Building Automation Protocols Increasingly Targeted in OT Attacks: Report

Industrial automation protocols continue to be the most targeted in OT attacks, but building automation systems have been increasingly targeted. 


Industrial automation protocols continue to be the most targeted in attacks aimed at operational technology (OT), but building automation systems have been increasingly targeted, according to a new report from cybersecurity firm Forescout.

Forescout on Monday published its 2024 Threat Roundup report, which is based on attacks recorded by the company’s honeypots last year, including port scanning, brute force attacks, and attempts to exploit vulnerabilities. 

The report covers attacks on web services and network infrastructure devices, post-exploitation actions, the coverage of CISA’s Known Exploited Vulnerabilities (KEV) catalog, and attacks on OT systems and critical infrastructure. It also shares data on malware and the threat actors that launched attacks.

In terms of OT attacks, the most targeted protocol in 2024 was Modbus, followed by Ethernet/IP, Step7, DNP3, and BACnet. The percentage aimed at Modbus increased from 33% to 40% from 2023 to 2024, and in the case of Ethernet/IP it increased from 19% to 28%. Attacks on DNP3 and Step7 decreased from 18% to 8% for both OT protocols. 

Protocols associated with industrial automation systems continue to be the most targeted, accounting for 79% of attacks (up from 71% in 2023), followed by utilities at 12% (down from 28%) and building automation at 9% (up from 1%).

“The most relevant increase is in the building automation category — especially when we look at the new protocols being attacked,” Forescout said in its report. “Last year, we discussed how attacks on building automation focused on exploiting vulnerabilities rather than interacting directly with protocols. This year, we see that the interest in building automation protocols is increasing as attackers are still exploiting vulnerabilities on those devices.”


Threat actors have plenty of valuable building automation vulnerabilities to pick from when conducting attacks. For instance, a researcher warned recently that a widely used building control product from ABB is impacted by over 1,000 vulnerabilities, including flaws that could expose many facilities to remote hacking.

Overall, Forescout found that 73% of exploited vulnerabilities were not in CISA’s KEV list, up from 65% in 2023. Looking specifically at vulnerabilities affecting OT and industrial IoT products, at least 25 vulnerabilities exploited by botnets and automated attacks were not in the KEV catalog. 

This includes CVEs ranging from 2018 to 2023, affecting products from Apsystems, Carel, Chiyu, Contec, Eaton, Ecoa, Emerson, Endress+Hauser, Frangoteam, Honeywell, KevinLab, Linear, Loytec, OAS, Schneider Electric, Teltonika, Viessmann, Wago, and ZKTeco.


Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
