
Before 2010, Industrial Control Systems (ICS) mostly operated within isolated Operational Technology (OT) networks and received little attention from mainstream security communities or vendors. Few vulnerabilities were disclosed during this period. That changed in July 2010 when the Stuxnet worm swept through Iranian nuclear facilities, sparking global interest in ICS security. In the following years, vendors like Siemens saw a surge in CVE disclosures, marking the beginning of accelerated ICS security research. Today, as power systems increasingly connect to the internet, these “never-meant-to-be-online” systems are quietly being exposed to attackers.

In May 2025, India’s power system was hit by a cyberattack known as “Operation Sindoor.” The Indian government later revealed that over 200,000 cyberattacks targeting national power infrastructure were intercepted in that month alone [1]. The incident shook India and served as a warning to the world: power systems have become high-value targets for advanced threat actors, and ICS devices are the weakest link.
Based on data retrieved from the ZoomEye platform on June 23, 2025, researchers identified more than 143,941 devices directly exposed to the public internet across five representative ICS systems commonly used in the power sector. This article presents insights on distribution trends, vulnerability risks, and recommended security practices.
Why Are ICS Devices Clustered Around Certain Countries?
ICS deployments often concentrate in the vendor’s home country or dominant market, driven by supply chain control and localization inertia.
Scan results reveal strong geographical clustering in global ICS deployments. This pattern is closely linked to the vendor’s country of origin and market dominance:
- Siemens SIMATIC WinCC (Germany, Siemens): Germany ranks second globally in deployments;
- Rockwell MicroLogix Series (USA, Rockwell): Most widely deployed in the U.S.;
- Mitsubishi MELSEC Q/iQ-R Series (Japan, Mitsubishi): Japan leads in global deployments;
- Nordex Control (Germany): As a wind power control system, it is mainly deployed in Germany;
- Wind River VxWorks is an exception. This embedded real-time OS is widely integrated into ICS devices. Its deployments are globally dispersed—with China and the U.S. leading—while the top ten countries span Asia, Europe, North and South America, and Africa.
This vendor-country deployment structure implies that a major vulnerability in a given system could lead to regionally concentrated risks, placing disproportionate exposure pressure on the power sectors of certain countries.

Should We Be Worried About Publicly Exposed ICS Devices?
Many ICS systems suffer from legacy vulnerabilities, some with publicly available proof-of-concept (PoC)—public internet exposure significantly increases the threat level.
Research shows that many ICS systems used in the power industry run outdated versions containing high-risk vulnerabilities. Some systems have gone years without updates or hardening.
Key findings include:
- A total of 210 public CVEs across the five systems;
- 37 vulnerabilities with publicly available proof-of-concept (PoC);
- High and critical severity vulnerabilities account for over 60% of all CVEs.
More critically, ICS systems often face “unpatchable” conditions in real-world operations: closed environments, complex approval processes, and high downtime costs. Even when patches exist, timely deployment is difficult.
This persistent unpatched exposure makes internet-facing ICS devices prime targets—especially when known exploits and toolchains exist.

Why Are ICS Devices Exposed on the Public Internet?
ICS platforms were originally designed to operate in isolation, but operational and connectivity needs are pushing them online.
By design, ICS systems are meant to run in isolated OT networks without internet connectivity. However, exposure is becoming increasingly common, due to:
- Centralized, remote operations;
- Demand for third-party monitoring and cloud integration;
- Lack of standardized cybersecurity governance across multi-vendor, multi-protocol environments;
- Blurred administrative boundaries—some systems are directly assigned public IPs, registered with domain names, or issued SSL certificates.
Scan results show that many ICS systems expose common service ports (e.g., 21, 502, 80, 8080) and remain online continuously. These systems are readily indexed by Shodan, ZoomEye, and similar platforms, with minimal obfuscation.
This unintended exposure is gradually eroding the traditional physical boundary between OT and IT environments.
What Should Be Done to Secure Exposed Power ICS Systems?
The power sector must shift from passive hardening to continuous operations—building detection, monitoring, and response capabilities powered by data.
Port blocking and IP blacklisting are no longer sufficient. The industry must adopt a systematic approach to attack surface management and continuous cybersecurity operations:
- Build risk-based asset scanning mechanisms, leveraging platforms like Shodan and ZoomEye;
- Regularly conduct vulnerability scanning and patch tracking to identify critical risks;
- Implement ICS protocol identification and anomaly detection to counter lateral movement and remote hijacking;
- Strengthen access controls through least-privilege principles, 2FA, and access logging;
- Foster vendor collaboration for vulnerability disclosure and response, ensuring end-to-end protection from production to deployment.
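As an added illustration of the protocol identification and anomaly detection recommended above (not code from the original article), the following Python snippet recognises Modbus/TCP, the protocol behind port 502 in the scan results, and flags state-changing write requests that do not come from an engineering allowlist. The captured frames, IP addresses and the allowlist are constructed for the example.

```python
"""Constructed example: identify Modbus/TCP (the protocol behind port 502 in the scan
results) and flag state-changing writes from hosts outside an engineering allowlist.
All frames, IPs and the allowlist are made up; this is not the article's own code."""
import struct

# Modbus function codes that change PLC state; read-only codes (1-4) are excluded
# so that routine HMI/SCADA polling does not generate findings.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
# Hypothetical engineering workstations permitted to issue writes.
ENGINEERING_HOSTS = {"10.10.1.5"}

def parse_mbap(payload: bytes):
    """Return (unit_id, function_code) for a well-formed Modbus/TCP frame, else None.
    MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1)."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Length covers unit id + PDU; any mismatch means this is not Modbus.
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def inspect(src: str, dst_port: int, payload: bytes):
    """Classify one TCP payload sent toward a PLC.
    Returns (src, function_code, reason) or None; function_code is -1 for non-Modbus."""
    parsed = parse_mbap(payload)
    if parsed is None:
        # Non-Modbus bytes on the Modbus port: a probe or a misconfigured device.
        return (src, -1, "non-Modbus traffic on port 502") if dst_port == 502 else None
    _unit, fc = parsed
    if fc in WRITE_CODES and src not in ENGINEERING_HOSTS:
        return (src, fc, f"{WRITE_CODES[fc]} from non-engineering host")
    return None

# Constructed captures: (source IP, destination port, payload).
SAMPLE_CAPTURES = [
    ("10.10.1.5", 502, bytes.fromhex("0001000000060105000aff00")),          # allowed write coil
    ("203.0.113.9", 502, bytes.fromhex("000200000006010600010000")),        # write register
    ("203.0.113.9", 502, bytes.fromhex("00030000000601030000000a")),        # read-only poll
    ("203.0.113.9", 502, bytes.fromhex("000400000009011000000001021234")),  # write multiple
    ("203.0.113.9", 502, b"GET / HTTP/1.1\r\n"),                            # not Modbus
]

def run(captures=SAMPLE_CAPTURES):
    """Return the findings for a batch of captures, in capture order."""
    return [f for f in (inspect(*c) for c in captures) if f is not None]
```

The same structure extends to the other exposed ports the scan lists: identify the protocol from the payload rather than trusting the port number, then alert on operations that change device state from unexpected sources.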
The Security Window for Power ICS Is Rapidly Closing
Scan data shows that a large number of core ICS systems in the global power sector are already exposed to the public internet. The scale of exposure is significant, and the risks are real.
These systems are no longer hidden inside facilities—they are detectable and potentially weaponizable in cyberspace.
From the wake-up call of Stuxnet to real-world incidents like Operation Sindoor, and now with quantifiable scan data, ICS platforms have proven to be among the most fragile components of national critical infrastructure.
The debate over whether these systems should be exposed is already moot.
The question is not whether they’re visible—but whether we’re prepared.
References
[1] India Blocks 200,000 Cyberattacks on Power Grid During “Operation Sindoor”