Today, Censys, which provides the leading Internet Intelligence Platform for Threat Hunting and Attack Surface Management (ASM), published the second half of its annual State of the Internet Report focusing on Internet-exposed Industrial Control Systems (ICS). Following the launch of part one in August 2024, this next phase of the report focuses on ICS protocols being leveraged by ICS-specific malware variants and human-machine interfaces (HMI), often used as a point of entry for many threat actors.
In its research, Censys found over 145,000 exposed ICS services worldwide, with more than 48,000 located in the U.S. alone. Censys investigated the exposure landscape to help the cybersecurity community better understand the true attack surface of ICS around the world and how to best protect it.
Attacks using ICS protocols are less common and require specialized knowledge and understanding of such environments. Censys recognizes that in order to protect real-world control systems, it is essential for security teams to understand and assess the exposure of these protocols and HMIs, which constitute an often overlooked yet vital component of the security ecosystem. With Censys' comprehensive internet visibility, it was able to identify:
- Of the 145,000 ICS services exposed globally, 38% of devices were located in North America, 35% in Europe, and 22% in Asia
- Attack surfaces are regionally unique: Modbus, S7, and IEC 60870-5-104 are more widely observed in Europe, while Fox, BACnet, ATG, and C-More are more commonly found in North America
- 34% of C-More human-machine interfaces (HMIs) are water and wastewater related, while 23% are associated with agricultural processes
- Nearly 200 hosts running HMIs also run products from vendors explicitly prohibited by the U.S. National Defense Authorization Act (NDAA) Section 889
- Most observed ICS services and HMIs run on mobile or consumer and business-grade internet service providers (ISPs). Given the often remote nature of industrial facilities, a wired Internet connection may not be readily available
"Many of these protocols can be dated back to the 1970s but remain foundational to industrial processes without the same security improvements the rest of the world has seen. The security of ICS devices is a critical element in protecting a country's critical infrastructure. To protect it, we must understand the nuances of how these devices are exposed and vulnerable," said Zakir Durumeric, Co-Founder and Chief Scientist at Censys. "Censys' unmatched visibility into the internet makes us the only company to not only see the full extent of critical infrastructure exposure but to drive its remediation with government and commercial partners."
ICS security is consistently a focus of the cybersecurity and public sector community as its impact is far greater than many expect. As the industry continues to combat ICS-based attacks, it is critical now more than ever to understand the full ecosystem and every component of it.