A recent global study has found nearly 150,000 industrial control systems (ICS) exposed to the public internet, creating serious cybersecurity risks for critical infrastructure around the world.
Conducted by researchers from Delft University of Technology in the Netherlands and the Norwegian University of Science and Technology, the study highlights major vulnerabilities across 175 countries. These systems are found in sectors such as energy, manufacturing, and water utilities.
Global Exposure of ICS Systems
The exposed systems use protocols that were never designed with cybersecurity in mind. Many exchange data in plain text and use little or no authentication. Attackers could exploit these systems to disrupt or take control of critical operations.
Historical incidents, like the Stuxnet attack on Iran’s nuclear program and the 2015 Ukraine power outage, show how cyberattacks on ICS devices can have devastating consequences.
With industrial operations becoming more digitized, unsecured access points present growing risks to national infrastructure and public safety.
Key Findings by Country and Protocol
The United States tops the list with more than 45,000 exposed devices, accounting for about one-third of the global total. Other heavily affected nations include Turkey, China, and Brazil.
Protocol usage varies by region. The most commonly observed protocol was:
- Modbus: 38.3%
- Niagara Fox: 16.1% (dominant in the U.S.)
- EtherNet/IP: 9.7%
- BACnet: 8.9% (dominant in Canada)
- IEC 60870-5-104: prevalent in Russia and Turkey
Improved Detection of Honeypots
A key innovation in the research was a refined method to separate real ICS devices from honeypots — fake systems designed to lure and monitor attackers.
Earlier studies often failed to filter out these decoy systems, leading to inflated exposure numbers. This study found that 15% to 25% of supposedly exposed ICS systems were actually honeypots.
To identify them, researchers used:
- High-confidence markers: protocol flaws, default settings, and signs of emulation using tools like Conpot
- Medium-confidence indicators: systems hosted on cloud services, excessive open ports (many honeypots had dozens or even thousands)
This approach provides a clearer picture of real-world risks while helping honeypot designers make their decoys more effective and realistic.
Urgent Need for Stronger Protections
Lead researcher Martin Mladenov emphasized the importance of accurate measurement, stating: “Our results challenge previous ICS studies which either partially considered or completely overlooked honeypots, leading to an inflated number of detected exposed ICS devices.”
Experts recommend that industrial organizations:
- Air-gap critical control systems where possible
- Use VPNs with strong authentication
- Ensure ICS devices are not directly accessible from the internet
The findings highlight the global scale of industrial cyber risk and the urgent need for coordinated, proactive defenses to protect vital systems.
