Security Experts:

Connect with us

Hi, what are you looking for?



Study Shows Exposure of Critical Sectors, ICS in U.S.

A study conducted by Trend Micro using the Shodan search engine provides some useful information on the exposure of critical infrastructure and industrial systems in the United States.

A study conducted by Trend Micro using the Shodan search engine provides some useful information on the exposure of critical infrastructure and industrial systems in the United States.

The study, based on a Shodan search performed in February 2016, targeted cyber assets in critical infrastructure and other sectors (e.g. government, emergency, healthcare, utilities, financial services and education), and industrial control systems (ICS), such as the ones used for building automation, manufacturing processes, power generation and traffic system management.

Researchers determined that in the government sector a majority of the exposed cyber assets were firewalls (48%), wireless access points (13%), specialized devices (9%), routers (6%) and other security devices (6%). Several unpatched servers have been found in these organizations, including ones running Apache Tomcat, Microsoft IIS and Apache HTTPD.

The study showed that the number of cyber assets exposed in Washington, DC is smaller than in Lafayette, Louisiana, and Saint Paul, Minnesota.

Lafayette and Houston, Texas, have the highest number of exposed cyber assets associated with emergency services, although only a few hundred were discovered in each of these cities.

Firewalls, printers and routers account for a majority of the exposed devices in the emergency services sector. Trend Micro pointed out that vulnerable servers have not been identified in these organizations.

While the healthcare industry has been increasingly targeted by cybercriminals, the Shodan search showed a relatively small number of exposed assets in this sector, mainly firewalls and other security devices. On the other hand, some vulnerable servers were exposed by these organizations. The highest number of exposed assets were identified in Cambridge and New York City.

When it comes to the utilities sector, Trend Micro has determined that the exposed cyber assets are primarily located in small cities and towns. The largest number of devices, which are mainly wireless access points and firewalls, were discovered in Clarksville, Hopkinsville, Braintree, Ocala and Bismarck.

In the financial sector, New York City has the highest number of exposed assets (nearly 15,000), which is not surprising considering that the city is a global financial center. Firewalls and other security devices account for more than 90 percent of the exposed devices in this sector.

The education sector is by far the most exposed, with tens of thousands of assets in Philadelphia, Seattle, Chicago, Los Angeles, Ann Arbor and Austin.

Exposed ICS devices

Trend Micro’s study also focused on exposed industrial systems. The top four most exposed ICS-specific protocols identified by researchers are MODBUS, BACnet, Ethernet/IP and Tridium’s proprietary Fox protocol.

In the case of MODBUS, a popular application layer protocol used for interacting with programmable logic controllers (PLCs), experts identified tens of instances in Fort Lauderdale, Houston, New York and Princeton. Many of these products were BMX processor modules from Schneider Electric.

Instances of BACnet, which is used for building automation and control, were identified in Houston, Chicago and Miami. A majority of the products come from Tridium and Trane.

PLCs made by Rockwell Automation’s Allen-Bradley accounted for a majority of the systems exposing Ethernet/IP.

During its research, the security firm also identified exposed human-machine interfaces (HMI). These systems had not been compromised, but being accessible from the Internet put them at risk. The exposed HMIs were associated with a milling machine, a roller press, a water treatment plant, a conveyor belt, an air-handling system, and a power converter.

Exposed HMI

Trend Micro has also conducted a separate study focusing on all popular Internet-connected devices in the U.S., including webcams, routers, NAS devices, phones, media players, and web and email servers. The largest number of exposed cyber assets were found in Los Angeles, Houston, Chicago, Dallas, Phoenix, San Jose and New York.

Related: Learn More at the 2017 ICS Cyber Security Conference in Singapore

Correction: *Trend Micro incorrectly referenced Lafayette, Indiana in the report. The correct reference should be Lafayette, Louisiana.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.