Dive Brief:
- Nearly 200,000 industrial control systems are publicly accessible online, many of them newly activated devices with weak security, the security firm Bitsight said on Thursday.
- The number of exposed ICS devices rose 13%, from 160,000 at the beginning of 2024 to more than 180,000 at the end of 2024, according to Bitsight, which predicted that the number would cross 200,000 before the end of 2025.
- “These aren’t just forgotten legacy systems,” Bitsight researchers wrote. “We’re increasingly seeing new ICS/OT exposures going live with internet access, often with outdated or insecure protocols, minimal authentication, and implying little consideration for network segmentation or attack surface reduction.”
Dive Insight:
Internet-exposed ICS devices pose major risks to operational technology organizations in sectors ranging from energy and water to telecommunications, healthcare and manufacturing. Many cybersecurity experts have approached the exposure problem through the lens of legacy technology, warning about the dangers of forgotten or outdated industrial equipment. But Bitsight’s report illustrates how new equipment carries many of the same risks.
Internet-exposed OT devices are exhibiting a growing number of OT-specific vulnerabilities, according to Bitsight, including logic flaws, web authentication bypass flaws and vulnerabilities that could allow remote code execution. “These aren’t niche bugs,” researchers wrote. Bitsight has seen vulnerabilities with the highest possible severity score and “trivial exploit paths,” as well as flaws that could imperil “fuel infrastructure, building automation, water treatment systems, and critical manufacturing.”
Making matters worse, no single OT networking protocol is responsible for the rise in exposed devices. Instead, Bitsight saw “a slight upward trend” in exposure across most of the 13 most common protocols it studied.
The U.S. had the most exposed devices (80,000), followed by Italy (75,000) and Spain (63,000). Most of the devices exposed on the protocols that Bitsight studied were in the U.S. and Europe.
Bitsight acknowledged that some of the devices it identified could have been deliberately configured to be internet-accessible so company employees could remotely manage them, but it said the sheer number of exposed devices suggested there was a “misalignment in how ICS/OT assets are being managed and secured.”
The company offered an example of how insecure internet-facing equipment could enable real-world harm. It said its researchers found thousands of internet-accessible automatic tank gauging systems — devices at fuel stations that “monitor fuel levels, detect leaks, and even control pump relays and other peripherals” — some of which didn’t require a password to access or supported logins via insecure protocols. “In the worst-case scenario,” Bitsight warned, “these devices could be abused to cut off fuel access or tamper with safety-critical parameters at scale.”
