Bitsight today unveiled new research which found that nearly 100,000 industrial control systems (ICS) owned by organizations around the world are exposed to the public internet. If exploited, threat actors could gain control of physical infrastructure, potentially including power grids, traffic light systems, security systems, water systems, and more. Such a severe attack has the potential to cause significant business disruption, threats to human safety, data and intellectual property compromise, and national security threats.
The exposed organizations span 96 countries and include several Fortune 1000 organizations. Additionally, the sectors with the highest concentration of exposed ICSs include education, technology, government and politics, and business services. While Bitsight observed a steady decline in the number of internet-facing ICSs from 2019 to 2023, there remains a significant risk to organizations, their partners, and their constituents.
“Industrial control systems play a critical role in helping organizations avoid societal disruptions and the exposure of these devices is a serious matter,” said Bitsight Chief Risk Officer Derek Vadala. “This research shows that while the number of exposed ICSs is trending downwards, the overall threat level remains too high. An attack on just one ICS device would be a potentially catastrophic event that could have far-reaching consequences.”
Given the impact of a potential attack on an exposed ICS, Bitsight urges organizations to immediately engage in the following remediation efforts:
- Identify any industrial control systems deployed by their organization and/or their third-party business partners, and promptly assess the security of these systems.
- Remove any exposed industrial control systems from the public internet.
- Employ safeguards like firewalls to protect against unauthorized access to their industrial control systems.
It’s also critical that manufacturers of industrial control systems and other operational technology take action to increase the cybersecurity of the devices they create. Bitsight recommends manufacturers:
- Use secure-by-design principles to develop more secure technology.
- Improve the security posture of deployed equipment and machinery by leveraging data and insights.
- Build programs to accurately and swiftly detect misconfigured or otherwise exposed systems.
For more information, the full study can be viewed here.