180,000 ICS/OT Devices and Counting: The Unforgivable Exposure

Written by Pedro Umbelino
Principal Research Scientist

Remember when ICS malware was “rare”? Last year we got two new families built for one thing: disruption. FrostyGoop and Fuxnet are not Mirai with a wrench taped on or your typical DDoS botnet. They were built to target and disable devices that use Meter-bus and Modbus protocols, inflicting maximum damage. If you still believe that “our PLCs aren’t on the Internet,” then this is your nudge to actually go and check.

Exposure was declining, until it wasn’t

Our latest sweep, detailed further in the report The Unforgivable Exposure of ICS/OT, shows that Industrial Control System and Operational Technology (ICS/OT) exposure is climbing again. Fresh installs show up in the wild with plaintext protocols, factory creds, and “segmentation” that exists mostly in architecture diagrams. It is the usual suspects: Modbus, S7, BACnet, KNX, and ATG, to name a few. Old gear that should have retired and new gear that never should have been online. The attack surface is slowly growing and the trend is quite concerning. If nothing changes, we might be looking at 200,000 Internet-exposed ICS/OT devices in less than a year.

[Figure: ICS/OT unique IP monthly count]

Critical infrastructure, critical impact

A large number of these systems are part of our critical infrastructure. Pair that with modern ICS-aware tooling (which is increasingly easy to find), and you get a very efficient path from scan to consequence. Not theoretical. Pumps stall. Lights flicker. Heating goes off. Safety systems go to manual mode at 03:13 in the morning while someone scrambles to find the right cellphone number to ‘call in case of emergency.’

On top of more exposure, another piece of concerning news is that the number of vulnerabilities being found in these types of devices keeps growing, too. CISA keeps track of these and regularly publishes advisories on newly found vulnerabilities that affect industrial control systems. The number of CVEs being attributed is rising almost every year.

[Figure: ICS/OT yearly CVE count]

In fact, at the time of writing this post, there are already 1,850 CVEs from CISA ICS advisories published. (Actually, the correct number is 1,853 since CISA just published 3 more on September 18, straight from Bitsight TRACE.) And the record-breaking year is not over yet; only time will tell how high we reach over the remaining three months of the year …

Also concerning is the fact that, according to CISA, almost 30% of these vulnerabilities have no patch or update available.

[Figure: ICS/OT patch percentage]

Learn more in the full report, The Unforgivable Exposure of ICS/OT, where we break down where exposure is rising, why attribution gets messy, and what will actually bend the curve: kill public access, set sane vendor defaults, make ISPs real partners, monitor continuously.

These systems run more than plants and pumps: they run trust. Let’s stop leaving them one misconfigured router away from a bad day.

Get our full analysis and takeaways, and stay tuned for another update in early 2026 as we continue our watch on all things unforgivable when it comes to ICS/OT.


Research report

12% Rise in Exposed ICS/OT

Bitsight data shows a 12% year-over-year increase across Modbus, BACnet, and more. The report also covers regional hotspots, why devices are exposed, and practical fixes for security teams.