Critical infrastructure powers the systems we rely on every day — electricity, clean water, transportation. But what happens when these systems are exposed to the internet, left vulnerable to remote attacks? As a new Censys report reveals, this is the growing reality, with 145,000 industrial control systems (ICS) exposed, including thousands of unsecured human-machine interfaces (HMIs).

These findings highlight a growing problem: internet-exposed HMIs, designed to make critical systems manageable, are becoming prime targets for attackers. Often unprotected, these interfaces give malicious actors direct access to operations making the implications profound — not just for cybersecurity professionals, but for society at large. 

What the Censys Report Tells Us

The Censys report uncovers significant exposure: 

  • Thousands of HMIs exposed online: These systems are often accessible without authentication, making them easy entry points for attackers.
  • Direct access to ICS environments: By exploiting HMIs, attackers can bypass ICS protocols entirely and potentially manipulate critical systems. 
  • Concentration of exposure: North America accounts for 38% of global ICS exposures, with the U.S. hosting over one-third of these systems. 

Real-world examples in the report, such as attacks in Pennsylvania and Texas, illustrate how attackers used exposed HMIs to manipulate water systems. These cases didn’t require advanced ICS expertise — just access to an insecure HMI. 

Why This Matters

For years, ICS security has focused on protecting specialized protocols like Modbus and DNP3. But the Censys report highlights the growing risk posed by low-hanging fruit like HMIs and remote access points, which attackers can exploit to bypass more complex systems entirely. 

What Makes HMIs So Risky? 

  1. Ease of Access: HMIs are often misconfigured, left exposed, and lack even basic authentication.
  1. Direct Operational Control: Unlike protocols that require expertise to exploit, HMIs provide a user-friendly interface to manage critical systems — making them an ideal target. 
  1. Rapid Targeting by Attackers: Exposed HMIs are frequently scanned and probed within moments of discovery, potentially making them highly vulnerable. 

GreyNoise’s Findings on HMI Exposure

During the Summer of 2024, GreyNoise set up sensors emulating internet-connected HMIs to understand the attack traffic they receive. The results reinforce the urgency of securing these systems: 

  • Rapid Targeting: Internet-connected HMIs were probed and scanned more quickly than baseline control sensors. Over 30% of IPs that touched the HMIs before a typical GreyNoise sensor were later identified as malicious. 
  • Focus on Remote Access: Contrary to expectations, attackers primarily targeted common Remote Access Service (RAS) protocols rather than ICS-specific communication protocols. Virtual Network Computing (VNC) was of particular interest to threat actors. 

These findings align with the Censys report, demonstrating that HMIs and remote access points are critical insecurities that need immediate attention

What Defenders Can Do Now

The Censys report and GreyNoise findings are clear: defending ICS environments requires a shift in focus. Here are key steps to take:

  1. Identify and Secure Exposed Systems: Conduct a thorough inventory of all internet-facing systems, especially HMIs, and remove unnecessary exposure. 
  1. Strengthen Access Controls: Implement strong authentication, network segmentation, and VPNs to prevent unauthorized access to HMIs and remote access points. 
  1. Monitor for Reconnaissance: Attackers often scan systems before exploitation. Monitoring this activity can provide early warning signs and help prioritize defenses. 
  1. Focus on Practical Solutions: While protecting ICS protocols is still important, prioritize low-complexity entry points like HMIs and RAS that attackers are actively targeting. 

Acting on the Wake-Up Call

The exposures highlighted in the Censys report aren’t a technical problem — they’re societal. Critical infrastructure is the backbone of our modern world, and the risks posed by exposed systems are too great to ignore. The time to act is now: secure the basics, monitor for threats with real-time intelligence, and close the gaps attackers are exploiting.

GreyNoise’s Commitment to ICS/OT

GreyNoise is dedicated to expanding our visibility into ICS/OT environments by growing our fleet of sensors and profiles. As we enhance our coverage in 2025, we aim to provide even deeper insights to help defenders stay ahead of emerging threats. Contact us to learn more.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account