Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Number of industrial control systems on the internet is lower then in 2020...but still far from zero SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Number of industrial control systems on the internet is lower then in 2020...but still far from zero

With the recent ransomware attack that impacted operation of one of the major US pipelines[1], I thought it might be a good time to revisit the old topic of internet-connected industrial systems. Since operational technologies are generally used to support/control processes that directly impact the physical world, the danger of successful attacks on them should be self-evident, as should the need to protect them.

While it is true that not all ICS, Industrial IoT devices and other similar systems are made equal, since some of them support highly critical processes, while others only control minor functions such as central heating in private residences, compromise of any of them would certainly not be desirable. One would therefore hope that - if nothing else - most such systems would not be directly accessible from the internet, especially since they are usually controlled with the help of specialized industrial protocols, that lack any kind of inbuilt security controls or even authentication and authorization checks.

As you have probably guessed, however, the number of internet-connected industrial systems is unfortunately much higher than one might wish.

Since (especially) many of the Industrial IoT devices are controlled only through web interfaces, it would be difficult to count all such systems on the internet. We may, however, at least look at the number of the public IPs where devices that communicate using different industrial protocols recognized by Shodan and Censys are/were accessible.


At the time of writing, Shodan detects approximately 80.8k public IP addresses where some sort of industrial system is accessible[2], while Censys sees about 74.2k such IPs[3]. Although this is hardly a “good” result, the numbers are significantly lower then they were 12 months ago, as the following chart based on data collected from Shodan using TriOp[4] shows.

While the overall situation seems to be slowly getting better, it is still far from ideal.

Although it would probably be too optimistic to expect it to improve significantly in the near future, perhaps the attention that the recent attacks on the pipeline and a water treatment plant in Florida[5] have gotten will have some positive effect in this area, as it may provide an impulse for organizations to at least check whether some their public IPs don’t allow direct access to their critical OT systems to anyone connected to the internet. Since such a check could be as simple as an nmap scan of relevant public IP ranges, it wouldn’t necessarily even cost that much in terms of time.

We can, however, only hope...


Jan Kopriva
Alef Nula


55 Posts
ISC Handler
May 12th 2021
This should be far better by now, obviously the industry has been largely ignoring the advice of the InfoSec community for decades. I remember Eric Cole and others speaking about this in 2003 when I took the GSEC class and exam and was working on my masters in Information Assurance. Here we are nearly 2 decades later and while improving, I'd be willing to bet the current numbers of internet connected SCADA systems still far exceed the numbers from 2003. Of course Ransomware is a newer development but the threat of systems shutdown or damage is the same. Other examples of industrial attacks include nation state attacks such as Stuxnet.

These events were not unforeseen, just ignored. It may be time for legislature to mandate controls on critical infrastructure as the industry seems slow to respond to the threat.

Sign Up for Free or Log In to start participating in the conversation!