In the age of escalating cyber threats, Critical National Infrastructure (CNI) operators face a daunting challenge: defending systems not originally designed for the public Internet from attackers who have unprecedented visibility into the external attack surface. Despite layered defenses and well-structured networks, inadvertent exposures—especially of Human Machine Interfaces (HMIs) and misconfigured services—have become one of the most persistent and dangerous threat vectors.
This is where External Attack Surface Management (EASM) plays a critical role.
Understanding EASM in the CNI Context
EASM refers to the continuous discovery, inventory, classification, and monitoring of Internet-facing assets that belong to an organization—whether officially deployed or accidentally exposed. While EASM is vital across industries, its application in CNI is particularly urgent due to the high-value, high-risk nature of the systems involved.
Critical sectors such as energy, water, transportation, and telecommunications are increasingly reliant on complex digital ecosystems. With digital transformation comes exposure. A forgotten dev box, an HMI with a hardcoded password, or a misconfigured VPN portal could become the digital equivalent of a backdoor left ajar.
Accidental Exposures: The Unseen Risks
While most CNI environments are built with security in mind, the reality of decentralized operations, third-party vendors, and shadow IT means that not all assets are properly tracked. Some common accidental exposures include:
- Staging or test environments spun up for a project and left connected to the Internet.
- Industrial protocols (e.g., Modbus, DNP3, BACnet) exposed over TCP/IP without encryption or authentication.
- Web-based dashboards or HMIs intended for internal-only use but reachable externally due to misconfigured access controls.
- Asset discovery agents or scanning tools inadvertently left active in production environments.
Even if these assets don’t appear immediately dangerous, they provide critical reconnaissance value to attackers—laying the groundwork for targeted intrusions.
The Purdue Model: Why EASM Still Matters Behind Firewalls
The Purdue Model for ICS Security organizes industrial control systems into hierarchical levels, with Level 0 and Level 1 representing sensors and controllers, Level 2 comprising control systems like HMIs, and Levels 3-5 covering IT and enterprise networks.
Traditionally, operators believed that lower levels (especially Level 1/0) were sufficiently protected by firewalls or air gaps. But modern interconnectivity, cloud integrations, and remote access requirements have blurred these boundaries. For example:
- An exposed Level 3 jump host could allow lateral movement into industrial DMZs.
- A remote-access VPN into Level 2 may not restrict user access adequately, granting unnecessary visibility into HMIs.
- Cloud-connected services at Level 3/4 may inadvertently bridge the Purdue model’s security layers.
This means that even assets “protected” behind firewalls can be indirectly reachable if adjacent systems—discovered and catalogued through EASM—are exploited.
Exposed HMIs: The Human Weak Link
Human-Machine Interfaces (HMIs) are among the most sensitive components in ICS environments. They present visual controls to human operators and directly influence physical processes like turbine speeds or power grid settings.
Yet HMIs are increasingly:
- Web-accessible, often through remote VNC, RDP, or web-based dashboards.
- Running on outdated operating systems (e.g., Windows XP Embedded).
- Connected to upstream cloud monitoring or analytics platforms.
In too many cases, EASM tooling has discovered HMIs directly exposed to the Internet—sometimes even indexed in search engines like Shodan—with default credentials or no authentication.
Even if they’re not exposed directly, HMIs may be indirectly at risk if adjacent services are breached, demonstrating how exposure at Level 3 or 4 in the Purdue model can trickle down to Level 2 or even Level 1.
Building a Modern EASM Strategy for CNI
To mitigate these risks, CNI operators need a proactive EASM program that can:
- Continuously Discover and Attribute Assets
  Map all known and unknown Internet-facing assets across subsidiaries, acquisitions, contractors, and legacy systems.
- Correlate Findings with Network Architecture
  Contextualize exposures in terms of their position in the Purdue model and evaluate the blast radius of compromise.
- Monitor for Protocol and Service Exposure
  Detect ICS-specific protocols and monitor for exposed RDP, VNC, or insecure HMIs.
- Evaluate Firewall Assumptions
  Conduct attack path analysis to identify how perimeter exposures might reach protected networks—even through complex layered firewalls.
- Close the Loop with OT and IT
  Integrate EASM data with SOC workflows, vulnerability management, and ICS risk frameworks for rapid response.
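As an added illustration of the "Correlate Findings with Network Architecture" and "Evaluate Firewall Assumptions" steps (example code written for this page, not taken from Censys or any product), the sketch below ranks Internet-facing findings by the lowest Purdue level they can reach through flows the firewalls allow. The asset names, levels, flows, and findings are constructed sample data, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample data (hypothetical asset names), not from a real network.
PURDUE_LEVEL = {"vpn-portal": 4, "dev-box": 4, "jump-host": 3,
                "historian": 3, "hmi-01": 2, "plc-07": 1}
# Flows the firewall rules allow: source -> destinations.
ALLOWED_FLOWS = {"vpn-portal": ["jump-host"],
                 "jump-host": ["historian", "hmi-01"],
                 "hmi-01": ["plc-07"]}
# EASM findings: assets observed from the Internet and the service seen.
EXPOSED = {"dev-box": "rdp/3389", "vpn-portal": "https/443"}


def deepest_path(start, flows, levels):
    """BFS from an exposed asset; return the shortest path to the
    lowest Purdue level reachable through allowed flows."""
    parent = {start: None}
    queue = deque([start])
    best = start
    while queue:
        node = queue.popleft()
        if levels[node] < levels[best]:
            best = node
        for nxt in flows.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    path = []
    while best is not None:
        path.append(best)
        best = parent[best]
    return path[::-1]


def triage(exposed, flows, levels):
    """Rank exposures: lowest reachable Purdue level first (largest blast radius)."""
    rows = []
    for asset, service in exposed.items():
        path = deepest_path(asset, flows, levels)
        rows.append((levels[path[-1]], asset, service, path))
    return sorted(rows)


if __name__ == "__main__":
    for level, asset, service, path in triage(EXPOSED, ALLOWED_FLOWS, PURDUE_LEVEL):
        print(f"{asset} ({service}) reaches Level {level}: {' -> '.join(path)}")
```

In this sample the VPN portal outranks the exposed RDP dev box: the dev box has no onward flows, while the portal sits three allowed hops from a Level 1 controller.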
Censys Attack Surface Management (ASM) offers continuous comprehensive monitoring of external attack surfaces so you can discover, prioritize, and eliminate exposures with confidence. Request a demo to see Censys ASM in action.
Final Thoughts
Cyber threats to Critical National Infrastructure are no longer hypothetical. Nation-state groups, ransomware gangs, and hacktivists all have a vested interest in exploring weaknesses in these environments.
EASM shines a light on the unseen: the forgotten assets, accidental exposures, and shadow services that make CNI environments vulnerable. But it doesn’t just expose risk—it gives defenders the visibility they need to take control of their digital footprint before attackers do.
As we continue to bridge the worlds of OT and IT, EASM will be the early warning system at the edge of that convergence—reminding us that what we can’t see can hurt us.

