447K Write-Capable ICS Devices: What OT Defenders Need to Know
Jeff Gray · July 12, 2026 · 12 min read
Original Research · Cyborama OT Intelligence
What We Found
In July 2026, we analyzed internet-facing industrial control systems across seven ICS protocols using passive Shodan queries. What we found challenges the conventional narrative about OT exposure.
The Numbers
- 2.52M devices on ICS protocol ports (raw Shodan count)
- 1.34M cloud noise filtered (53% of total)
- 1.18M real infrastructure devices
- 447K accept remote write commands (38% of real devices)
The Cloud Noise Problem
Every security report cites variations of "2.5 million exposed ICS devices." Nobody filters the noise.
We excluded cloud providers (Aliyun, Fly.io, ACEVILLE, Incapsula, M247, Google, Amazon, Azure, DigitalOcean) and found that 53% of reported devices are scanners, honeypots, and test VMs:
- IEC 104: 77% cloud noise (601K raw → 139K real)
- S7COMM: 63% cloud noise (379K raw → 140K real)
- Modbus TCP: 49% cloud noise (305K raw → 156K real)
- DNP3: 38% cloud noise (842K raw → 524K real)
This means threat assessments are overstating exposure by 114%. The attack surface is half what's being reported.
Write-Capable vs "Exposed"
Most exposure reports count devices that "respond to queries." We went further: which devices accept write commands?
The 447K Breakdown
S7COMM (139,506 devices):
- Accept PLC logic uploads
- Memory write operations
- Safety setpoint changes
- No authentication required by protocol
EtherNet/IP (183,466 devices):
- CIP tag read/write access
- Process value manipulation
- Actuator control commands
- No built-in auth mechanism
Modbus TCP (~124K devices):
- Function Codes 5/6/15/16 (coil/register writes)
- Direct PLC control
- Zero authentication by design (1979 protocol)
What We Found That Nobody Talks About
1. Protocol Siloing
In a 500-IP random sample across all seven protocols, zero IPs run multiple ICS protocols. Each host runs exactly one protocol.
Why this matters: Common threat models assume lateral movement chains (Modbus → DNP3 → S7COMM). Our data shows this doesn't exist in the wild. Attackers must target by protocol. You can't pivot from Modbus to S7 on the same host.
2. DNP3 Is Abnormally Clean
DNP3 has only 38% cloud noise vs 63-77% for IEC 104/S7COMM. This means real utility infrastructure is overrepresented in DNP3 exposure data.
Threat implication: Water/wastewater utilities using DNP3 are more exposed than grid operators using IEC 104. If you're defending water systems, DNP3 monitoring is critical.
3. BACnet Is Invisible
33,948 BACnet devices detected with zero cloud contamination in samples. BACnet controls building automation (HVAC, access control, lighting).
Why this matters: OT security vendors focus on SCADA/grid. Building automation is unmonitored. BACnet is the cleanest target list for ransomware operators pivoting to physical infrastructure.
What OT Defenders Should Do
Immediate Actions (This Week)
1. Audit Your Write-Capable Exposure
# Check if your devices are externally accessible shodan search "org:\"Your Company\" port:502" # Modbus shodan search "org:\"Your Company\" port:102" # S7COMM shodan search "org:\"Your Company\" port:44818" # EtherNet/IP
If you find results, assume write commands are accepted. These protocols have no auth.
2. Segment by Protocol
- Separate Modbus, DNP3, S7COMM, EtherNet/IP into different VLANs
- Use protocol-aware firewalls (not just port blocks)
- Deploy unidirectional gateways for monitoring-only access
3. Monitor Write Operations
If you can't air-gap, at minimum log all write commands:
- Modbus FC 5, 6, 15, 16 (coil/register writes)
- S7COMM write requests
- CIP Set_Attribute commands
Tools: Zeek with ICS plugins, Nozomi Guardian, Dragos Platform, or open-source ICS parsers.
4. Whitelist Known Controllers
If external access is required (vendor support, remote monitoring):
- Maintain IP allowlist of authorized sources
- Use VPN + multi-factor auth
- Never expose directly to internet
Methodology & Validation
Data source: Shodan API passive queries, July 2026
Protocols analyzed: Modbus TCP (502), IEC 104 (2404), DNP3 (20000), S7COMM (102), EtherNet/IP (44818), BACnet (47808), Profinet (34962)
Cloud filter: Excluded Aliyun, Fly.io, ACEVILLE, Incapsula, M247, Google, Amazon, Azure, DigitalOcean, OVH, Hetzner, Cloudflare, Rackspace, Tencent
Write-capability determination: Protocol specification analysis + banner confirmation where available
Limitations: Shodan Dev tier returns minimal banner data. Counts are point-in-time (July 2026). Actual exploitation requires additional reconnaissance.
Disclaimer: All data derived from publicly accessible sources. No active scanning performed. No specific targets or companies identified. This research is for defensive purposes only.