More than 145,000 industrial control system (ICS) services remain exposed on the internet across 175 countries, and the United States accounts for a disproportionate share of them: 33% of total exposures, more than any other single country.
According to Censys, an attack surface management company, 38% of the exposed devices are located in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa.
The United States has the highest number of ICS service exposures of any country, more than 48,000, followed by Turkey, South Korea, Italy, Canada, Spain, China, Germany, France, the United Kingdom, Japan, Sweden, Taiwan, Poland, and Lithuania.
The figures are based on the public exposure of widely used ICS protocols such as Modbus, IEC 60870-5-104, CODESYS, and OPC Unified Architecture (OPC UA), among others.
The exposed attack surface also differs by region: Modbus, S7, and IEC 60870-5-104 dominate in Europe, while Fox, BACnet, ATG, and C-more are most common in North America. Other ICS protocols seen across multiple sectors include EIP, FINS, and WDBRPC.
For example, 34% of the exposed C-more human-machine interfaces (HMIs) serve the water and wastewater sector, and nearly a quarter (23%) serve agriculture.
“While many industrial protocols may have originated in the 1970s, they remain fundamental to modern industrial processes – albeit without the same level of security enhancements that have become standard elsewhere,” Zakir Durumeric, co-founder and chief scientist at Censys, noted in a statement.
“The security of industrial control systems (ICS) devices is a crucial factor in protecting a nation’s critical infrastructure.” To safeguard it effectively, we need to understand the nuances of how these devices are discovered and where they are vulnerable.
Cyber attacks targeting ICS remain relatively rare, with only nine ICS-specific malware strains identified to date, but their pace has accelerated recently, particularly in the wake of the ongoing Russo-Ukrainian war.
In early July, Dragos disclosed that a Ukrainian energy company fell victim to the notorious FrostyGoop, a malware strain that abuses the Modbus TCP communication protocol.
The malware, also known as Bustleberm, is a Windows-based command-line tool written in Golang that can cause internet-facing devices to malfunction, ultimately resulting in a denial-of-service (DoS) condition.
“While hackers exploited the malware to target ENCO’s management systems, its capabilities extend to attacking other types of systems that utilize Modbus TCP protocols,” stated Palo Alto Networks’ Unit 42 researchers Asher Davila and Chris Navarrete in their latest report.
The Modbus TCP connection details that FrostyGoop uses can be supplied either as command-line arguments or in a JSON configuration file.
Between September 2 and October 2, 2024, telemetry collected by the company identified 1,088,175 Modbus TCP devices reachable on the internet.
Cybercriminals are also expanding their focus to critical infrastructure entities such as water utilities. In one notable incident in the United States, in 2022, the Municipal Water Authority of Aliquippa, Pennsylvania, was compromised after an internet-facing Unitronics programmable logic controller was breached by hackers who defaced the system with anti-Israel messages.
Censys researchers also found that human-machine interfaces (HMIs), which operators use to monitor and control ICS equipment, are increasingly exposed online to enable remote access. Most of the exposed HMIs are in the United States, with others observed in Germany, Canada, France, Austria, Italy, the United Kingdom, Australia, Spain, and Poland.
Many of the exposed HMI and ICS services are hosted on commercial internet connections from major ISPs such as Verizon, Deutsche Telekom, Magenta Telekom, and Turkcell, which leaves little metadata about who actually operates the systems.
“HMI systems usually feature prominent logos or plant identifiers, serving as a visual cue to distinguish the manufacturer and industry sector.” ICS protocols rarely provide this kind of information, making it nearly impossible to identify and notify the owners of exposed systems. Collaboration with major telecommunications providers will likely be essential in addressing this issue.
Because ICS and OT networks present a large attack surface, organisations must proactively identify and secure overlooked OT and ICS devices, replace default credentials, and continuously monitor networks for suspicious activity.
The risk is heightened by the fact that many organizations never change default login credentials, which lets botnet malware such as Aisuru, Kaiten, and Gafgyt not only enlist the devices in distributed denial-of-service (DDoS) attacks but also wipe their data.
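One concrete form the “continuously monitor networks for suspicious activity” advice can take for the Modbus TCP exposures discussed above is a small detector that decodes Modbus/TCP frames and flags write operations coming from hosts that are not approved engineering stations. The following is an added example, not code from the original article, from Censys, or from any of the vendors mentioned; the detection policy (an allowlist of hosts permitted to write), the IP addresses, and the sample frames are all constructed for the illustration.

```python
"""Decode Modbus/TCP frames and flag write operations from unexpected sources.

Added example (not part of the original article or any vendor's tooling).
Assumed policy: only hosts on an engineering-station allowlist may issue
Modbus write function codes; any other host that writes to a PLC is reported,
as is any frame whose MBAP header does not match its size. All sample
frames and addresses below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public Modbus function codes, as defined in the Modbus Application Protocol spec.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               23: "Read/Write Multiple Registers"}


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]
    data: bytes


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) and the PDU (function code + data) that follows it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    # The MBAP length field counts the unit id plus the PDU, so a well-formed
    # frame is exactly 6 + length bytes long.
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    data = pdu[1:]
    # Read and write requests carry a 16-bit starting address first.
    start = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    return ModbusRequest(src, tid, unit, pdu[0], start, data)


def classify(req: ModbusRequest) -> str:
    """Bucket a request as read, write, or other (diagnostics, vendor codes)."""
    if req.function_code in READ_CODES:
        return "read"
    if req.function_code in WRITE_CODES:
        return "write"
    return "other"


def find_unexpected_writes(frames: List[Tuple[str, bytes]],
                           allowed_writers: set) -> List[str]:
    """Return one alert string per write from a non-allowlisted source and
    per malformed frame; reads and allowed writes produce nothing."""
    alerts = []
    for src, raw in frames:
        try:
            req = parse_modbus_tcp(src, raw)
        except ValueError as err:
            alerts.append(f"{src}: malformed frame ({err})")
            continue
        if classify(req) == "write" and src not in allowed_writers:
            name = WRITE_CODES[req.function_code]
            alerts.append(f"{src}: {name} (FC {req.function_code}) to unit "
                          f"{req.unit_id} at address {req.start_address}")
    return alerts


def build_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Helper used only to construct the sample frames below."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: an allowed engineering station (10.0.0.5) and an
# unknown host (203.0.113.9, a documentation-range address) talking to unit 1.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_FRAMES = [
    ("10.0.0.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),      # read 10 regs
    ("10.0.0.5", build_frame(2, 1, 6, struct.pack(">HH", 100, 1))),     # allowed write
    ("203.0.113.9", build_frame(7, 1, 6, struct.pack(">HH", 100, 0))),  # unexpected write
    ("203.0.113.9", build_frame(8, 1, 16,                               # unexpected multi-write
                                struct.pack(">HHB", 0, 2, 4) + struct.pack(">HH", 0, 0))),
    ("198.51.100.7", build_frame(9, 1, 3, struct.pack(">HH", 0, 10))[:-1]),  # truncated frame
]

if __name__ == "__main__":
    for alert in find_unexpected_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(alert)
```

Running the block prints three alerts: the two writes from 203.0.113.9 (function codes 6 and 16) and the truncated frame from 198.51.100.7. In a real deployment the frames would come from a network tap or a Zeek/Suricata Modbus log rather than a constructed list, and the allowlist would be populated from the site's asset inventory, which is why the advice above pairs monitoring with identifying the OT and ICS devices first.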
The findings come weeks after Forescout warned that DICOM workstations, PACS systems, pump controllers, and medical information systems are the medical devices most at risk for healthcare delivery organizations.
The Digital Imaging and Communications in Medicine (DICOM) protocol is one of the most frequently attacked protocols among Internet of Medical Things (IoMT) devices. A significant number of these attacks occur in the United States, India, Germany, Brazil, Iran, and China, underscoring the global nature of the threat.
“As healthcare institutions move forward, they will inevitably encounter difficulties in managing medical devices that rely on outdated or custom technologies,” said Daniel dos Santos, Head of Security Research at Forescout.
A weakness at a single layer of security can expose sensitive personal information. That is why identifying and categorizing assets, mapping network communication flows, segmenting networks, and continuous monitoring are crucial to safeguarding evolving healthcare infrastructure.