This is third in a series of suggested metrics governments could use to measure OT security posture, incidents, and risk … something desperately needed and consistently avoided.
Metric 1: Impacted People Days
Metric 2: Leading Indicator Metrics
Metric 3: Internet Exposed OT
The US Government publicly states getting OT off the Internet is important; it’s 2.X in the Cybersecurity Performance Goals. They have a program to scan asset owner’s Internet address space. They issued a bulletin on the importance of this just last week. The good news is this metric is readily available from Shodan in a worldwide or by country total.
The chart below shows Internet connected ICS devices in the United State over the last seven years.
Internet Connected ICS Devices In The United States, Source: Shodan
If you dig into Shodan you will find a much larger number of IP addresses with open ICS protocol ports (Modbus TCP/502, EtherNet/IP TCP/44818). Shodan goes through the hard work of eliminating those services that are only listening on these ports or are obvious honeypots.
The good news is the trend line since 2017 is in the right direction with about 50% fewer Internet connected ICS in 2024 (55K in 2017, 27K in 2024). Most of the progress was made in the first half of 2020. It might be worth some research on what was done in those six months that made a difference. Is it worth investing more in what worked if the .gov believes this is an important metric?
The bad news, or at least lack of good news, is there has been little or no progress in reducing United States based Internet connected ICS devices in 2023 and 2024.