SecurityWeek

Building Automation Protocols Increasingly Targeted in OT Attacks: Report

Industrial automation protocols continue to be the most targeted in OT attacks, but building automation systems have been increasingly targeted. 

Industrial automation protocols continue to be the most targeted in attacks aimed at operational technology (OT), but building automation systems have been increasingly targeted, according to a new report from cybersecurity firm Forescout.

Forescout on Monday published its 2024 Threat Roundup report, which is based on attacks recorded by the company’s honeypots last year, including port scanning, brute force attacks, and attempts to exploit vulnerabilities. 

The report covers attacks on web services and network infrastructure devices, post-exploitation actions, the coverage of CISA’s Known Exploited Vulnerabilities (KEV) catalog, and attacks on OT systems and critical infrastructure. It also shares data on malware and the threat actors that launched attacks.

In terms of OT attacks, the most targeted protocol in 2024 was Modbus, followed by Ethernet/IP, Step7, DNP3, and BACnet. The percentage of attacks aimed at Modbus increased from 33% to 40% from 2023 to 2024, and in the case of Ethernet/IP it increased from 19% to 28%. Attacks on DNP3 and Step7 decreased from 18% to 8% for both OT protocols.

Protocols associated with industrial automation systems continue to be the most targeted, accounting for 79% of attacks (up from 71% in 2023), followed by utilities at 12% (down from 28%) and building automation at 9% (up from 1%).

“The most relevant increase is in the building automation category — especially when we look at the new protocols being attacked,” Forescout said in its report. “Last year, we discussed how attacks on building automation focused on exploiting vulnerabilities rather than interacting directly with protocols. This year, we see that the interest in building automation protocols is increasing as attackers are still exploiting vulnerabilities on those devices.”

Threat actors have plenty of valuable building automation vulnerabilities to pick from when conducting attacks. For instance, a researcher warned recently that a widely used building control product from ABB is impacted by over 1,000 vulnerabilities, including flaws that could expose many facilities to remote hacking.

Overall, Forescout found that 73% of exploited vulnerabilities were not in CISA’s KEV list, up from 65% in 2023. Looking specifically at vulnerabilities affecting OT and industrial IoT products, at least 25 vulnerabilities exploited by botnets and automated attacks were not in the KEV catalog. 

This includes CVEs ranging from 2018 to 2023, affecting products from Apsystems, Carel, Chiyu, Contec, Eaton, Ecoa, Emerson, Endress+Hauser, Frangoteam, Honeywell, KevinLab, Linear, Loytec, OAS, Schneider Electric, Teltonika, Viessmann, Wago, and ZKTeco.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
