New research has identified over 145,000 internet-exposed Industrial Control Systems (ICS) spanning 175 countries, with the U.S. accounting for more than one-third of the total exposures.
The study, conducted by attack surface management firm Censys, revealed that 38% of the devices are situated in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa.
Countries with the highest ICS service exposures include the U.S. (over 48,000), Turkey, South Korea, Italy, Canada, Spain, China, Germany, France, the U.K., Japan, Sweden, Taiwan, Poland, and Lithuania.
The findings are based on the exposure of several widely used ICS protocols, including Modbus, IEC 60870-5-104, CODESYS, and OPC UA.
Notably, the attack surfaces differ by region: protocols like Modbus, S7, and IEC 60870-5-104 are more prevalent in Europe, while Fox, BACnet, ATG, and C-more are more frequently observed in North America. Some ICS protocols, such as EIP, FINS, and WDBRPC, are commonly used in both regions.
Furthermore, 34% of C-more human-machine interfaces (HMIs) are linked to water and wastewater systems, while 23% are associated with agricultural operations.
“Many of these protocols trace back to the 1970s and remain integral to industrial processes, yet they have not undergone the same security advancements as other technologies,” said Zakir Durumeric, Censys co-founder and chief scientist.
“The security of ICS devices is essential to safeguarding a nation’s critical infrastructure. To achieve this, we must deeply understand how these devices are exposed and where vulnerabilities lie.”
While cyberattacks on ICS have been relatively rare—only nine ICS-specific malware strains have been identified to date—there has been a growing trend in ICS-focused malware in recent years, particularly in the wake of the ongoing Russo-Ukrainian conflict.
In July, Dragos disclosed that a Ukrainian energy company was targeted by malware named FrostyGoop, which exploits Modbus TCP communications to disrupt operational technology (OT) networks.
Also referred to as BUSTLEBERM, the malware is a Windows command-line tool developed in Golang, capable of causing malfunctions in publicly exposed devices, potentially leading to a denial-of-service (DoS).
“While the malware was utilized by threat actors to target ENCO control devices, it is capable of attacking any device that communicates using Modbus TCP,” Palo Alto Networks Unit 42 researchers Asher Davila and Chris Navarrete stated in a report released earlier this week.
“The parameters required by FrostyGoop to initiate a Modbus TCP connection and issue Modbus commands to a targeted ICS device can either be specified as command-line arguments or provided in a separate JSON configuration file.”
Telemetry data collected by the company revealed that 1,088,175 Modbus TCP devices were exposed to the internet over a one-month period, from September 2 to October 2, 2024.
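As an added example (not code from the article, Censys, or Unit 42), the following Python parses Modbus/TCP requests and flags write function codes coming from hosts outside an allow list, the kind of check a defender can run over captured OT traffic given that FrostyGoop works by issuing ordinary Modbus commands; the IP addresses and packets are constructed, and the allow list is a hypothetical engineering workstation.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change device state; reads are left out on purpose.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(src: str, adu: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(adu) - 6:  # MBAP length covers unit id + PDU
        raise ValueError("MBAP length field does not match the payload")
    return ModbusRequest(src, tid, unit, adu[7], adu[8:])

def flag_unexpected_writes(packets, allowed_writers):
    """Return one alert line per write request not sent by an allow-listed host."""
    alerts = []
    for src, adu in packets:
        try:
            req = parse_modbus_tcp(src, adu)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus/TCP ({exc})")
            continue
        name = WRITE_FUNCTIONS.get(req.function_code)
        if name and src not in allowed_writers:
            alerts.append(f"{src}: {name} (fc {req.function_code}) to unit "
                          f"{req.unit_id}, tid {req.transaction_id}")
    return alerts

# Constructed sample traffic as (source IP, raw TCP payload); not captured data.
ALLOWED_WRITERS = {"10.0.0.5"}  # hypothetical engineering workstation
SAMPLE_PACKETS = [
    ("10.0.0.9", bytes.fromhex("00010000000601030000000a")),       # HMI reads 10 registers
    ("203.0.113.7", bytes.fromhex("000200000006010600100000")),    # outside host writes register 16
    ("10.0.0.5", bytes.fromhex("000300000009011000000001020005")), # allowed multi-register write
]
```

Run `flag_unexpected_writes(SAMPLE_PACKETS, ALLOWED_WRITERS)` to get a single alert for the write from 203.0.113.7; in practice the packet list would come from a span port or PCAP rather than inline bytes.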
Threat actors have increasingly targeted other critical infrastructure entities, including water authorities. In one incident reported last year in the U.S., the Municipal Water Authority of Aliquippa, Pennsylvania, was compromised by exploiting an internet-exposed Unitronics programmable logic controller (PLC), resulting in systems being defaced with an anti-Israel message.
Censys observed that human-machine interfaces (HMIs), which facilitate monitoring of and interaction with ICS, are being exposed online more frequently to enable remote access. The majority of exposed HMIs are located in the U.S., followed by Germany, Canada, France, Austria, Italy, the U.K., Australia, Spain, and Poland.
Interestingly, many of the exposed HMIs and ICS services are hosted on mobile or business-grade internet service providers (ISPs) such as Verizon, Deutsche Telekom, Magenta Telekom, and Turkcell, offering minimal metadata to identify the actual users of the systems.
“HMIs often display company logos or plant names, which can assist in identifying the owner and sector,” Censys stated. “ICS protocols, however, rarely provide such details, making it nearly impossible to notify owners of exposures. Cooperation from major telcos hosting these services will likely be necessary to address this issue.”
Given the broad attack surface presented by ICS and OT networks, organizations must take proactive steps to identify and secure exposed devices, change default credentials, and monitor networks for signs of malicious activity.
The risks to these environments are further exacerbated by a rise in botnet malware—such as Aisuru, Kaiten, Gafgyt, Kaden, and LOLFME—which exploit default OT credentials to execute distributed denial-of-service (DDoS) attacks and erase data on targeted systems.
This disclosure follows recent findings by Forescout, which identified Digital Imaging and Communications in Medicine (DICOM) workstations, Picture Archiving and Communication Systems (PACS), pump controllers, and medical information systems as the most vulnerable devices for healthcare delivery organizations (HDOs).
DICOM, a widely used service among Internet of Medical Things (IoMT) devices, was noted as one of the most exposed online, with a significant number of instances located in the U.S., India, Germany, Brazil, Iran, and China.
“Healthcare organizations will continue to grapple with medical devices that rely on legacy or non-standard systems,” said Daniel dos Santos, head of security research at Forescout.
“A single vulnerability can expose sensitive patient data. Identifying and classifying assets, mapping network communication flows, segmenting networks, and implementing continuous monitoring are essential to securing the expanding healthcare network landscape.”
Source: TheHackerNews