Malware affecting industrial control systems (ICS) has the potential to disrupt key industries underpinning modern society, warned a report released Wednesday by the cybersecurity research website Comparitech.

Internet-exposed ICS devices are a primary target for threat actors, particularly those running legacy protocols such as Modbus, according to researcher Justin Schamotta.

Schamotta identified 179 internet-exposed ICS devices in his report. “One ICS device we identified as being part of a national railway network,” he wrote. “Railways use ICS devices to help with everything from train routing to signaling. The exposure of such devices could present a serious operational and safety risk.”

“Two other devices (one in Asia and one in Europe) formed part of their respective country’s national power grid infrastructure,” he added. “In the energy supply sector, ICS devices can be used to monitor consumption and control electrical distribution.”

Schamotta noted that the United States had the most exposed industrial control devices, 57, followed by Sweden with 22 and Turkey with 19.

“Malware can cripple ICS systems and make them unusable, often until a ransom is paid,” said Comparitech Consumer Privacy Advocate Paul Bischoff.

“These systems are used in critical infrastructure and manufacturing, so attacking them can have serious consequences for the people and companies that rely on them,” he told TechNewsWorld. “Power plants, water treatment facilities, health care, traffic control, and factories are among those that could be targeted.”

Attack Fallout Spreads Quickly

“ICS malware crosses the cyber-physical divide and causes real-world kinetic damage,” observed Shujaatali Badami, a quantum-IoT research engineer in Chicago.

He cited the January 2024 attack in the Ukrainian city of Lviv, in which malware called FrostyGoop sent Modbus commands to heating controllers, cutting heat to some 600 apartment buildings during sub-zero temperatures. “We are tracking 26 OT threat groups and over 11 ICS-specific malware families now,” he told TechNewsWorld. “This is not theoretical anymore.”

“ICS environments run the physical processes behind water treatment, power generation, oil and gas pipelines, and manufacturing lines,” explained Michael Bell, CEO of Suzu Labs, in Las Vegas, a provider of AI-powered cybersecurity services.

“When an attacker gets into an IT network, you lose data,” he told TechNewsWorld. “When they get into an OT network, you lose the ability to control physical systems that keep people alive and economies running.”

Attacks on ICS environments can also have a large “blast radius.”

“The industrial sector’s reliance on highly interconnected supply chains significantly amplifies the impact of attacks,” explained Floris Dankaart, lead product manager for managed extended detection and response at the NCC Group, a global cybersecurity consultancy.

“A single successful compromise can cascade across suppliers, logistics providers, and downstream partners, magnifying disruption well beyond the initial target organization,” he told TechNewsWorld. “This interconnectedness continues to make the industrial sector an attractive target for threat actors seeking to maximize scale and impact.”

ICS Vulnerabilities Surge

The Comparitech report also cited recent research by Cyble Research & Intelligence Labs, which revealed that ICS vulnerability disclosures almost doubled between 2024 and 2025.

“ICS systems were originally designed to perform specific operational functions in isolated environments,” explained Shaila Rana, a senior member of the IEEE, a global technical professional organization.

“Security was not a primary consideration because these systems were never meant to be internet-accessible,” she told TechNewsWorld. “They were meant to be used by humans and other machines.”

Rana noted that over time, the push toward remote monitoring and Industry 4.0 connectivity eliminated that isolation, and these systems were suddenly exposed to a threat landscape they were never built to handle. “This IT/OT convergence has dramatically expanded the attack surface,” she said.

“At the same time, the security research community has been paying closer attention to OT environments. More researchers looking means more vulnerabilities being found and disclosed,” she continued. “The combination of inherently insecure legacy systems and increased scrutiny is what is driving that sharp rise in disclosures.”

Part of the increase in vulnerability disclosures is the sheer volume of newly connected targets, added Joshua Marpet, a senior product security consultant at Columbus, Ohio-based Finite State, which automates security compliance and analysis for connected device manufacturers.

“Just as IoT devices — like drones, Nest thermostats, and smart fridges — started getting connected to the internet, the same happened in the industrial world,” he told TechNewsWorld. “Operational Technology and ICS/SCADA devices were connected for remote monitoring, management, and control. With internet connectivity comes the ability for a malicious actor to see and attack those devices. So, just as some fridges got hacked, so did some factories.”

Legacy Protocol Risks

Given that the global industrial automation and control systems market is currently valued at US$226.76 billion and is projected to grow to $504.38 billion by 2033, the number of connected industrial devices is rapidly increasing, the Comparitech report noted.

This expansion presents a significant cybersecurity challenge: every newly networked device introduces potential attack surfaces that must be protected, it continued. Without proper safeguards such as firewalls, VPNs, network segmentation, and secure authentication, internet-exposed ICS devices make easy targets.

From an attacker’s perspective, devices running protocols like Modbus, DNP3, or BACnet are particularly vulnerable because they were designed for closed networks and often lack built-in authentication or encryption, it added. These devices could be exploited by attackers with limited technical expertise if exposed directly to the internet. This is particularly concerning given the critical role of some ICS devices in economic activity and essential infrastructure.
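To make the "no built-in authentication" point concrete from a defender's side, here is an added Python example (not code from the Comparitech report or any source quoted in this article) that decodes a Modbus/TCP request and flags state-changing function codes arriving from hosts outside a hypothetical engineering subnet; the allowlist, addresses and sample frames are all constructed for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change process state (coil/register writes),
# taken from the public Modbus application protocol specification.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Hypothetical allowlist: only the engineering workstation subnet may write.
TRUSTED_WRITERS = [ip_network("10.10.5.0/24")]


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # MBAP length counts the unit id and everything after it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def classify(src_ip: str, frame: bytes) -> str:
    """Label a request seen on the OT segment; writes need a trusted source."""
    req = parse_modbus_tcp(frame)
    func = req["function"]
    src = ip_address(src_ip)
    if func in WRITE_FUNCTIONS:
        if any(src in net for net in TRUSTED_WRITERS):
            return f"ok: {WRITE_FUNCTIONS[func]} from trusted host {src_ip}"
        return f"ALERT: {WRITE_FUNCTIONS[func]} from untrusted host {src_ip}"
    if func in READ_FUNCTIONS:
        return f"info: {READ_FUNCTIONS[func]}"
    return f"warn: unexpected function code {func}"


# Constructed samples: tid 1, Write Single Register (6) to unit 1, addr 0x0010;
# tid 2, Read Holding Registers (3) from unit 1, addr 0, quantity 10.
SAMPLE_WRITE = bytes.fromhex("000100000006010600100000")
SAMPLE_READ = bytes.fromhex("00020000000601030000000A")

if __name__ == "__main__":
    print(classify("203.0.113.7", SAMPLE_WRITE))
    print(classify("10.10.5.21", SAMPLE_WRITE))
    print(classify("203.0.113.7", SAMPLE_READ))
```

The same function-code check is what a passive OT monitor applies to mirrored traffic; because the protocol itself carries no credentials, the source address and network placement are the only things a defender can police.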

ICS security can’t be treated like traditional IT security, argued Dale Hoak, CISO of RegScale, a compliance automation software company in McLean, Va. “You can’t just patch everything,” he told TechNewsWorld. “Downtime isn’t acceptable, and safety and availability often outweigh confidentiality.”

“If I had to summarize it simply,” he added, “you don’t secure ICS by chasing threats. You secure it by continuously understanding and controlling the environment.”

Will Thomas, a senior threat intelligence advisor for Team Cymru, a threat intelligence company in Lake Mary, Fla., asserted that this is the “Era of Adoption” for ICS malware, meaning sophisticated digital weapons are now routinely used by nation-state intelligence services rather than remaining experimental concepts.

“Adversaries are increasingly using Operational Relay Box networks to mask their origins and are utilizing ‘living off the land’ tactics to evade detection once inside a network,” he said. “To survive this highly capable threat landscape, organizations must recognize that legacy ICS devices should never be directly connected to the public internet.”

Perils of Longevity

One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices, noted Tim Mackey, head of software supply chain risk strategy at Black Duck Software, an applications security company in Burlington, Mass.

“Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle,” he told TechNewsWorld. “In effect, legacy best practices may not be up to the task of mitigating current threats, or worse, those that might be deployed in the coming years.”

“Since attackers know that critical infrastructure providers are measured in their up-time or service availability, once a device is compromised, attackers know that they have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic,” he said.

“One important point is that malware is only part of the story,” added Rosario Mastrogiacomo, chief strategy officer of Sphere Technology Solutions, a data governance software and services company in Hoboken, N.J.

“Some of the most serious OT and ICS intrusions still begin with basic issues, such as default credentials, weak remote access, poor segmentation, and insufficient visibility into exposed assets,” he told TechNewsWorld.

“NIST has warned that as OT adopts standard IT connectivity and remote access, it loses isolation and becomes more exposed, while CISA has emphasized even unsophisticated methods can work against poorly secured OT environments,” he said.

“For many operators, the biggest gains still come from fundamentals — reducing internet exposure, hardening remote access, segmenting OT from IT, knowing what assets exist, and preparing for degraded or manual operations before an incident occurs.”
