447K Write-Capable ICS Devices: What OT Defenders Need to Know

Jeff Gray · July 12, 2026 · 12 min read
Original Research · Cyborama OT Intelligence

Key Finding: Everyone reports "2.5M exposed ICS devices." We filtered the cloud noise. The real number: 447,000 write-capable devices that accept Modbus, S7COMM, and EtherNet/IP commands from the internet. 53% of reported exposure is honeypots and scanners.

What We Found

In July 2026, we analyzed internet-facing industrial control systems across seven ICS protocols using passive Shodan queries. What we found challenges the conventional narrative about OT exposure.

The Numbers

The Cloud Noise Problem

Every security report cites variations of "2.5 million exposed ICS devices." Nobody filters the noise.

We excluded cloud providers (Aliyun, Fly.io, ACEVILLE, Incapsula, M247, Google, Amazon, Azure, DigitalOcean) and found that 53% of reported devices are scanners, honeypots, and test VMs:

This means threat assessments are overstating exposure by 114%. The attack surface is half what's being reported.

Write-Capable vs "Exposed"

Most exposure reports count devices that "respond to queries." We went further: which devices accept write commands?

The 447K Breakdown

S7COMM (139,506 devices):

EtherNet/IP (183,466 devices):

Modbus TCP (~124K devices):

Critical Distinction: These aren't "misconfigured" systems. The protocols have no authentication capability. Modbus TCP, S7COMM, and EtherNet/IP were designed in the 1970s-1990s for air-gapped networks.

What We Found That Nobody Talks About

1. Protocol Siloing

In a 500-IP random sample across all seven protocols, zero IPs run multiple ICS protocols. Each host runs exactly one protocol.

Why this matters: Common threat models assume lateral movement chains (Modbus → DNP3 → S7COMM). Our data shows this doesn't exist in the wild. Attackers must target by protocol. You can't pivot from Modbus to S7 on the same host.

2. DNP3 Is Abnormally Clean

DNP3 has only 38% cloud noise vs 63-77% for IEC 104/S7COMM. This means real utility infrastructure is overrepresented in DNP3 exposure data.

Threat implication: Water/wastewater utilities using DNP3 are more exposed than grid operators using IEC 104. If you're defending water systems, DNP3 monitoring is critical.

3. BACnet Is Invisible

33,948 BACnet devices detected with zero cloud contamination in samples. BACnet controls building automation (HVAC, access control, lighting).

Why this matters: OT security vendors focus on SCADA/grid. Building automation is unmonitored. BACnet is the cleanest target list for ransomware operators pivoting to physical infrastructure.

What OT Defenders Should Do

Immediate Actions (This Week)

1. Audit Your Write-Capable Exposure

# Check if your devices are externally accessible
shodan search "org:\"Your Company\" port:502"  # Modbus
shodan search "org:\"Your Company\" port:102"  # S7COMM
shodan search "org:\"Your Company\" port:44818"  # EtherNet/IP

If you find results, assume write commands are accepted. These protocols have no auth.

2. Segment by Protocol

3. Monitor Write Operations

If you can't air-gap, at minimum log all write commands:

Tools: Zeek with ICS plugins, Nozomi Guardian, Dragos Platform, or open-source ICS parsers.

4. Whitelist Known Controllers

If external access is required (vendor support, remote monitoring):

Methodology & Validation

Data source: Shodan API passive queries, July 2026

Protocols analyzed: Modbus TCP (502), IEC 104 (2404), DNP3 (20000), S7COMM (102), EtherNet/IP (44818), BACnet (47808), Profinet (34962)

Cloud filter: Excluded Aliyun, Fly.io, ACEVILLE, Incapsula, M247, Google, Amazon, Azure, DigitalOcean, OVH, Hetzner, Cloudflare, Rackspace, Tencent

Write-capability determination: Protocol specification analysis + banner confirmation where available

Limitations: Shodan Dev tier returns minimal banner data. Counts are point-in-time (July 2026). Actual exploitation requires additional reconnaissance.


Disclaimer: All data derived from publicly accessible sources. No active scanning performed. No specific targets or companies identified. This research is for defensive purposes only.

← Back to Control Systems Security