
The Unforgivable Exposure of ICS/OT: Why 2025 May Be the Tipping Point

  • Writer: Joseph Assaf Turner
  • 2 days ago
  • 4 min read

A 2025 BitSight report reveals more than 180,000 ICS/OT devices exposed online - fuel systems, smart buildings, power plants - many with CVSS 10 vulnerabilities. Here’s what that means for critical infrastructure security, and why urgent action is no longer optional.


The Wake-Up Call Nobody Wanted

One misconfigured router shouldn’t be all that stands between a power plant and disaster. Yet in 2025, that’s exactly what’s happening.

BitSight’s September 2025 TRACE report, The Unforgivable Exposure of ICS/OT, dropped a hard truth: after years of slow progress, internet-exposed industrial systems are climbing again. By the end of 2024, scans found over 180,000 unique ICS/OT endpoints online every month, up from 160,000 at the year’s start. At the current rate, exposure will cross 200,000 by the end of this year.

This isn’t legacy clutter. These are new deployments going live on the public internet, often using insecure protocols, weak authentication, or no segmentation at all.

That’s unforgivable. And that’s the phrase BitSight chose deliberately.


The Numbers Behind the Noise

  • Global surge: 12% increase in exposed ICS/OT devices during 2024.

  • Protocol-agnostic: Modbus, KNX, BACnet, S7, EtherNet/IP, ATG, OPC UA - all showing growth.

  • Geographic hotspots:

    • United States leads in absolute exposure: 80,000 devices. Top sectors include manufacturing, utilities, smart buildings (Niagara FOX, BACnet), and fuel infrastructure via ATG.

    • Italy, Spain, Germany show some of the highest exposure density per company.

    • France, by comparison, shows far lower ratios - evidence that culture, integrator practices, and regulation matter more than GDP.

  • Sector examples: Thousands of ATG systems in US fuel stations, many with no authentication, still online.


Why It Matters: From Exposure to Exploitation

Exposing OT isn’t like exposing an email server. These systems run fuel pumps, water treatment plants, HVAC systems, and power grids. An adversary doesn’t need to exfiltrate data to cause chaos - they can change setpoints, cut off access, or damage equipment.

BitSight highlights multiple CVEs with CVSS 10.0 severity, including trivial exploit paths. DHS CISA’s Known Exploited Vulnerabilities (KEV) catalog now lists dozens of ICS-specific vulnerabilities, almost all critical.

This isn’t hypothetical. 2024 and 2025 already brought two new ICS-specific malware families:

  • FrostyGoop, which directly abuses Modbus TCP and caused heating outages across Ukraine (Dragos, Wired, SANS reporting).

  • Fuxnet, linked to operations against Moscow infrastructure, purpose-built for ICS environments.

Exposure is measurable. Exploitation is documented. Risk is no longer theoretical.


The TTPs Adversaries Keep Reusing

From the BitSight data and public incident reports, the same techniques appear again and again:

  1. Edge exploitation – Router or remote-access VPN compromise, then pivot into OT.

  2. Protocol abuse – Direct writes via Modbus, BACnet, S7 when services are reachable.

  3. Default creds on web consoles – Niagara FOX, building automation HMIs.

  4. Rapid CVE weaponization – CISA advisories show adversaries operationalizing new ICS flaws in days, not months.

  5. Integrator pathways – Vendor remote access boxes left exposed, sometimes controlling entire fleets.


Who’s Really at Fault?

BitSight doesn’t pull punches:

  • Vendors still ship products with insecure defaults - plaintext protocols, no segmentation, no access controls.

  • Integrators too often configure remote management with public reachability.

  • ISPs unknowingly host exposed OT endpoints. BitSight calls them “invisible enablers” and urges proactive detection and remediation partnerships.


Blame is shared. But the fix is possible.

Solutions: From Secure by Design to Secure in Practice

BitSight aligns with CISA’s Secure by Design and OT Cybersecurity Principles. The roadmap is clear:

  • Vendors: stop shipping insecure defaults, phase out legacy protocols, provide hardening guides.

  • Integrators: inventory devices, remove internet exposure, segment aggressively, build incident playbooks.

  • Operators: monitor continuously, deploy protocol security (CIP Security, Secure S7, OPC UA Security), run exercises.

  • ISPs: treat exposed ICS/OT as a critical abuse category, detect unsafe deployments, notify owners.

  • Policymakers: regulate exposure as a public safety issue and incentivize secure design.
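As an added example of the "inventory devices, remove internet exposure" and "monitor continuously" items above (this is not code from the BitSight report or from this post), the following Python script reads firewall flow records and flags accepted connections from outside the site's own address ranges to the default ports of the ICS/OT protocols the report names. The flow-log line format, the internal ranges in INTERNAL_NETS and the sample lines in SAMPLE_FLOWS are constructed for this example; the port-to-protocol map uses each protocol's well-known default port, so adjust it if your integrators moved services elsewhere.

```python
import ipaddress
from typing import NamedTuple

# Well-known default ports for the protocols the report lists. Assumption: the
# fleet uses these defaults; add entries for any non-standard port assignments.
ICS_PORTS = {
    ("tcp", 502): "Modbus TCP",
    ("tcp", 102): "Siemens S7 (ISO-TSAP)",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 4840): "OPC UA",
    ("tcp", 1911): "Niagara FOX",
    ("tcp", 10001): "ATG (tank gauge)",
    ("udp", 47808): "BACnet/IP",
    ("udp", 3671): "KNXnet/IP",
}

# Constructed assumption: these are the only address ranges that legitimately
# belong to the plant network. Anything else is treated as external, which is
# the right posture for OT (RFC 5737 documentation ranges are used below as
# stand-ins for public sources, so a plain is_global test would not work here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed flow records in the shape: <ts> <fw> <ACTION> <proto> <src:port> -> <dst:port>
SAMPLE_FLOWS = """\
2025-09-12T10:01:03Z fw01 ACCEPT tcp 203.0.113.45:51234 -> 10.20.30.5:502
2025-09-12T10:01:07Z fw01 ACCEPT tcp 10.20.10.15:40012 -> 10.20.30.5:502
2025-09-12T10:01:09Z fw01 ACCEPT udp 198.51.100.7:47808 -> 10.20.31.8:47808
2025-09-12T10:01:11Z fw01 DROP tcp 192.0.2.99:60001 -> 10.20.30.9:102
2025-09-12T10:01:12Z fw01 ACCEPT tcp 203.0.113.45:51240 -> 10.20.30.5:443
2025-09-12T10:01:15Z fw01 ACCEPT tcp 198.51.100.22:3322 -> 10.20.32.4:10001
"""


class Finding(NamedTuple):
    ts: str
    src: str
    dst: str
    proto: str
    port: int
    service: str


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the plant's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Split one flow record into its fields; destination port is returned as int."""
    ts, _fw, action, proto, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto.lower(),
            "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}


def find_exposed(log_text: str) -> list:
    """Return every ACCEPTed flow from an external source to an ICS/OT service port.

    Dropped flows are ignored: they show scanning interest, not exposure.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        service = ICS_PORTS.get((rec["proto"], rec["dport"]))
        if service is None or rec["action"] != "ACCEPT" or is_internal(rec["src"]):
            continue
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                rec["proto"], rec["dport"], service))
    return findings


def exposure_summary(findings: list) -> dict:
    """Map (destination, service) to the number of distinct external sources seen."""
    sources = {}
    for f in findings:
        sources.setdefault((f.dst, f.service), set()).add(f.src)
    return {key: len(srcs) for key, srcs in sources.items()}


if __name__ == "__main__":
    hits = find_exposed(SAMPLE_FLOWS)
    for f in hits:
        print(f"{f.ts} EXPOSED {f.service:<22} {f.dst}:{f.port} reachable from {f.src}")
    for (dst, service), n in exposure_summary(hits).items():
        print(f"summary: {dst} ({service}) -> {n} external source(s)")
```

Each flagged destination is an endpoint that belongs on the remediation list: either the public rule is removed at the edge or the device is moved behind a jump host. Feeding the script real export data from the perimeter firewall, rather than the constructed lines, turns it into a daily exposure check.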



FAQs

Q: How many ICS/OT devices are exposed online in 2025?
A: Over 180,000 unique endpoints monthly, projected to surpass 200,000 by year-end.

Q: Which protocols are most exposed?
A: Modbus, BACnet, KNX, S7, EtherNet/IP, ATG, OPC UA - all showed growth.

Q: Which countries are most exposed?
A: US leads in absolute numbers (80,000), followed by Italy, Spain, and Germany. France shows lower ratios.

Q: Why is ICS/OT exposure dangerous?
A: Because attackers can directly manipulate physical processes - fuel, water, electricity - leading to outages, safety risks, or environmental damage.


What Maya Security Brings to the Table

At Maya Security, we translate exposure data into action plans:

  1. Rapid Exposure Elimination – Kill public ICS ports within 48 hours.

  2. Protocol Hardening – Deploy CIP Security, Secure S7, OPC UA Security.

  3. Advisory Pipeline – Map every CISA ICS advisory to your fleet and close gaps on SLA.

  4. Zero-Trust Remote Access – Vendor jump hosts, time-boxed sessions, session recording.

  5. Board-Grade Reporting – Metrics tailored to MoE, IEC 62443, NIS2, NERC CIP frameworks.


👉 Contact Maya Security for a resilience assessment.

👉 Engage with us for regulatory compliance and OT security programs.

👉 Join our leadership roundtables shaping the future of critical infrastructure security.


Closing Thought

BitSight’s report uses the phrase "unforgivable exposure". That’s not hyperbole. Every month, the attack surface grows. Every month, new advisories land. Every month, adversaries sharpen their tools.

The exposure problem is measurable, avoidable, and solvable. But only if boards, regulators, vendors, ISPs, and operators stop accepting insecurity as a default state.

These are not just control systems. They are the systems that control trust, safety, and continuity.

And they should never be just one misconfigured router away from compromise.


Viral Moments

  • “ICS exposure isn’t an IT problem - it’s a public safety issue.”

  • “One insecure tank gauge can cut off fuel access for an entire city.”

  • “Legacy protocols + modern exposure = unforgivable risk.”

200,000 control systems are drifting onto the internet in 2025. Most were never designed to be there.