Half of the 40,000 internet-connected industrial control systems (ICS) devices in the U.S., more than half of which are associated with building control and automation protocols, run low-level automation protocols found in wireless and consumer access networks, including those of Verizon and Comcast.

According to the report from Censys, more than 80% of hosts with exposed human-machine interfaces (HMIs) are in wireless networks like Verizon and AT&T.

Censys researchers examined the current exposure of ICS devices in the U.S., focusing on automation protocols and HMIs.

Nearly half of the HMIs associated with Water and Wastewater Systems (WWS) can be manipulated without authentication.

The research team found automation protocols, essential for communication between various control system components, often lack authentication, while HMIs, crucial for monitoring and controlling industrial systems, increasingly support remote access, making them vulnerable.

Himaja Motheram, security researcher at Censys, said while the intent behind these exposures is hard to gauge, based on the nature of the industry, it’s likely that these are due to inadequate training and resources.

“It’s plausible that many device owners either do not realize that their systems are exposed, are unaware of the associated risks, or, despite knowing the risks, lack the necessary security and IT resources to adequately protect them while maintaining their operations,” she said.

Risk From Web Admin Interfaces

The study also highlighted the risk from web administration interfaces, many of which ship with default credentials.

Motivated by recent attacks on U.S. ICS devices by state-linked actors such as the Iranian Revolutionary Guard Corps, the People’s Republic of China and the Cyber Army of Russia Reborn, the findings underscore the critical need for enhanced security measures.

These attacks have demonstrated that internet-accessible interfaces can be easily exploited by threat actors, even those without detailed knowledge of the systems.

The report noted many devices are hosted on wireless or consumer networks, complicating the identification and notification of owners about these exposures, thereby highlighting a significant vulnerability in the current infrastructure.

Aidan Holland, Security Researcher at Censys, said while there are several well-known attacks against critical infrastructure in other nations, there’s been a sense that it couldn’t (or wouldn’t) happen in the U.S.

“These recent attacks, though relatively minor in scope, illustrate that our infrastructure is indeed susceptible to such threats,” he said.

Holland cautioned that internet-connected HMIs and administrative interfaces — particularly those with weak or no authentication — lower the bar for actors seeking to cause harm.

“The security of these systems is such that even attackers with minimal expertise can exploit them because of their accessibility,” he said.

While state-affiliated actors may have specific motivations for targeting such devices, nation-state resources are not required to carry out attacks like the recent activity seen against Internet-connected HMIs.

“These attacks could’ve been carried out by anyone with knowledge of where these services exist on the internet,” Holland explained.

From his perspective, basic security hygiene measures are key for defending against this activity.

“Operators should ensure these systems have robust authentication measures in place as a bare minimum, but ideally would protect them with a VPN or firewall and ensure they are not exposed directly to the internet,” he said.

VPNs, Network Segmentation Critical

Motheram explained the most crucial measure is to prevent exposing remote access protocols to the public internet, which can be achieved by using VPNs or other network segmentation.

“Exposing these protocols or misconfiguring them significantly increases the attack surface of an asset and can increase the likelihood of threat actors gaining unauthorized access,” she said.

She added it is good practice to carefully control and restrict who has access to each device, ensuring that only authorized personnel can connect.

Apart from security measures, the findings from the research also highlight the importance of awareness and security training for device administrators.

“More widespread emphasis on the risks associated with publicly exposing industrial devices is needed to help direct more investment of resources toward securing these devices,” Motheram said.