Malicious actors could cause serious damage to organizations in the energy and water sectors by targeting their human-machine interfaces (HMIs), according to a report released by Trend Micro on Tuesday.
The security firm’s researchers have used the Shodan search engine and other sources to find Internet-exposed industrial control systems (ICS), particularly HMIs. They showed how attackers could find the physical location of energy and water companies using public sources, and then map the locations to IP addresses through geolocation services such as Maxmind.
Experts noted that while these geolocation services are not very accurate, they do provide a list of possible IP addresses, which the attacker can validate using Shodan or port scans.
They discovered tens of devices used by oil and gas, power systems, water utility, and biogas organizations located in Europe, the United States and other parts of the world. Researchers found that in many cases the HMIs were accessible via unauthenticated VNC servers, allowing potential attackers to interact with their interface using VNC viewer applications.
The number of exposed devices was relatively small and all systems were housed by small and medium-size companies. However, researchers warn that these smaller companies can have a significant impact on the security posture of large corporations as they are often part of the supply chain.
Learn More About Exposed ICS at SecurityWeek’s ICS Cyber Security Conference
Many of the identified HMIs included critical functionality, including for alarms, changing parameters, and starting or stopping processes. If malicious hackers gain access to these systems, they could easily cause failures or inflict significant damage.
For example, one of the exposed HMIs was used by a water treatment plant. An attack on the facility via the exposed system could lead to drinking water shortages or a public health crisis caused by waterborne diseases, Trend Micro said.
Another exposed HMI belonged to an oil and gas company. An attacker with access to this device could shut down oil and gas wells, potentially causing a state-level or national shortage, the security firm warned.
Similarly damaging attacks could also be launched against solar farms, power plants, and hydroelectric facilities controlled and monitored using the HMIs identified by researchers.
In addition to hijacking the HMI and conducting various activities via its interface, experts warned that malicious actors could launch distributed denial-of-service (DDoS) attacks that cause disruptions to critical processes and result in serious material damage, exploit vulnerabilities in the HMI systems themselves, and abuse them for lateral movement within the targeted organization’s network.
Trend Micro researchers did not expect to find too many individuals interested in industrial systems on underground cybercrime forums, as these types of campaigns are typically the work of state-sponsored groups. However, they were surprised to see that there are some threat actors looking to acquire credentials for ICS/SCADA systems. Experts also found requests to disrupt the industrial systems of competitors, and opportunistic sellers trying to monetize data stolen from industrial facilities.
“While the number of exposed energy and water devices/systems that we discovered was relatively small, it is still a cause for concern because these systems should not be exposed online in the first place,” Trend Micro said in its report. “The good news is that we didn’t find exposed assets from the well-known big corporations and/or state owned entities that operate CI. The exposed assets that we found were mostly owned/operated by small companies. However attackers are not bound by the same restrictions that researchers are bound by — so this does not mean larger companies are necessarily fully secure. The bad news is that smaller companies frequently are part of the supply chain that feeds resources to big corporations; thus, a cyberattack against a small company can indirectly affect bigger corporations.”
Related: Plaintext Passwords Often Put Industrial Systems at Risk
Related: Oil and Gas Industry Increasingly Hit by Cyber-Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
