Recent research has revealed that over 145,000 Industrial Control Systems (ICS) are exposed to the internet across 175 nations, with the United States representing more than one-third of these exposures. The study, conducted by the attack surface management firm Censys, indicates that 38% of these devices are situated in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa.
The countries with the highest number of ICS service exposures include the United States (exceeding 48,000), Turkey, South Korea, Italy, Canada, Spain, China, Germany, France, the United Kingdom, Japan, Sweden, Taiwan, Poland, and Lithuania. The findings are based on the exposure of various widely-used ICS protocols, such as Modbus, IEC 60870-5-104, CODESYS, and OPC UA, among others.
A notable observation is that the attack surfaces exhibit regional distinctions: Modbus, S7, and IEC 60870-5-104 are predominantly found in Europe, whereas Fox, BACnet, ATG, and C-more are more prevalent in North America. Some ICS services utilized in both regions include EIP, FINS, and WDBRPC. Additionally, 34% of C-more human-machine interfaces (HMIs) are related to water and wastewater management, while 23% pertain to agricultural activities.
Zakir Durumeric, co-founder and chief scientist of Censys, remarked that “Many of these protocols can be traced back to the 1970s but continue to be essential to industrial operations, lacking the security enhancements that have been implemented in other sectors.”
Securing Industrial Control Systems (ICS) is central to protecting a nation's critical infrastructure, and doing so starts with knowing which devices are reachable from the internet, which protocols they speak, and what an unauthenticated peer can do over those protocols.
Cyber attacks that directly target ICS have been relatively rare, with only nine distinct ICS-specific malware families identified to date. The pace has picked up in recent years, however, particularly since the start of the war in Ukraine.
In July, Dragos reported that an energy firm in Ukraine had been hit by a malware family named FrostyGoop, which speaks Modbus TCP directly to operational technology (OT) devices in order to read and write their holding registers (Modbus function codes 3, 6, and 16). Also tracked as BUSTLEBERM, it is a command-line tool written in Go that can alter or disrupt the behaviour of any reachable Modbus TCP device, potentially leading to a denial-of-service (DoS) condition; the Lviv incident left residents without heating.
According to researchers Asher Davila and Chris Navarrete from Palo Alto Networks Unit 42, while the malware was utilized to compromise ENCO control devices, it possesses the capability to target any device that utilizes Modbus TCP. They noted that the necessary information for FrostyGoop to initiate a Modbus TCP connection and transmit commands to a targeted ICS device can be supplied either as command-line parameters or through a separate JSON configuration file.
Unit 42's own telemetry indicates that during the one-month span from September 2 to October 2, 2024, a total of 1,088,175 Modbus TCP devices were reachable from the internet.
Threat actors have increasingly targeted essential infrastructure entities, including water authorities. A notable incident occurred in the United States in November 2023, when the Municipal Water Authority of Aliquippa, Pennsylvania, was compromised through internet-exposed Unitronics programmable logic controllers (PLCs), whose displays were defaced with an anti-Israel message.
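Why a tool like FrostyGoop needs nothing more than a reachable TCP/502 port is easiest to see in the wire format itself. The following is an added example written for this article, not code from FrostyGoop, Dragos, Unit 42, or any Modbus library: it builds and parses Modbus/TCP frames (the 7-byte MBAP header plus the PDU) for Read Holding Registers (0x03) and Write Single Register (0x06), and runs them against a constructed in-process stand-in for a device. The register map (a hypothetical setpoint, enable flag and alarm word) is invented for illustration; no network I/O takes place. Note that the request carries a transaction ID, a unit ID, a function code and an address, and nothing else: there is no field in which a credential could even be sent.

```python
"""Minimal Modbus/TCP framing with a simulated device (added example, not real
vendor or malware code). Shows that a read or write request is fully
specified by address and value, with no authentication in the protocol."""
import struct

# MBAP header: transaction id, protocol id (always 0), length, unit id.
MBAP = struct.Struct(">HHHB")

FC_READ_HOLDING = 0x03   # Read Holding Registers
FC_WRITE_SINGLE = 0x06   # Write Single Register
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_ADDRESS = 0x02
EXC_ILLEGAL_VALUE = 0x03


def build_frame(tid, unit, pdu):
    """Prepend the MBAP header; 'length' counts the unit id byte plus the PDU."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(data):
    """Split a frame into (transaction id, unit id, PDU), rejecting bad headers."""
    tid, proto, length, unit = MBAP.unpack_from(data)
    if proto != 0:
        raise ValueError("not Modbus/TCP (protocol id != 0)")
    pdu = data[MBAP.size:MBAP.size + length - 1]
    if len(pdu) != length - 1 or not pdu:
        raise ValueError("truncated frame")
    return tid, unit, pdu


def read_holding_request(tid, unit, addr, count):
    return build_frame(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, addr, count))


def write_single_request(tid, unit, addr, value):
    return build_frame(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE, addr, value))


class SimulatedDevice:
    """Constructed stand-in for a Modbus/TCP server; the register map is hypothetical."""

    def __init__(self, registers):
        self.registers = dict(registers)

    def _exception(self, tid, unit, fc, code):
        # Exception response: function code with the high bit set, then the exception code.
        return build_frame(tid, unit, bytes([fc | 0x80, code]))

    def handle(self, frame):
        tid, unit, pdu = parse_frame(frame)
        fc = pdu[0]
        if fc == FC_READ_HOLDING:
            addr, count = struct.unpack(">HH", pdu[1:5])
            if not 1 <= count <= 125:                       # limit from the Modbus spec
                return self._exception(tid, unit, fc, EXC_ILLEGAL_VALUE)
            if any(a not in self.registers for a in range(addr, addr + count)):
                return self._exception(tid, unit, fc, EXC_ILLEGAL_ADDRESS)
            values = [self.registers[a] for a in range(addr, addr + count)]
            body = struct.pack(">BB", fc, 2 * count) + struct.pack(f">{count}H", *values)
            return build_frame(tid, unit, body)
        if fc == FC_WRITE_SINGLE:
            addr, value = struct.unpack(">HH", pdu[1:5])
            if addr not in self.registers:
                return self._exception(tid, unit, fc, EXC_ILLEGAL_ADDRESS)
            self.registers[addr] = value                    # no check of who is asking
            return build_frame(tid, unit, pdu)              # a successful write echoes the request
        return self._exception(tid, unit, fc, EXC_ILLEGAL_FUNCTION)


def decode_response(frame):
    """Turn a response frame into a dict, distinguishing exception responses."""
    tid, unit, pdu = parse_frame(frame)
    fc = pdu[0]
    if fc & 0x80:
        return {"tid": tid, "function": fc & 0x7F, "error": pdu[1]}
    if fc == FC_READ_HOLDING:
        n = pdu[1]
        return {"tid": tid, "function": fc,
                "values": list(struct.unpack(f">{n // 2}H", pdu[2:2 + n]))}
    if fc == FC_WRITE_SINGLE:
        addr, value = struct.unpack(">HH", pdu[1:5])
        return {"tid": tid, "function": fc, "address": addr, "value": value}
    raise ValueError(f"unhandled function code {fc:#x}")


def demo():
    """Read three registers, overwrite the setpoint unauthenticated, read back, then hit a bad address."""
    device = SimulatedDevice({0: 55, 1: 1, 2: 0})           # setpoint, enable, alarm (hypothetical)
    first = decode_response(device.handle(read_holding_request(1, 1, 0, 3)))
    write = decode_response(device.handle(write_single_request(2, 1, 0, 0)))
    after = decode_response(device.handle(read_holding_request(3, 1, 0, 3)))
    bad = decode_response(device.handle(read_holding_request(4, 1, 100, 1)))
    return first, write, after, bad


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The `demo()` exchange reproduces the shape of what a Modbus-aware tool does: one read to learn the current values, one write that the device accepts because it has no notion of an authorised client, and a read-back confirming the change. From the defensive side, the same framing is what a network sensor has to parse: a frame on TCP/502 whose PDU starts with 0x06 or 0x10 from a source that is not the known engineering workstation or HMI is the event worth alerting on.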
Censys has observed a rising trend in the availability of Human-Machine Interfaces (HMIs), which facilitate monitoring and interaction with Industrial Control Systems (ICS), over the internet to enable remote access. The majority of these exposed HMIs are situated in the United States, followed by Germany, Canada, France, Austria, Italy, the United Kingdom, Australia, Spain, and Poland.
Notably, most of the identified HMIs and ICS services are hosted on mobile or business-grade internet service providers (ISPs) such as Verizon, Deutsche Telekom, Magenta Telekom, and Turkcell, which provide minimal metadata regarding the actual users of these systems.
Censys remarked that “HMIs often contain company logos or plant names that can aid in identification of the owner and sector.” In contrast, ICS protocols typically do not provide such information, complicating efforts to identify and alert owners about potential exposures. It is likely that collaboration with major telecommunications companies hosting these services will be essential to address this issue.
The threat to such environments is intensified by an increase in botnet malware, including Aisuru, Kaiten, Gafgyt, Kaden, and LOLFME, which gains access to operational technology (OT) systems through default credentials. These botnets are used not only to launch distributed denial-of-service (DDoS) attacks but also to wipe data on the devices they compromise.
This information was disclosed shortly after Forescout identified that Digital Imaging and Communications in Medicine (DICOM) workstations, Picture Archiving and Communication Systems (PACS), pump controllers, and medical information systems represent the most vulnerable medical devices for healthcare delivery organizations (HDOs).
According to the cybersecurity firm, DICOM is among the most frequently utilized services by Internet of Medical Things (IoMT) devices and is significantly exposed online, with a considerable number of instances found in the United States, India, Germany, Brazil, Iran, and China.
“Healthcare organizations will persist in encountering difficulties with medical devices that operate on legacy or non-standard systems,” stated Daniel dos Santos, head of security research at Forescout. “A single vulnerability can compromise sensitive patient information. Therefore, it is crucial to identify and classify assets, map the flow of network communications, segment networks, and engage in continuous monitoring to secure the expanding healthcare networks.”