November 22, 2024
Severity
High
Analysis Summary
More than 145,000 Industrial Control Systems (ICS) in 175 nations have been found to be exposed to the Internet, with the United States alone accounting for more than one-third of these exposures, according to recent research.
By region, 38% of the devices are in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa. The countries with the most exposed ICS services are the United States (more than 48,000), Turkey, South Korea, Italy, Canada, Spain, China, Germany, France, the United Kingdom, Japan, Sweden, Taiwan, Poland, and Lithuania.
The figures are based on the exposure of several widely used ICS protocols, including OPC UA, CODESYS, IEC 60870-5-104, and Modbus. One notable feature is that the attack surface differs by region: Fox, BACnet, ATG, and C-more are encountered more often in North America, whereas Modbus, S7, and IEC 60870-5-104 are detected more often in Europe. Some ICS services, including EIP, FINS, and WDBRPC, are common to both regions.
Furthermore, 23% of C-more human-machine interfaces (HMIs) are associated with agricultural operations, while 34% are associated with water and wastewater. Many of these protocols have been in place since the 1970s; they remain essential to industrial operations but have not kept pace with the security improvements seen elsewhere. Securing ICS devices is one of the most important parts of protecting a nation's critical infrastructure, and defending them requires understanding exactly how these technologies are exposed and where they are vulnerable.
Only nine ICS-specific malware variants have been identified so far, so cyberattacks that specifically target ICS systems remain relatively uncommon. Even so, ICS-focused malware has become more prevalent in recent years, particularly in the wake of the ongoing conflict between Russia and Ukraine. Earlier, in July, researchers disclosed that FrostyGoop, malware that uses Modbus TCP communications to interfere with operational technology (OT) networks, had been used against an energy company in Ukraine.
Other critical infrastructure organizations, such as water authorities, have also become targets for threat actors. In a U.S. incident last year, internet-exposed Unitronics programmable logic controllers (PLCs) were used to compromise and deface systems at the Municipal Water Authority of Aliquippa, Pennsylvania. Researchers also found that HMIs, which are used to monitor and interact with ICS systems, are increasingly being made reachable online to facilitate remote access. The United States hosts the majority of exposed HMIs, followed by Germany, Canada, France, Austria, Italy, the United Kingdom, Australia, Spain, and Poland.
Because OT and ICS networks present a wide attack surface for threat actors, organizations must take steps to find and protect exposed OT and ICS equipment, change default login credentials, and monitor their networks for malicious behavior. The threat to these environments is compounded by the rise of botnet malware such as Aisuru, Kaiten, Gafgyt, Kaden, and LOLFME, which uses OT default credentials to conduct distributed denial-of-service (DDoS) attacks and wipe data stored on the devices.
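The FrostyGoop case above turns on Modbus TCP requests that change controller state. The following is an added example, not code from the advisory or from any vendor: it decodes the MBAP header and function code of Modbus/TCP request frames and raises an alert when a write function code arrives from a host outside an engineering-workstation allowlist. The frames, source addresses and the allowlist are constructed assumptions for the demonstration.

```python
"""Flag Modbus/TCP write requests from hosts outside an engineering allowlist.

Added example, not from the advisory. Frames, addresses and the allowlist are
constructed assumptions.
"""
import struct
from ipaddress import ip_address, ip_network

# Public Modbus function codes that change controller state.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Assumption: only the engineering-workstation subnet may write to PLCs.
ALLOWED_WRITERS = [ip_network("10.10.5.0/24")]


def parse_mbap(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the function code of a Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:  # 0 identifies Modbus; anything else is not Modbus/TCP
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": fc & 0x7F,
        "exception": bool(fc & 0x80),  # error responses set the high bit
        "data": frame[8:],
    }


def describe_write(pdu: dict) -> dict:
    """Pull the target address (and quantity, where present) out of a write PDU."""
    data = pdu["data"]
    info = {"function": WRITE_FUNCTION_CODES[pdu["function_code"]]}
    if len(data) >= 2:
        info["address"] = struct.unpack(">H", data[:2])[0]
    if pdu["function_code"] in (15, 16, 23) and len(data) >= 4:
        info["quantity"] = struct.unpack(">H", data[2:4])[0]
    return info


def classify(src_ip: str, frame: bytes) -> str:
    """Return 'read', 'write-allowed' or 'write-unauthorized' for one request."""
    pdu = parse_mbap(frame)
    if pdu["function_code"] not in WRITE_FUNCTION_CODES:
        return "read"
    src = ip_address(src_ip)
    if any(src in net for net in ALLOWED_WRITERS):
        return "write-allowed"
    return "write-unauthorized"


def scan(events):
    """events: iterable of (src_ip, frame). Returns alerts for unauthorized writes."""
    alerts = []
    for src_ip, frame in events:
        if classify(src_ip, frame) == "write-unauthorized":
            pdu = parse_mbap(frame)
            alert = {"src": src_ip, "unit_id": pdu["unit_id"]}
            alert.update(describe_write(pdu))
            alerts.append(alert)
    return alerts


# Constructed sample requests: transaction id, protocol 0, length, unit 1, PDU.
FC6_WRITE_REG = bytes.fromhex("00010000000601060010" "1234")  # write 0x1234 to register 16
FC3_READ_REGS = bytes.fromhex("00020000000601030000" "000a")  # read 10 registers from 0
FC16_WRITE_MULTI = bytes.fromhex("00030000000b011000000002" "0400010002")  # 2 regs from 0

SAMPLE_EVENTS = [
    ("10.10.5.20", FC6_WRITE_REG),      # engineering workstation: allowed
    ("10.30.9.4", FC6_WRITE_REG),       # office subnet: unauthorized write
    ("10.30.9.4", FC3_READ_REGS),       # read only: not alerted here
    ("203.0.113.7", FC16_WRITE_MULTI),  # external address: unauthorized write
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the frames would come from a network tap or span port feeding the monitoring host, and the allowlist would mirror the ACLs on the OT firewall; the point of decoding the function code rather than just the port is that reads from a SCADA poller and writes from an unexpected host look identical at the flow level.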
Impact
- Operational Disruption
- Denial of Service
- Data Loss
Remediation
- Ensure all systems are updated with the latest security patches to close known vulnerabilities.
- Isolate ICS networks from corporate networks and the internet using firewalls and VLANs to prevent unauthorized access.
- Use network access control lists (ACLs) to limit communications to trusted devices.
- Implement continuous network monitoring to detect and respond to unusual or unauthorized TCP traffic.
- Deploy IDS to identify suspicious activities and potential intrusions on the ICS network.
- Use strong, multi-factor authentication for accessing ICS and OT systems to reduce the risk of unauthorized access.
- Perform regular security assessments and penetration testing to identify and mitigate potential vulnerabilities.
- Develop and regularly update an incident response plan specific to ICS/OT environments to ensure quick and effective responses to security breaches.
- Provide ongoing cybersecurity training for employees, focusing on recognizing phishing attempts and other social engineering attacks.
- Regularly backup ICS configuration and critical data, ensuring backups are stored securely and tested for reliability.
- Apply security controls such as antivirus, endpoint protection, and application whitelisting on all systems interfacing with ICS devices.
- Restrict remote access to ICS networks and ensure any necessary remote connections are secure and monitored.
- Regularly review and harden the configurations of ICS devices and controllers to minimize the attack surface.
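The ACL and monitoring items above amount to one question: which ICS services accepted connections from somewhere they should not have? The following is an added example, not code from the advisory, that triages firewall accept logs for exactly that. It maps destination ports to the protocols named in the analysis, flags connections from outside internal address space as internet-exposed, and flags internal sources outside an assumed trusted-client ACL as policy violations. The log lines, the trusted subnets and the port-to-protocol table are constructed assumptions.

```python
"""Triage firewall accept logs for ICS services reachable from untrusted hosts.

Added example, not from the advisory; log lines, trusted subnets and the
port-to-protocol table are constructed assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed default listener ports for protocols the advisory mentions.
ICS_SERVICES = {
    502: "Modbus/TCP",
    102: "Siemens S7comm (ISO-TSAP)",
    2404: "IEC 60870-5-104",
    44818: "EtherNet/IP",
    4840: "OPC UA",
    47808: "BACnet/IP",
    9600: "Omron FINS",
    1911: "Niagara Fox",
}

# Address space treated as "inside"; anything else counts as Internet-sourced.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed ACL: only these subnets may reach ICS services at all.
TRUSTED_ICS_CLIENTS = [ip_network("10.10.5.0/24"), ip_network("10.10.6.0/24")]

# Constructed log format: "<timestamp> <ACCEPT|DROP> <TCP|UDP> src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_any(ip, nets) -> bool:
    return any(ip in net for net in nets)


def triage(lines):
    """Return findings for accepted connections to ICS ports from untrusted sources."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # dropped traffic means the ACL worked; nothing to report
        service = ICS_SERVICES.get(rec["dport"])
        if service is None:
            continue
        src = ip_address(rec["src"])
        if not in_any(src, INTERNAL_NETS):
            verdict = "internet-exposed"
        elif not in_any(src, TRUSTED_ICS_CLIENTS):
            verdict = "untrusted-internal-client"
        else:
            continue
        findings.append({"device": rec["dst"], "service": service, "proto": rec["proto"],
                         "src": rec["src"], "verdict": verdict, "ts": rec["ts"]})
    return findings


def exposed_devices(findings):
    """Set of (device, service) pairs that accepted a connection from the Internet."""
    return {(f["device"], f["service"]) for f in findings if f["verdict"] == "internet-exposed"}


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 stand in for external hosts.
SAMPLE_LOG = [
    "2024-11-22T10:00:01Z ACCEPT TCP 203.0.113.7:51234 -> 10.20.1.15:502",
    "2024-11-22T10:00:02Z ACCEPT TCP 10.10.5.20:40000 -> 10.20.1.15:502",
    "2024-11-22T10:00:03Z ACCEPT TCP 10.30.9.4:40001 -> 10.20.1.16:102",
    "2024-11-22T10:00:04Z DROP TCP 198.51.100.9:4444 -> 10.20.1.15:2404",
    "2024-11-22T10:00:05Z ACCEPT TCP 203.0.113.8:5555 -> 10.20.1.40:443",
    "2024-11-22T10:00:06Z ACCEPT UDP 203.0.113.9:47808 -> 10.20.2.7:47808",
    "not a log line",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:26} {f['device']}:{f['service']} from {f['src']}")
```

Running it on the constructed log yields two internet-exposed findings (Modbus and BACnet) and one internal client on the office subnet reaching an S7 port; the dropped IEC-104 attempt and the HTTPS connection produce nothing. The table of ports is deliberately small; extend it from the device inventory rather than from a generic list so that vendor-specific or re-mapped listeners are not missed.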