Everyone reports "2.5M exposed ICS devices." We filtered the cloud noise. 53% are honeypots and scanners. The real number: 447,000 write-capable devices that accept Modbus, S7COMM, and CIP commands from the internet. We're the first to count what actually matters.
We find the one thing everyone else missed
Not "devices that respond." Devices that accept commands. Modbus Function Codes 5/6/15/16. S7COMM write operations. CIP tag manipulation. We counted remote control capability, not generic "exposure."
53% of reported ICS devices are Aliyun scanners, Fly.io test VMs, and Incapsula honeypots. IEC 104: 77% noise. S7COMM: 63% noise. We filter cloud providers and report real infrastructure.
Zero IPs run multiple ICS protocols. Perfect isolation. This invalidates common lateral movement assumptions. We found patterns Dragos, Nozomi, and Claroty don't discuss.
State actors targeting write-capable infrastructure
What we found that nobody else published
First comprehensive analysis filtering cloud honeypots from ICS exposure data. 53% of reported devices are scanners. Real attack surface: 1.176M, not 2.5M.
Threat actors compromise OT forums and vendor portals to target engineers. Pattern analysis reveals watering hole risks. Defensive measures for industrial defenders.
Documented case of ransomware run entirely by AI agent. No human operator. Implications for OT environments and critical infrastructure defense.