BREAKING

2.78 Million Industrial Control Systems Exposed to Internet

Real Shodan Data (July 12, 2026)

New research reveals 2.52 million industrial control systems (ICS) directly accessible from the public internet. This includes critical infrastructure controlling power grids, water treatment, manufacturing, and building automation worldwide.

Exposed Devices by Protocol:

  • 843,231 electrical substation controllers (DNP3 protocol)
  • 601,483 power grid SCADA systems (IEC 60870-5-104)
  • 376,981 Siemens PLCs (S7COMM protocol)
  • 363,029 Rockwell/Allen-Bradley controllers (EtherNet/IP)
  • 303,231 Modbus industrial devices
  • 293,100 building automation systems (Niagara Fox)

This data is FREE. Commercial vendors like Dragos, Nozomi, and Claroty charge $50,000-$500,000/year for similar threat intelligence.

Why This Matters for Critical Infrastructure Security

Industrial control systems were designed decades ago with the assumption of network isolation ("air gap"). Today, remote monitoring, cloud analytics, and IT/OT convergence have eliminated that protection.

The result: Millions of devices controlling power grids, water treatment, manufacturing, and building automation are now directly accessible to attackers worldwide.

Attack Surface by Sector:

  • Energy & Utilities: DNP3 and IEC 104 protocols control substation breakers, protection relays, and grid automation. Remote manipulation could trigger cascading power failures.
  • Manufacturing: Siemens S7 PLCs and Rockwell controllers manage production lines, safety systems, and quality control. Compromise could halt operations or damage equipment.
  • Water/Wastewater: Modbus devices control chemical dosing, pressure systems, and filtration. Attackers could manipulate water chemistry or disable treatment.
  • Building Automation: Niagara Fox systems manage HVAC, lighting, and physical access control in offices, hospitals, and data centers.

Immediate Actions for Asset Owners

1. Discover Your Exposed Assets (Today)

Use Shodan or Censys to search for your organization's internet-facing ICS devices:

shodan search "org:YOUR_ORG_NAME port:502"  # Modbus
shodan search "org:YOUR_ORG_NAME port:102"  # S7COMM
shodan search "org:YOUR_ORG_NAME port:44818" # EtherNet/IP

2. Implement Network Controls (This Week)

  • IP whitelisting: Only allow known engineering workstations
  • VPN requirement: No direct internet access
  • Firewall rules: Default deny inbound
  • Change default credentials: On every device, immediately

3. Long-Term Hardening

  • Unidirectional gateways: Data out only, nothing in
  • Network segmentation: Isolate OT from IT networks
  • Continuous monitoring: Protocol-level anomaly detection
  • Red team assessments: Test your defenses regularly

Get Tailored OT Threat Intelligence

Stop drowning in generic threat feeds. Track only the ICS vendors and protocols YOU actually use.

Professional

$149/month

Track 10 ICS components
Weekly briefings
CVE alerts within 24 hours

Enterprise

$499/month

Unlimited components
Daily updates
API access

View Full Pricing →

About This Research

Data Source: Shodan API query executed July 12, 2026 at 00:49 UTC

Methodology: Port-based protocol detection across 6 major ICS protocols (DNP3 port 20000, IEC 104 port 2404, S7COMM port 102, EtherNet/IP port 44818, Modbus port 502, Niagara Fox port 1911)

Limitations: Counts include research systems, honeypots, and cloud-hosted emulators (estimated 5-10% of total)

Ethical Disclosure: No active exploitation, no unauthorized access. Publicly available reconnaissance only.

Author: Jeff Gray, Cyborama LLC
Contact: contact@cyborama.com
Website: https://controlsystemssecurity.com