Global ICS Exposures: What Our 2024 State of the Internet Report Reveals About Critical Infrastructure Security

The Censys Research Team identified over 145,000 exposed Industrial Control System (ICS) services globally, more than one-third of which are located in the United States.

Industrial control systems are the backbone of industrial operations, making their exposure to the Internet a long-standing concern for security researchers. While direct cyberattacks on ICS remain less common due to the technical expertise required, the potential consequences of such breaches, when successful, can be devastating.

Recently, however, threat actors have turned their attention to an easier target: Human Machine Interfaces (HMIs). These graphical interfaces allow operators to control and monitor ICS machinery, but many are connected to the public Internet to facilitate remote access. Unfortunately, their convenience often comes at a cost—weak authentication measures and user-friendly interfaces create opportunities for threat actor intrusion.

In the third annual State of the Internet Report, the Censys Research Team set out to illustrate the extent of these global ICS exposures in a measured, non-sensational way, to provide actionable insights for operators and defenders. In this blog, we offer a preview of what the team uncovered and what these findings suggest about the state of critical infrastructure security.

1. Human-Machine Interface (HMI) Exposures: A Growing Risk

The risk of exposed Human-Machine Interfaces (HMIs) is often overlooked. Yet, as the Censys Research Team writes in their report, “HMIs represent the most concerning and compelling exposures in the ICS space.”

HMIs are essential for monitoring and managing industrial systems, and their increasing internet connectivity to enable remote access has turned them into an easy target for threat actors. What makes HMIs particularly vulnerable is their lack of robust security measures: many are accessible without authentication or rely on weak default configurations. The simplicity of accessing and manipulating exposed HMIs has led to notable attacks, like those on municipal water systems in 2023 and 2024.

In The 2024 State of the Internet Report, the Censys Research Team identified over 7,700 exposed HMIs across 80 countries, with nearly 70% located in North America.

Among the 20 HMI software types observed, the team took a closer look at the most prevalent, AutomationDirect C-More HMIs, to learn more about industry impact.

C-More HMIs run a public web server with a read-only view of each programmed screen. They also run a proprietary protocol built specifically to program the HMIs, which is enabled by default and has weak or no authentication.

In looking at industries running C-More HMIs, Censys found that more than one-third of exposures were water and wastewater related.

Figure: Censys Observed C-More HMIs

Recent research from GreyNoise Intelligence on HMI exposure aligns with Censys’ findings on the risks HMIs present. In their blog article, which includes coverage of The 2024 State of the Internet Report, GreyNoise shares that they observed Internet-connected HMIs were scanned and probed more quickly than baseline sensors. GreyNoise further states that, “Over 30% of IPs that touched the HMIs before a typical GreyNoise sensor were later identified as malicious.”

2. ICS Exposure: A Persistent Security Challenge

This year’s State of the Internet Report also analyzes the widespread exposure of ICS protocols, also known as automation protocols, which, as mentioned, are foundational to industrial operations but notoriously insecure.

Globally, Censys observed over 148,000 ICS services across 175 countries, with North America hosting 38% and Europe 35% of these exposures. While this underscores the significant opportunity the U.S. has to address protocol exposures, the U.S. also has the greatest number of allocated IPv4 addresses. When ICS services are examined as a ratio to total Internet footprint, Lithuania, Belarus, and Turkey are at the top of the list.

Figure: Countries with Greatest ICS Service Exposure

Key vulnerable ICS protocols include:

  • Modbus: Widely used across industries, but often lacks encryption and authentication.
  • IEC 60870-5-104: Essential for power systems but increasingly targeted in malware campaigns.
  • CODESYS and OPC UA: Advanced protocols integral to automation but frequently exposed due to misconfigurations.

These protocols, though designed decades ago, remain critical for industrial processes. Unfortunately, their legacy design and lack of modern security make them ripe for exploitation.

3. Regional Differences and Global Trends in ICS Exposure

Censys finds that ICS exposures vary by region. In Europe, legacy protocols like Modbus dominate, while North America shows higher usage of consumer-grade ISPs and mobile networks for ICS connectivity.

Figure: ICS Service Comparison, North America and Europe

A significant number of exposed devices run on 5G or LTE networks, complicating attribution and making it difficult to determine ownership.

This reliance on mobile networks for ICS connectivity introduces unique challenges. Threat actors can exploit the lack of metadata associated with these devices, making it harder for security teams to detect and attribute malicious activity.

Looking Ahead: Securing Critical Infrastructure

As our 2024 State of the Internet Report makes clear, exposures across the global ICS attack surface abound. While the vulnerabilities of Human-Machine Interfaces and ICS protocols differ, they share a common challenge—exposure to the internet is increasing the likelihood of attacks.

To stay ahead, ICS operators and security teams need to:

  • Identify and secure exposed HMIs and ICS protocols.
  • Avoid connecting ICS protocols and HMIs to the Internet when possible.
  • Avoid using weak or default credentials.
  • Leverage real-time internet intelligence to monitor and address emerging threats.
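
One way to act on the first two recommendations, as an added example that is not from Censys or the report: audit a firewall ruleset for allow rules that let sources outside RFC 1918 space reach the default TCP ports of the protocols named in this post. The rule format, the sample rules and the port map (commonly documented defaults) are assumptions constructed for illustration.

```python
import ipaddress

# Commonly documented default TCP ports (assumption: your deployment may
# differ, so extend this map from your own asset inventory).
ICS_PORTS = {
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    2455: "CODESYS (V2 runtime)",
    11740: "CODESYS (V3 runtime)",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample ruleset in a hypothetical, vendor-neutral format.
SAMPLE_RULES = [
    {"id": "r1", "action": "allow", "src": "0.0.0.0/0", "ports": "502"},
    {"id": "r2", "action": "allow", "src": "10.20.0.0/16", "ports": "502"},
    {"id": "r3", "action": "allow", "src": "198.51.100.0/24", "ports": "2400-2410"},
    {"id": "r4", "action": "deny", "src": "0.0.0.0/0", "ports": "4840"},
    {"id": "r5", "action": "allow", "src": "0.0.0.0/0", "ports": "443"},
    # Mask one bit too wide: 172.16.0.0/11 spills outside 172.16.0.0/12.
    {"id": "r6", "action": "allow", "src": "172.16.0.0/11", "ports": "4000-12000"},
]

def is_internal_only(cidr):
    """True only if every address in the source range is RFC 1918 space.
    IPv6 sources are treated as not internal so they get reviewed."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)

def port_range(spec):
    """Parse '502' or '2400-2410' into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def find_exposed(rules):
    """Return (rule id, port, protocol) for allow rules open to outside sources."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or is_internal_only(rule["src"]):
            continue
        low, high = port_range(rule["ports"])
        for port, proto in sorted(ICS_PORTS.items()):
            if low <= port <= high:
                findings.append((rule["id"], port, proto))
    return findings
```

Each rule is judged on its own, so a finding still needs checking against rule order and any upstream filtering before it is treated as a confirmed exposure.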

Download the full 2024 State of the Internet Report for even more detailed findings and actionable insights.

Interested in hearing directly from the Censys Research Team? Join our special 2024 State of the Internet Report Webinar event on December 11, 2024 at 1pm EST!