Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Building Automation Protocols Increasingly Targeted in OT Attacks: Report

Industrial automation protocols continue to be the most targeted in OT attacks, but building automation systems have been increasingly targeted. 

ICS/OT attacks

Industrial automation protocols continue to be the most targeted in attacks aimed at operational technology (OT), but building automation systems have been increasingly targeted, according to a new report from cybersecurity firm Forescout.

Forescout on Monday published its 2024 Threat Roundup report, which is based on attacks recorded by the company’s honeypots last year, including port scanning, brute force attacks, and attempts to exploit vulnerabilities. 

The report covers attacks on web services and network infrastructure devices, as well as post-exploitation actions, the coverage of CISA’s Known Exploited Vulnerabilities (KEV) catalog, attacks on OT systems and critical infrastructure. It also shares data on malware and the threat actors that launched attacks. 

In terms of OT attacks, the most targeted protocol in 2024 was Modbus, followed by Ethernet/IP, Step7, DNP3, and BACnet. The percentage aimed at Modbus increased from 33% to 40% from 2023 to 2024, and in the case of Ethernet/IP it increased from 19% to 28%. Attacks on DNP3 and Step7 decreased from 18% to 8% for both OT protocols. 

Protocols associated with industrial automation systems continue to be the most targeted, accounting for 79% of attacks (up from 71% in 2023), followed by utilities at 12% (down from 28%) and building automation at 9% (up from 1%).

“The most relevant increase is in the building automation category — especially when we look at the new protocols being attacked,” Forescout said in its report. “Last year, we discussed how attacks on building automation focused on exploiting vulnerabilities rather than interacting directly with protocols. This year, we see that the interest in building automation protocols is increasing as attackers are still exploiting vulnerabilities on those devices.”

Advertisement. Scroll to continue reading.

Save the date: 2025 ICS Cyber Security Conference – October 27-30, Atlanta

Threat actors have plenty of valuable building automation vulnerabilities to pick from when conducting attacks. For instance, a researcher warned recently that a widely used building control product from ABB is impacted by over 1,000 vulnerabilities, including flaws that could expose many facilities to remote hacking.

Overall, Forescout found that 73% of exploited vulnerabilities were not in CISA’s KEV list, up from 65% in 2023. Looking specifically at vulnerabilities affecting OT and industrial IoT products, at least 25 vulnerabilities exploited by botnets and automated attacks were not in the KEV catalog. 

This includes CVEs ranging from 2018 to 2023, affecting products from Apsystems, Carel, Chiyu, Contec, Eaton, Ecoa, Emerson, Endress+Hauser, Frangoteam, Honeywell, KevinLab, Linear, Loytec, OAS, Schneider Electric, Teltonika, Viessman, Wago, and ZKTeco. 

Related: Exploited Building Access System Vulnerability Patched 5 Years After Disclosure

Related: ICS Patch Tuesday: Security Advisories Published by Schneider, Siemens, Phoenix Contact, CISA

Related: Western Security Agencies Share Advice on Selecting OT Products

Related: Rockwell PowerMonitor Vulnerabilities Allow Remote Hacking of Industrial Systems

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.