Exposed ICS/OT Devices Under Nation-State Threat: Key Findings from Team Cymru’s Research Team Cymru’s latest research reveals alarming vulnerabilities in industrial control systems (ICS) and operational technology (OT) environments, highlighting how exposed devices remain prime targets for hostile nation-state actors. The report examines three case studies demonstrating the persistent risks to critical infrastructure, driven by poor security practices and active exploitation campaigns. ### Case Study 1: Destructive Attack on Polish Power Grid In December 2025, the Russian-linked Dragonfly group targeted Poland’s power grid by exploiting Hitachi RTU560 remote terminal units critical for electrical grid stability. Attackers leveraged default credentials on internet-exposed web interfaces, a common but preventable weakness. Once inside, they deployed a "hard brick" attack, uploading corrupted firmware that forced devices into an infinite reboot loop, rendering them inoperable. While the immediate impact was limited to communication disruptions, the attack demonstrated how basic access vectors could escalate into broader infrastructure degradation. ### Case Study 2: Moxa NPort Devices Compromised via Default Credentials The same Dragonfly campaign also targeted Moxa NPort devices, which bridge legacy serial equipment with modern IP networks. Despite supporting secure protocols like TLS and SSH, many devices remained vulnerable due to unrotated factory-default logins. Attackers gained administrative access, reset devices to factory settings, and reconfigured IP addresses to 127.0.0.1, effectively cutting them off from the network. Recovery required manual intervention, causing prolonged operational downtime. ### Case Study 3: Rockwell Automation Vulnerabilities Enable Remote Exploitation In July 2023, Rockwell Automation and CISA disclosed critical vulnerabilities (CVE-2023-3595, CVE-2023-3596) in Allen-Bradley ControlLogix communication modules. These flaws, attributed to a nation-state actor, allowed remote code execution via maliciously crafted Common Industrial Protocol (CIP) messages. Security firm Dragos compared the threat to TRISIS/TRITON-level attacks, noting that compromised modules could manipulate process data, maintain persistence, and evade detection potentially leading to catastrophic failures without operator awareness. ### Exposure Landscape: Key Statistics Team Cymru’s data reveals a troubling concentration of exposed devices: - Rockwell Automation dominates with 68.1% (6,653 unique IPs) of detected targets, reflecting its widespread use in North American and global industrial automation. - Moxa accounts for 15.7% (1,532 IPs), with attackers leveraging its networking equipment to pivot deeper into OT networks. - Other major vendors include Siemens (7.3%), Schneider Electric (4.5%), Hitachi Energy (4.2%), and Mitsubishi Electric (0.1%), all critical to European and Asian infrastructure. Geographically, the U.S. leads with 45.4% of exposed devices (1,269 IPs), a concern given Dragonfly and Volt Typhoon’s history of pre-positioning in critical sectors. Russia (4.3%), Ukraine (3.0%), and Taiwan (2.6%) also rank high, reflecting ongoing cyber warfare and geopolitical tensions. ### Broader Implications The research underscores a critical gap in ICS/OT security: thousands of devices remain internet-exposed despite best practices advising against direct public access. The persistence of default credentials, unpatched vulnerabilities, and nation-state reconnaissance efforts signals an urgent need for improved IT/OT convergence and proactive threat mitigation. Without intervention, these exposures risk enabling disruptive or destructive attacks on essential services.