View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 5, 2023updated 06 Oct 2023 9:47am

Industrial control systems for 100,000 pieces of equipment exposed online

Such systems are often difficult to patch, meaning they can be left exposed to cybercriminals.

By Claudia Glover

Industrial control systems (ICSs) for more than 100,000 pieces of equipment are accessible from the public internet, new research claims. The systems belong to some of the world’s biggest organisations and include controls for critical national infrastructure, the report says.

Industrial control systems
Access to global CNI exposed on the public internet. (Photo by yelantsevv/Shutterstock)

The systems are used to manage technology in industrial settings and cover vital processes in power grids and water systems. The new research from security company Bitsight says that many of these systems are not adequately secured and can be accessed via a conventional web browser.

“Thousands of organisations are using ICSs directly reachable from the public internet, presenting a series of potential consequences of which private and public sector leaders should be aware,” the report says.

The vulnerabilities stem from a common problem with operational technology (OT) – the difficulty in patching such systems. “Many industrial systems – whether critical infrastructure or not – use old, hard-to-patch software but still play critical roles in societies and organisations, so patching downtime is costly or inflicts inconvenience or suffering on the population,” the Bitsight research says.

Shutting down a power grid or other pieces of critical infrastructure to fix such issues has far-reaching consequences, “typically greater in magnitude than those experienced from shutting down an IT environment”. OT systems are “therefore more complicated to secure and present unorthodox bottlenecks unlike those experienced on the IT front”, the report adds.

Bitsight found ICS problems in systems based in 96 different countries, with the four most badly affected areas being the US, Canada, Italy and the UK. 

Regulation introduced to secure industrial control systems

Derek Vadala, chief risk officer at Bitsight, said: “While the number of exposed ICSs is trending downwards, the overall threat level remains too high.

Content from our partners
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business
When it comes to AI, remember not every problem is a nail

“An attack on just one ICS device would be a potentially catastrophic event that could have far-reaching consequences.”

He added that “industrial control systems play a critical role in helping organisations avoid societal disruptions and the exposure of these devices is a serious matter.”

Critical infrastructure is a popular target for nation-state-backed hackers, and in May the UK, US and the other members of the Five Eyes security alliance warned of the threat posed by a Chinese hacking gang, Volt Typhoon, which is specifically targeting infrastructure.

Governments are trying to tackle this problem with legislation, and last year the UK government introduced new cybersecurity rules to protect national infrastructure by providing regulators with increased powers. It has also set cyber resilience targets for critical infrastructure providers with a 2025 compliance deadline.

In the meantime, Bitsight urges private companies to identify any industrial control systems deployed by their organisation and partners in their supply chain, and promptly assess the security of these systems. They should remove any exposed industrial control systems from the public internet and use safeguards like firewalls to protect against unauthorised access to their network. For public sector companies, Bitsight says organisations should use secure-by-design principles to develop safer technology.

Read more: More than 6,000 Sony employees hit by MOVEit Transfer data breach

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.