New research has uncovered more than 145,000 internet-exposed Industrial Control Systems (ICS) across 175 countries, with the U.S. alone accounting for over one-third of the total exposures.
The analysis, which comes from attack surface management company Censys, found that 38% of the devices are located in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa.
The countries with the most ICS service exposures include the U.S. (more than 48,000), Turkey, South Korea, Italy, Canada, Spain, China, Germany, France, the U.K., Japan, Sweden, Taiwan, Poland, and Lithuania.
The metrics are derived from the exposure of several commonly-used ICS protocols like Modbus, IEC 60870-5-104, CODESYS, OPC UA, and others.
One important aspect that stands out is that the attack surfaces are regionally unique: Modbus, S7, and IEC 60870-5-104 are more widely observed in Europe, while Fox, BACnet, ATG, and C-more are more commonly found in North America. Some ICS services that are used in both regions include EIP, FINS, and WDBRPC.
What’s more, 34% of C-more human-machine interfaces (HMIs) are water and wastewater-related, while 23% are associated with agricultural processes.
“Many of these protocols can be dated back to the 1970s but remain foundational to industrial processes without the same security improvements the rest of the world has seen,” Zakir Durumeric, Censys co-founder and chief scientist, said in a statement.
“The security of ICS devices is a critical element in protecting a country’s critical infrastructure. To protect it, we must understand the nuances of how these devices are exposed and vulnerable.”
Cyber attacks specifically targeting ICS systems have been comparatively rare, with only nine malware strains discovered to date. That said, there has been an increase in ICS-centric malware in recent years, especially in the aftermath of the ongoing Russo-Ukrainian war.
Earlier this July, Dragos revealed that an energy company located in Ukraine was targeted by malware known as FrostyGoop, which has been found to leverage Modbus TCP communications to disrupt operational technology (OT) networks.
Also called BUSTLEBERM, the malware is a Windows command-line tool written in Golang that can cause publicly-exposed devices to malfunction and ultimately result in a denial-of-service (DoS).
“Although bad actors used the malware to attack ENCO control devices, the malware can attack any other type of device that speaks Modbus TCP,” Palo Alto Networks Unit 42 researchers Asher Davila and Chris Navarrete said in a report published earlier this week.
“The details needed by FrostyGoop to establish a Modbus TCP connection and send Modbus commands to a targeted ICS device can be provided as command-line arguments or included in a separate JSON configuration file.”
According to telemetry data captured by the company, 1,088,175 Modbus TCP devices were exposed to the internet during a one-month period between September 2 and October 2, 2024.
Threat actors have also set their sights on other critical infrastructure entities like water authorities. In an incident recorded in the U.S. last year, the Municipal Water Authority of Aliquippa, Pennsylvania, was breached by taking advantage of an internet-exposed Unitronics programmable logic controllers (PLCs) to deface systems with an anti-Israel message.
Censys found that HMIs, which are used to monitor and interact with ICS systems, are also being increasingly made available over the Internet to support remote access. The majority of exposed HMIs are located in the U.S., followed by Germany, Canada, France, Austria, Italy, the U.K., Australia, Spain, and Poland.
Interestingly, most of the identified HMIs and ICS services reside on mobile or business-grade internet service providers (ISPs) such as Verizon, Deutsche Telekom, Magenta Telekom, and Turkcell among others, offering negligible metadata on who actually is using the system.
“HMIs often contain company logos or plant names that can aid in identification of the owner and sector,” Censys said. “ICS protocols rarely offer this same information, making it nearly impossible to identify and notify owners of exposures. Cooperation from major telcos hosting these services is likely necessary to solve this problem.”
That ICS and OT networks provide a broad attack surface for malicious actors to exploit necessitates that organizations take steps to identify and secure exposed OT and ICS devices, update default credentials, and monitor networks for malicious activity.
The risk to such environments is compounded by a spike in botnet malware — Aisuru, Kaiten, Gafgyt, Kaden, and LOLFME – exploiting OT default credentials to not only use them for conducting distributed denial-of-service (DDoS) attacks, but also wipe data present within them.
The disclosure comes weeks after Forescout revealed that Digital Imaging and Communications in Medicine (DICOM) workstations and Picture Archiving and Communication Systems (PACS), pump controllers and medical information systems are the most at-risk medical devices to healthcare delivery organizations (HDOs).
DICOM is one of the most used services by Internet of medical things (IoMT) devices and one of the most exposed online, the cybersecurity company noted, with a significant number of the instances located in the U.S., India, Germany, Brazil, Iran, and China.
“Healthcare organizations will continue to face challenges with medical devices using legacy or non-standard systems,” Daniel dos Santos, head of security research at Forescout, said.
“A single weak point can open the door to sensitive patient data. That’s why identifying and classifying assets, mapping network flow of communications, segmenting networks, and continuous monitoring are essential to securing growing healthcare networks.”
