Connect with us

Hi, what are you looking for?



Number of Internet-Exposed ICS Drops Below 100,000: Report

The number of internet-exposed ICS has dropped below 100,000, a significant decrease from the 140,000 in 2019.

The number of internet-exposed industrial control systems (ICS) has continued to decrease over the past years, dropping below 100,000 as of June 2023, according to a report from cybersecurity ratings company Bitsight.

Companies and researchers regularly scan the internet for exposed ICS, and in the past decade they have reported seeing tens of thousands and even millions of systems, depending on their methodology and length of the study.

However, it’s interesting to see year-over-year trends from the same company, which presumably has a consistent methodology. 

Bitsight has been tracking the number of internet-facing ICS, mapping these systems to its inventory of global organizations. It’s worth noting that while the company refers to the identified systems as ICS, they include — based on the targeted protocols — not only systems used in industrial environments, but also IoT, building management and automation devices, and other operational technology (OT). 

The company’s analysis showed that the number of exposed systems has gradually decreased from roughly 140,000 in 2019 to less than 100,000 in June 2023. 

“This is a positive development, suggesting that organizations may be properly configuring, switching to other technologies, or removing previously exposed ICSs from the public internet,” Bitsight noted.

In addition, the number of exposed organizations has dropped from approximately 4,000 to 2,300 over the same period. Entities that still have public-facing systems include organizations across 96 countries, including Fortune 1000 companies.

The top 10 impacted countries are the United States, Canada, Italy, the UK, France, the Netherlands, Germany, Spain, Poland and Sweden.  

The most impacted sectors are education, technology, government, business services, manufacturing, utilities, real estate, energy, tourism, and finance. 

Advertisement. Scroll to continue reading.

In 2023, the most commonly observed protocols were Modbus, KNX, BACnet, Niagara Fox, Siemens’ S7, Ethernet/IP, Lantronix, Automatic Tank Gauge (ATG), Moxa’s NPort, and Codesys.

In the case of the education sector, for instance, the most commonly seen protocols were BACnet, Niagara Fox and Lantronix, which are typically used for building automation and physical security systems. 

“While the aggregate number of exposed ICSs has been trending downward, we detected unique behavior on a protocol-by-protocol basis,” Bitsight explained. “Exposed systems and devices communicating via the Modbus and S7 protocols are more common in June 2023 than before, with the former increasing in prevalence from 2020 and the latter more recently from mid-2022.”

“However, exposed industrial control systems communicating via Niagara Fox have been trending downward since roughly 2021. Organizations should be aware of these changes in prevalence to inform their OT/ICS security strategies. One of the first steps in mitigating OT risk is knowing where the risk is likely to lie,” the company added.

Bitsight also noted that companies should focus on securing specific protocols based on their location. For instance, systems using Codesys, KNX, Nport and S7 protocols are mainly in the European Union, while ATG and BACnet are primarily seen in the United States.

Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 23-26, 2023 | Atlanta

Related: SANS Survey Shows Drop in 2023 ICS/OT Security Budgets

Related: NIST Publishes Final Version of 800-82r3 OT Security Guide

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.