73% of globally exposed ICS systems are in the US and Europe, with the US leading at 38%. Vulnerabilities in outdated protocols and exposed HMIs put critical infrastructure at severe risk, says Censys.
The Internet has revolutionized numerous industries, including manufacturing, energy, and water treatment. However, as more and more industrial control systems (ICS) are connected to the internet, they become increasingly vulnerable to cyberattacks.
According to Censys’ annual State of the Internet Report, shared with Hackread.com, internet-exposed human-machine interfaces (HMIs) are the emerging new threat in ICS security. For your information, HMIs are the graphical interfaces used to monitor and control industrial systems.
Researchers at Censys, a leading internet intelligence company, observed that HMIs have become increasingly connected to the internet to enable remote access and management. This connectivity has opened the door to cyberattacks. This is concerning as in 2023 and 2024, we witnessed a series of attacks targeting internet-exposed HMIs, demonstrating the potential for significant disruption and damage.
One notable attack was carried out by the CyberAv3ngers, an Iranian hacking group, who targeted a water treatment facility in Pennsylvania, exploited a vulnerable HMI to gain control of the system and defaced it with an anti-Israel message. Another significant attack was from the Cyber Army of Russia Reborn, which attacked water facilities in Texas, manipulating HMIs to cause water storage tanks to overflow.
Censys’ report reveals that there are over 145,000 exposed ICS services worldwide, and over 40,000 Internet-connected ICS located in the United States with over half of them linked to building control and automation protocols.
“38% of these services are in North America, 35% are in Europe, and 22% are in Asia. The U.S. alone is responsible for over one-third of global ICS service exposures,” Censys’ report read.
The study also found that 18,000 exposed devices were more likely to control industrial systems. In the UK, approximately 1,500 control systems exposed on the public Internet were identified through scans of 18 automation protocols. Over 80% of these administration interfaces are for building controls.
Additionally, over 50% of hosts running low-level automation protocols are concentrated in ISPs, while over 80% of hosts running exposed HMIs are found in wireless networks like Verizon and AT&T. Moreover, about half of the HMIs associated with Water and Wastewater could be manipulated without authentication.
These exposed systems become a tempting target for cybercriminals and nation-state actors who could potentially disrupt critical infrastructure.
Researchers have also observed a high prevalence of outdated and insecure protocols. Many of these protocols, such as Modbus, S7, and IEC 60870-5-104, are decades old and lack advanced security features. Researchers discovered nearly 200 hosts running HMIs that were also running products from vendors explicitly prohibited by the US’s National Defense Authorization Act (NDAA) Section 889.
The report highlights the need for operators to be mindful of what products and software they allow to run alongside industrial processes. Researchers recommend that security teams must examine the exposure of these protocols and HMIs, which for a vital component of the security of industrial control systems.
