{"id":86938,"date":"2024-04-23T01:49:46","date_gmt":"2024-04-23T08:49:46","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=86938"},"modified":"2025-06-26T11:56:21","modified_gmt":"2025-06-26T15:56:21","slug":"cybersecurity-threat-evolution-of-otics-and-iot-devices","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/cybersecurity-threat-evolution-of-otics-and-iot-devices\/","title":{"rendered":"The global threat evolution of internet-exposed OT\/ICS"},"content":{"rendered":"

Operational technology (OT) and Industrial Control Systems (ICS) are core parts of an engine fueling critical infrastructure in industrialized nations worldwide. Water treatment facilities. Wastewater plants. Electrical transmission and distribution hubs. Nuclear power and manufacturing plants. Energy pipelines.<\/p>\n

Over the years, these traditional technologies have become more connected and integrated to information systems that use the internet \u2013 opening them up for more efficient monitoring and automation of operational processes.<\/p>\n

However, many integrated systems that emphasize automation with digital connections have been fodder for state-sponsored cyberwarfare, criminal activity and political hacktivism. In fact, opportunistic attackers are increasingly abusing OT\/ICS exposure at scale \u2014 sometimes with a very lax targeting rationale driven by trends, such as current events, copycat behavior or the emergencies found in new, off-the-shelf capabilities or hacking guides.<\/p>\n

A recent wave of attacks by the Iranian-affiliated Cyber Av3ngers hacktivist group targeted Unitronics Programmable Logic Controllers (PLCs) around the world, including at a water utility near Pittsburgh<\/a>. Unfortunately, it has brought internet-exposed OT\/ICS back into the spotlight. A majority of media attention has been focused mostly on attacks on Israel and the US, but there are more countries and regions being exposed and attacked under the surface \u2013 and it extends beyond water utilities and Unitronics PLCs.<\/p>\n

Forescout Research \u2013 Vedere Labs has been tracking internet-exposed OT\/ICS data for over seven years \u2013 and the outlook remains mostly unchanged. Despite decades of raising awareness, navigating new regulations and advisories from CISA, critical infrastructure continues to be rife with open ports and hackable devices.<\/p>\n

In a new threat briefing \u201cBetter Safe Than Sorry<\/a>\u201d, we take a fresh look at exposed OT\/ICS data between 2017 and 2024. We analyze and detail problem areas by region and offer mitigation strategies. We detail three recent cases of device exposure that we have been tracking: the Unitronics attack wave and our attempts to proactively identify and notify asset owners with exposed Schneider Electric Modicon and Wago 750 PLCs.<\/p>\n

For complete details with detailed mitigation strategies, plus our data on the exposure of devices using the Nucleus NET and NicheStack TCP\/IP stacks, access the report<\/a>.<\/p>\n

The evolution of OT\/ICS exposure between 2017 and 2024<\/h2>\n

Using Shodan\u2019s pre-configured ICS tag search filter<\/a> \u2013 which finds many but not all<\/a> exposed OT\/ICS devices \u2013 we can see close to 110,000 Internet-facing devices as of the end of January 2024. The United States has 27% of exposed devices, followed by Italy, Spain, France and Canada with a combined total of 17%.<\/p>\n

How has exposed OT\/ICS evolved since 2017? Watch our research leaders discuss on-demand<\/a>. <\/em><\/p>\n

\n

Access Report <\/span><\/a>\u00a0\u00a0\u00a0Watch Webinar<\/span><\/a>\n<\/div>\n\n\n\n\n
\"\"<\/a><\/td>\n<\/tr>\n
\"\"<\/a><\/td>\n\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Figure 1 \u2013 Summary of exposed OT\/ICS<\/em><\/center>Only the US and Canada significantly reduced the number of exposed devices during the period of study: 47% in the US and 45% in Canada. The other top 10 countries increased the number of exposed devices: 82% in Spain, 58% in Italy, 26% in France, 13% in Germany and 10% in Russia.<\/p>\n\n\n\n\n
\"\"<\/a><\/td>\n\"\"<\/a><\/td>\n<\/tr>\n
\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Figure 2 \u2013 Changes in exposed OT\/ICS in the top 10 countries<\/em><\/center><\/p>\n

Manufacturing and building automation protocols make up a major portion of exposed device types.<\/h4>\n

Modbus represents 29% of exposed services, followed by three building automation protocols \u2013 KNX, BACnet and Tridium Fox \u2013 with a combined total of 32%.<\/p>\n

The top 10 types of exposed services remained mostly constant since 2017, but Tridium Fox, Lantronix and MOXA Nport saw a significant decrease in the number of devices (70% for the first two and 53% for the last) while Modbus and Siemens S7 saw an increase: 48% for Modbus and 121% for S7. Some of these reductions correlate with proactive research and government notifications<\/a>.<\/p>\n\n\n\n
\"\"<\/a><\/td>\n\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Figure 3 \u2013 Changes in the top exposed OT\/ICS services<\/em><\/center><\/p>\n

A fresh take on the Unitronics attacks: Israel and the US are not alone \u2014 and it extends way beyond water<\/h2>\n

Media focus has mostly been on the effects of the Unitronics\u2019 attacks on the US and Israeli water sectors, however, the attack waves have not been limited in geographic or sector scope. Deeper awareness has led to a reduction in exposed devices, according to our data. But the risk remains and is not limited to one flavor of PLC.<\/p>\n

This indiscriminate wave hit everything from water utilities in Ireland<\/a> and Romania<\/a>, oil pumps<\/a> and a public aquarium<\/a> in the US, a brewery<\/a> in Pittsburgh, a factory<\/a> in the Czech Republic, and various unspecified victims on the Unitronics support forum<\/a>, to several agricultural entities in Western Europe reported privately to Forescout.<\/p>\n

Back in February 2022 and April 2023<\/a> \u00a0defacement imagery on these PLCs had already targeted this equipment in agricultural water controllers and parcel distribution centers in Israel. By November 2023, there were a series of attacks on internet-exposed PLCs manufactured by Unitronics<\/a> where hacktivists defaced the interfaces on those PLCs.<\/p>\n

Secureworks<\/a> reported the hacktivist group GhostSec<\/a> also claimed to have targeted Unitronics PLCs in Israel in October 2023. In March 2023, a Telegram channel associated with GhostSec posted an ICS \/ SCADA hacking guide<\/a> explicitly showing how to identify Unitronics devices and how to use Unitronics VisiLogic<\/a> software to connect to these devices using the PCOM protocol (port 20256\/TCP) and then take control of their HMIs.<\/p>\n

We noted in November<\/a> there were over 1,800 internet-exposed Unitronics PLCs across the globe. As of early February 2024, this number has fallen to 937<\/strong> Figure 4.<\/p>\n\n\n\n
\"\"<\/a><\/td>\n\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Figure 4 \u2013 Decrease in exposed Unitronics PLCs between late 2020 and early 2024<\/em><\/center>While reduction in exposure is good news overall, we can see that the decrease in Israel started in early 2022 which coincides with the earliest attacks reported on those devices.<\/p>\n

In the US, the decrease only started at the end of 2023. To be clear, this means that if the US authorities had paid attention to the attacks in Israel in 2022, the most recent attacks in the US could have been avoided<\/strong>.<\/p>\n

The scope of PLC exposure and fresh use cases<\/h2>\n

Beyond that, we still see too many Unitronics PLCs exposed in the water and agricultural sectors, but also in building management systems, including at:<\/p>\n