Researchers Warn of 100,000 Industrial Control Systems Exposed Online

Cyber Security Threat Summary:
“About 100,000 industrial control systems (ICS) were found on the public web, exposed to attackers probing them for vulnerabilities and at risk of unauthorized access. Among them are power grids, traffic light systems, security and water systems” (Bleeping Computer, 2023).

Of the exposed ICS units, many reside in critical infrastructure systems. These units include sensors, actuators, switches, building management systems, etc. This latest research comes from BitSight, who released a report detailing the threat, which they say impacts multiple sectors and many Fortune 1000 companies in 96 countries.

Security Officer Comments:
BitSight used data from mass-scale scans of the entire IP address space, which allowed them to identify multiple protocols and determine the type of system at each address. BitSight says they scan around 400 billion security events daily and monitor over 40 million organizations worldwide. While the number of vulnerable ICS systems is alarming, BitSight says the number of exposed devices has been going down since 2019. The most exposed countries, in terms of how many organizations have at least one exposed ICS in them, are:

  • United States
  • Canada
  • Italy
  • United Kingdom
  • France
  • Netherlands
  • Germany
  • Spain
  • Poland
  • Sweden

In terms of which sectors are the least secure when it comes to ICS security, BitSight says that Education, Technology, Government, Business Services, Manufacturing, Utilities, Real Estate, Energy, Hospitality, and Finance stand out.

Suggested Correction(s):
Vulnerabilities in industrial control systems are just as prevalent as those found in information technology. Kaspersky estimated that roughly 20% of all deployed ICSs are vulnerable to critical-severity flaws. Threats from state-sponsored actors and cybercriminals are real: the U.S. has issued several warnings about noted activity and has urged system administrators to secure critical infrastructure under their control.

BitSight’s data shows only how many ICS systems are exposed; exposure does not necessarily mean they are vulnerable, though a percentage of them are likely exploitable.

For secure remote access to Industrial Control Systems (ICS), organizations should implement at least basic security measures like VPN access, multi-factor authentication (MFA), role-based access control (RBAC), and network segmentation.