Thousands of Exposed Industrial Control Systems in US, UK Threaten Water Supplies

Summary:
Previous analyses of ICS exposure have focused on the automation protocols themselves; more recent research has explored the exposure of HMIs and web administration interfaces, which often reveal location information and other identifying details. This study also examined the networks hosting these protocols and interfaces to better understand who owns and operates them. Censys identified over 40,000 internet-connected ICS devices in the U.S., with more than half associated with protocols used for building control and automation. Excluding known building control protocols, 18,000 devices were found to likely control industrial systems. Over 50% of hosts running low-level automation protocols were concentrated in wireless and commercial/business ISPs, such as Verizon and Comcast. Additionally, over 80% of hosts with exposed HMIs were found in wireless networks like Verizon and AT&T. Nearly half of the identified HMIs associated with Water and Wastewater Systems (WWS) could be manipulated without authentication.

In the UK, Censys identified approximately 1,500 control systems exposed on the public internet through scans of 18 automation protocols, including EtherNet/IP, PCOM, and DNP3. Around 1,700 HTTP devices associated with 26 operational technology vendors were publicly accessible, many of which likely still accept default credentials. Preliminary investigation revealed that over 80% of these administration interfaces were for building controls.

Security Officer Comments:
In November 2023, the CyberAv3ngers, an Iranian Revolutionary Guard Corps-affiliated hacking group, compromised the Municipal Water Authority of Aliquippa, Pennsylvania. They exploited a publicly exposed Unitronics Vision Series PLC, known to have default passwords, to target a water pressure monitoring system at a remote pumping station. The group defaced the system's interface with an anti-Israel message as part of a broader campaign targeting Israeli-made Unitronics PLCs globally, in response to regional conflicts. In January 2024, the Cyber Army of Russia Reborn, purportedly linked to Russia’s military intelligence, targeted water facilities in the small Texas towns of Muleshoe and Abernathy. They claimed responsibility for manipulating human-machine interfaces (HMIs) at these facilities, resulting in the overflow of water storage tanks and causing minor, temporary disruptions in Muleshoe.

Quantifying automation protocol exposure is only part of the issue. Researchers and analysts must also consider internet-accessible administration interfaces for many ICS devices. Recent attacks demonstrate how easily these interfaces can be accessed and manipulated by threat actors, even without detailed knowledge of the systems or protocols. Many of the identified devices in the U.S. are hosted on cellular networks or commercial/business ISPs. While HMIs and web administration interfaces sometimes provide ownership clues, automation protocols rarely do, making it challenging to notify owners of device exposures.

Suggested Corrections:

  1. Change Default Credentials: Immediately change default passwords on all devices and ensure that strong, unique passwords are used.
  2. Network Segmentation: Segment ICS networks from corporate and public networks to limit exposure. Use firewalls and virtual LANs (VLANs) to create secure zones.
  3. Implement Access Controls: Restrict access to ICS networks and devices using role-based access controls (RBAC). Ensure only authorized personnel have access.
  4. Regular Patching and Updates: Keep all software and firmware up to date with the latest security patches. Regularly update ICS devices and systems to mitigate known vulnerabilities.
  5. Multi-Factor Authentication (MFA): Enable multi-factor authentication for remote access to ICS networks and devices.
  6. Monitor and Audit: Continuously monitor network traffic and device activity for suspicious behavior. Implement intrusion detection systems (IDS) and regularly audit access logs.
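As an added example (not code from the report or the article), the following Python script applies the "Monitor and Audit" recommendation to constructed firewall log lines: it flags every allowed connection that reaches a port for one of the automation protocols named above (EtherNet/IP, DNP3, PCOM) from an address outside the operator's own ranges. The port mapping, the log line format and the internal address ranges are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Assumed TCP ports for the protocols the report names (assumption, not from the report):
# EtherNet/IP 44818, DNP3 20000, Unitronics PCOM 20256.
ICS_PORTS = {44818: "EtherNet/IP", 20000: "DNP3", 20256: "PCOM"}

# Address ranges the operator treats as internal (constructed: RFC 1918 space).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical firewall log format: "<timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_external_ics_access(lines):
    """Return one (timestamp, src, dst, port, protocol) tuple per allowed connection
    that reaches an ICS protocol port from an address outside INTERNAL_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines instead of aborting the run
        ts, action, _, src, _, dst, dport = m.groups()
        port = int(dport)
        if action == "ALLOW" and port in ICS_PORTS and not is_internal(src):
            hits.append((ts, src, dst, port, ICS_PORTS[port]))
    return hits

def protocol_counts(hits):
    """Count flagged connections per protocol for a quick exposure summary."""
    return dict(Counter(h[4] for h in hits))

# Constructed sample log using TEST-NET source addresses; not real traffic.
SAMPLE_LOG = """\
2024-06-01T03:14:07Z ALLOW TCP 203.0.113.45:51234 -> 10.20.30.5:20000
2024-06-01T03:14:09Z ALLOW TCP 10.20.30.7:40212 -> 10.20.30.5:20000
2024-06-01T03:15:11Z DENY TCP 198.51.100.9:60001 -> 10.20.30.6:44818
2024-06-01T03:16:02Z ALLOW TCP 198.51.100.9:60002 -> 10.20.30.6:44818
2024-06-01T03:17:45Z ALLOW TCP 192.0.2.17:55555 -> 10.20.30.8:20256
2024-06-01T03:18:00Z ALLOW TCP 192.0.2.17:55556 -> 10.20.30.9:443
"""

if __name__ == "__main__":
    found = find_external_ics_access(SAMPLE_LOG.splitlines())
    for ts, src, dst, port, proto in found:
        print("%s: external %s reached %s on %s:%d" % (ts, src, proto, dst, port))
    print(protocol_counts(found))
```

Only allowed connections from outside the internal ranges are reported, so the denied EtherNet/IP attempt and the internal DNP3 poll in the sample are ignored.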

Link(s):
https://hackread.com/exposed-industrial-control-systems-us-uk-water-risk/

https://censys.com/research-report-internet-connected-industrial-control-systems-part-one/