A new study has found more than 145,000 industrial control system (ICS) services exposed on the Internet across 175 countries, with the US alone accounting for more than a third of the total.
The analysis, which comes from attack surface management company Censys, found that 38% of the exposed devices are located in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America and 0.5% in Africa.
The countries with the highest number of exposed ICS services are the USA (over 48,000), Turkey, South Korea, Italy, Canada, Spain, China, Germany, France, the UK, Japan, Sweden, Taiwan, Poland and Lithuania.
The figures are derived from scans for several widely used ICS protocols, including Modbus, IEC 60870-5-104, CODESYS and OPC UA.
One notable finding is that the attack surface differs by region: Modbus, S7 and IEC 60870-5-104 are more common in Europe, while Fox, BACnet, ATG and C-more are more common in North America. ICS services seen in both regions include EIP, FINS and WDBRPC.
Moreover, 34% of exposed C-more human-machine interfaces (HMIs) are associated with water supply and sanitation, and 23% with agricultural processes.
“Many of these protocols may date back to the 1970s, but remain fundamental to industrial processes without the same security improvements the rest of the world has seen,” Zakir Durumeric, Censys co-founder and chief scientist, said in a statement.
“The security of ICS devices is a critical element in protecting the nation’s critical infrastructure. To protect it, we need to understand the nuances of how these devices are exposed and vulnerable.”
Cyberattacks specifically targeting ICS have been relatively rare, with only nine strains of ICS-specific malware identified to date. However, recent years have seen an increase in malware targeting ICS, particularly since the start of the protracted Russia-Ukraine war.
In July of this year, Dragos revealed that an energy company in Ukraine had been targeted by malware known as FrostyGoop, which used Modbus TCP communications to disrupt the operational technology (OT) network.
The malware, also tracked as BUSTLEBERM, is a Windows command-line tool written in Go that can crash publicly exposed devices, ultimately resulting in a denial of service (DoS).
“Although the attackers used malware to attack ENCO control devices, the malware can attack any other type of device that communicates over Modbus TCP,” Palo Alto Networks Unit 42 researchers Asher Davila and Chris Navarrete said in a report released earlier this week.
“The details required by FrostyGoop to establish a Modbus TCP connection and send Modbus commands to the target ICS device can be provided as command line arguments or included in a separate JSON configuration file.”
According to telemetry data collected by the company, 1,088,175 Modbus TCP devices were reachable from the Internet during the one-month period from September 2 to October 2, 2024.
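To make the Modbus TCP mechanics described above concrete, here is an added example (not code from Dragos, Unit 42 or Censys, and not a reproduction of FrostyGoop) showing how a Modbus TCP request is framed, the MBAP header followed by a function code and data, and how a passive network monitor could parse captured frames and flag write requests arriving from hosts outside an engineering-workstation allowlist. The frame layout and function codes are those of the Modbus Application Protocol specification; the IP addresses, the allowlist and the sample frames are constructed for illustration.

```python
"""
Modbus TCP framing and a minimal write-request detector.

Added example; not code from Censys, Dragos or Unit 42.  The hosts,
allowlist and captured frames below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Function codes from the Modbus Application Protocol specification.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
# Any of these changes device state; reads (0x01-0x04) do not.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_request(transaction_id, unit_id, function_code, data):
    """Wrap a PDU (function code + data) in an MBAP header."""
    pdu = bytes([function_code]) + data
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_request(frame):
    """Parse one Modbus TCP request frame; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def read_holding_registers(tid, unit, address, count):
    return build_request(tid, unit, READ_HOLDING_REGISTERS,
                         struct.pack(">HH", address, count))


def write_single_register(tid, unit, address, value):
    return build_request(tid, unit, WRITE_SINGLE_REGISTER,
                         struct.pack(">HH", address, value))


def write_multiple_registers(tid, unit, address, values):
    # Start address, register count, byte count, then the register values.
    data = struct.pack(">HHB", address, len(values), 2 * len(values))
    data += b"".join(struct.pack(">H", v) for v in values)
    return build_request(tid, unit, WRITE_MULTIPLE_REGISTERS, data)


def detect(observed, allowed_writers):
    """observed: list of (source_ip, frame).  Returns a list of alert strings."""
    alerts = []
    for src, frame in observed:
        try:
            req = parse_request(frame)
        except ValueError as err:
            alerts.append(f"{src}: malformed Modbus frame ({err})")
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append(
                f"{src}: write (function 0x{req.function_code:02X}) to unit "
                f"{req.unit_id} from a host outside the writer allowlist")
    return alerts


# Constructed sample: one hypothetical engineering workstation is allowed to
# write; 203.0.113.7 is a hypothetical Internet host.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_TRAFFIC = [
    ("10.0.0.5", read_holding_registers(1, 1, 0, 10)),
    ("10.0.0.5", write_single_register(2, 1, 40, 1)),
    ("203.0.113.7", write_multiple_registers(3, 1, 40, [0, 0, 0])),
    ("203.0.113.7", b"\x00\x04\x00\x01\x00\x02\x01\x03"),  # protocol id 1: not Modbus
]


def run_sample():
    return detect(SAMPLE_TRAFFIC, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the write from the unlisted host and the malformed frame produce alerts; the workstation's read and write pass. In practice the allowlist would be fed from the asset inventory the article recommends building, and the same parser can be pointed at a mirror port or a packet capture rather than at constructed frames.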
Threat actors have also targeted other critical infrastructure, such as water utilities. In an incident reported in the US last year, the Municipal Water Authority of Aliquippa, Pennsylvania, was breached through Internet-exposed Unitronics programmable logic controllers (PLCs), which were defaced with an anti-Israel message.
Censys also found that the HMIs used to monitor and interact with ICS are increasingly reachable over the Internet to support remote access. The majority of exposed HMIs are located in the US, followed by Germany, Canada, France, Austria, Italy, the UK, Australia, Spain and Poland.
Interestingly, most of the identified HMI and ICS services are hosted on mobile or business-class Internet service providers (ISPs) such as Verizon, Deutsche Telekom, Magenta Telekom and Turkcell, which offer little metadata about who is actually operating the system.
“HMIs often contain company logos or plant names that can help identify the owner and the industry,” Censys said. “ICS protocols rarely offer the same information, making it nearly impossible to identify and notify owners of exposure. This probably requires collaboration with the major telecommunications companies that host these services.”
Because ICS and OT networks present such a wide attack surface, organizations should take steps to identify and protect exposed OT and ICS devices, change default credentials, and monitor their networks for malicious activity.
The risk is compounded by a surge in botnet malware (Aisuru, Kaiten, Gafgyt, Kaden and LOLFME) that exploits default OT credentials, not only to enlist the devices in distributed denial-of-service (DDoS) attacks but also to wipe the data they hold.
The disclosure comes weeks after Forescout found that Digital Imaging and Communications in Medicine (DICOM) workstations, picture archiving and communication systems (PACS), pump controllers and health information systems are the medical devices that pose the greatest risk to healthcare delivery organizations (HDOs).
The cybersecurity firm noted that DICOM is one of the most widely used Internet of Medical Things (IoMT) services and one of the most exposed on the Internet, with significant numbers of exposed instances in the United States, India, Germany, Brazil, Iran and China.
“Healthcare organizations will continue to face challenges related to medical devices that use outdated or non-standard systems,” said Daniel dos Santos, head of security research at Forescout.
“A single weak spot could open the door to sensitive patient data. That’s why asset identification and classification, network communication flow mapping, network segmentation and continuous monitoring are critical to securing growing healthcare networks.”