and let them know without being prosecuted?
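One way to do the self-check described above, as an added example that is not code from this thread or from Shodan: take Shodan host records (the JSON that the official client's `Shodan.host(ip)` returns, which lists each banner under `data` with its `port` and the collecting module under `_shodan.module`), keep only the hosts inside your own address space, and flag banners that belong to ICS protocol modules or sit on well-known ICS ports. The module names, the port table, and the sample records below are assumptions constructed for illustration (the IPs are documentation ranges), not real scan data; `fetch_host` shows the live call and is not exercised by the sample run.

```python
"""Find your own Internet-exposed ICS services in Shodan host records.

Added example, not code from the thread or from Shodan. The records in
SAMPLE_RECORDS are constructed samples, not real scan data.
"""
import ipaddress

# Shodan labels each banner with the module that collected it
# (record["data"][i]["_shodan"]["module"]). These are the module names
# assumed here for common ICS protocols; verify against your own results.
ICS_MODULES = {
    "modbus", "s7", "dnp3", "bacnet", "ethernetip", "fox",
    "iec-104", "omron", "pcworx", "codesys",
}

# Fallback for banners with no module name: well-known ICS ports (assumed table).
ICS_PORTS = {
    502: "modbus", 102: "s7", 20000: "dnp3", 47808: "bacnet",
    44818: "ethernetip", 1911: "fox", 2404: "iec-104",
}


def ics_services(record):
    """Return (port, protocol) pairs in one Shodan host record that look like ICS."""
    found = []
    for banner in record.get("data", []):
        module = banner.get("_shodan", {}).get("module", "")
        port = banner.get("port")
        if module in ICS_MODULES:
            found.append((port, module))
        elif port in ICS_PORTS:
            found.append((port, ICS_PORTS[port]))
    return found


def audit(records, owned_networks):
    """Report exposed ICS services on hosts inside our own address space.

    Returns {ip: sorted [(port, protocol), ...]} for hosts with at least one hit;
    records for addresses outside owned_networks are ignored.
    """
    nets = [ipaddress.ip_network(n) for n in owned_networks]
    report = {}
    for rec in records:
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in net for net in nets):
            continue  # not our address space
        hits = ics_services(rec)
        if hits:
            report[str(ip)] = sorted(hits)
    return report


def fetch_host(api_key, ip):
    """Live lookup with the official `shodan` package (pip install shodan).

    Not used by the sample run below; needs network access and an API key.
    """
    import shodan
    return shodan.Shodan(api_key).host(ip)


# Constructed sample records in the shape of Shodan host JSON (documentation IPs).
SAMPLE_RECORDS = [
    {"ip_str": "198.51.100.10", "data": [
        {"port": 502, "transport": "tcp", "_shodan": {"module": "modbus"}},
        {"port": 443, "transport": "tcp", "_shodan": {"module": "https"}},
    ]},
    {"ip_str": "198.51.100.23", "data": [
        {"port": 102, "transport": "tcp", "_shodan": {}},  # no module name; caught by port
        {"port": 22, "transport": "tcp", "_shodan": {"module": "ssh"}},
    ]},
    {"ip_str": "203.0.113.5", "data": [  # not our network; must be ignored
        {"port": 20000, "transport": "tcp", "_shodan": {"module": "dnp3"}},
    ]},
    {"ip_str": "198.51.100.40", "data": [
        {"port": 80, "transport": "tcp", "_shodan": {"module": "http"}},
    ]},
]
OWNED = ["198.51.100.0/24"]

if __name__ == "__main__":
    for host, hits in audit(SAMPLE_RECORDS, OWNED).items():
        for port, proto in hits:
            print(f"{host}:{port} exposes {proto}")
```

Filtering to your own prefixes first matters: the point of the check is to find what you have exposed, and touching other people's devices is exactly the prosecution risk the post worries about. Treat the port fallback as a hint only; a banner that Shodan did not classify as an ICS module may be something else listening on that port.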

3 comments

Shodan actually has a service that will notify you when it discovers a public industrial control system:

https://monitor.shodan.io

Shodan Monitor is to the Internet as Google Alerts is to the web. And the membership (one-time payment of $49 for a lifetime upgrade) lets you monitor up to 16 IPs.

Disclaimer: I'm the founder of Shodan.

Have you noticed any significant change as part of your work with Shodan? If you contact them, do the organizations even do fixes at a steady rate? What's the situation?
We've had great success working through other CERTs and enterprise customers that have existing relationships with affected customers. Reaching out ourselves has been a mixed bag. For us, we have more success directly working with vendors and trying to make sure that, moving forward, devices are properly configured. And to let them know who's impacted so they can follow up as part of their regular support services.
I love how humble/modest your profile is ^_^
I know someone who works in cybersecurity for an oil company; he uses Shodan to double-check whether they have exposed anything to the big scary internet.
It depends on Polish law, and how likely it is that they would attempt to prosecute you for a polite letter mailed to them.