A groundbreaking study has uncovered approximately 150,000 industrial control systems (ICS) exposed to the public internet across the globe, raising significant cybersecurity concerns for critical infrastructure worldwide.
This extensive research, published in 2024, reveals that these vulnerable systems span 175 countries, with varying concentrations and protocol distributions, highlighting a widespread security issue affecting industrial operations across sectors including power grids, manufacturing facilities, and water supply networks.
The exposure of these systems presents substantial risk, as ICS protocols are not inherently secure by design, often exchanging traffic in plain text or with minimal authentication.
The implications are severe – compromised ICS devices can lead to catastrophic outcomes, as demonstrated by past incidents like Stuxnet, which damaged Iran’s nuclear program, and the 2015 power outage in Ukraine that resulted from a SCADA-targeted cyberattack.
With critical infrastructure increasingly dependent on digitalized control systems, these exposed entry points provide potential attackers with pathways into systems controlling essential services.
Researchers from the Cybersecurity group at Delft University of Technology and the Information Security and Communication Technology department at the Norwegian University of Science and Technology conducted the comprehensive scan, applying a methodology designed to distinguish genuine industrial systems from honeypots – decoy systems designed to detect and study malicious activities.
Their approach challenges previous studies which may have inflated exposure numbers by failing to properly identify honeypots in their datasets.
The United States leads in exposed systems with over 45,000 devices, representing approximately one-third of all identified vulnerable ICS globally.
Other countries with significant exposure include Turkey, China, and Brazil, though the distribution and dominant protocols vary significantly by region.
These findings demonstrate that industrial system vulnerability is not limited to specific geographic areas but constitutes a global challenge requiring coordinated response.
Modbus emerged as the most prevalent protocol among exposed systems, accounting for 38.3% of real ICS devices identified in the study. Other widely exposed protocols include Niagara Fox (16.1%), EtherNet/IP (9.7%), and BACnet (8.9%).
The researchers note significant geographical differences in protocol preferences, with Niagara Fox dominating in the US, IEC 60870-5-104 prevalent in Russia and Turkey, and BACnet leading in Canada.
Honeypot Identification Methodology
A critical innovation in this research was the development of an advanced method to distinguish between actual industrial systems and honeypots that emulate ICS protocols.
The study revealed that 15% to 25% of systems that appear to be exposed ICS devices are actually honeypots designed to lure attackers.
This finding significantly alters our understanding of industrial exposure statistics reported in previous research.
The detection methodology employed multiple indicators to classify suspected honeypots with varying confidence levels.
For high-confidence identification, the researchers utilized protocol-specific signatures that detect inaccuracies in emulated protocols or default configuration values characteristic of known honeypot software like Conpot.
Medium-confidence indicators included unusual network locations (such as hosting providers rather than industrial networks) and systems with an abnormally high number of open ports – genuine ICS devices typically have fewer than ten open ports, while many honeypots exhibited dozens or even thousands.
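The classification scheme described above can be expressed as a small scoring routine. The following Python is an added example written for this article, not code from the study or its authors: it assigns each scanned host a honeypot verdict with a high, medium or no confidence level from the three indicator types the text names (protocol-specific signatures or emulation inaccuracies, hosting-provider network location, and open-port count). The scan records, the ten-port threshold, the network-type labels and the honeypot signature strings are all constructed placeholders; the real default values used by honeypot software such as Conpot are not reproduced here.

```python
"""Classify exposed-ICS scan records as real devices or honeypots.

Added example implementing the indicator tiers described in the article.
All thresholds, signatures and sample records are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: genuine ICS devices typically expose fewer than ten ports,
# so ten or more is treated as a medium-confidence honeypot indicator.
PORT_COUNT_THRESHOLD = 10

# Assumption: network types that are unusual for a production ICS device.
NON_INDUSTRIAL_NETWORKS = {"hosting", "cloud"}

# Placeholder signatures keyed by protocol. In practice an analyst would
# populate this with default identity strings of known honeypot software;
# the values below are constructed and match no real product.
KNOWN_HONEYPOT_SIGNATURES: Dict[str, List[str]] = {
    "modbus": ["EXAMPLE-HONEYPOT-DEVICE-ID"],
    "s7comm": ["EXAMPLE-HONEYPOT-PLC-NAME"],
}


@dataclass
class ScanRecord:
    ip: str                     # constructed, documentation range 192.0.2.0/24
    protocol: str               # ICS protocol that answered the probe
    banner: str                 # identity string returned by the device
    open_ports: int             # number of open TCP ports seen on the host
    network_type: str           # "industrial", "isp", "hosting" or "cloud"
    protocol_consistent: bool   # True if responses matched the protocol spec


@dataclass
class Verdict:
    ip: str
    label: str                  # "honeypot" or "likely_ics"
    confidence: str             # "high", "medium" or "none"
    reasons: List[str] = field(default_factory=list)


def classify(rec: ScanRecord) -> Verdict:
    """Apply high-confidence indicators first, then medium-confidence ones."""
    reasons: List[str] = []
    high = medium = False

    # High confidence: a banner matching a known honeypot default, or
    # protocol behaviour that deviates from the specification (emulation error).
    if rec.banner in KNOWN_HONEYPOT_SIGNATURES.get(rec.protocol, []):
        reasons.append("banner matches known honeypot default value")
        high = True
    if not rec.protocol_consistent:
        reasons.append("protocol responses deviate from specification")
        high = True

    # Medium confidence: unusual network location, or far more open ports
    # than a real controller would normally expose.
    if rec.network_type in NON_INDUSTRIAL_NETWORKS:
        reasons.append(f"hosted on a {rec.network_type} network")
        medium = True
    if rec.open_ports >= PORT_COUNT_THRESHOLD:
        reasons.append(f"{rec.open_ports} open ports exceeds typical ICS count")
        medium = True

    if high:
        return Verdict(rec.ip, "honeypot", "high", reasons)
    if medium:
        return Verdict(rec.ip, "honeypot", "medium", reasons)
    return Verdict(rec.ip, "likely_ics", "none", reasons)


def summarize(records: List[ScanRecord]) -> Dict[str, float]:
    """Count verdicts and compute the honeypot share of apparent exposures."""
    verdicts = [classify(r) for r in records]
    honeypots = [v for v in verdicts if v.label == "honeypot"]
    total = len(verdicts)
    return {
        "apparent_exposed": total,
        "honeypots": len(honeypots),
        "likely_real_ics": total - len(honeypots),
        "honeypot_share": round(len(honeypots) / total, 3) if total else 0.0,
    }


# Constructed sample records: not data from the study.
SAMPLE_RECORDS = [
    ScanRecord("192.0.2.10", "modbus", "Schneider-style PLC", 3, "industrial", True),
    ScanRecord("192.0.2.11", "modbus", "EXAMPLE-HONEYPOT-DEVICE-ID", 4, "isp", True),
    ScanRecord("192.0.2.12", "bacnet", "HVAC controller", 2, "isp", True),
    ScanRecord("192.0.2.13", "s7comm", "Generic PLC", 40, "cloud", True),
    ScanRecord("192.0.2.14", "modbus", "Generic PLC", 5, "industrial", False),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        v = classify(rec)
        print(f"{v.ip}: {v.label} ({v.confidence}) {v.reasons}")
    print(summarize(SAMPLE_RECORDS))
```

Running the module prints one verdict per constructed host and a summary in which two of the five apparent exposures are flagged as honeypots with high confidence, one with medium confidence, and two are retained as likely real devices. The same structure lets a honeypot operator audit their own deployment for the telltale indicators before an adversary does.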
This methodological breakthrough enables more accurate assessment of industrial cybersecurity risks while also providing honeypot operators insights to improve their systems’ stealthiness.
As Martin Mladenov, lead researcher from Delft University of Technology, put it: “Our results challenge previous ICS studies which either partially considered or completely overlooked honeypots, leading to an inflated number of detected exposed ICS devices.”
The findings underscore the need for improved security practices in industrial environments, particularly isolation of control systems from public internet access through air-gapping or implementation of strong virtual private networks with robust authentication mechanisms.