
At Johnson Controls, we transform the environments where people live, work, learn and play. As the global leader in smart, healthy and sustainable buildings, our mission is to reimagine the performance of buildings to serve people, places and the planet. Building on a proud history of 140 years of innovation, we deliver the blueprint of the future for industries such as healthcare, schools, data centers, airports, stadiums, manufacturing and beyond through OpenBlue, our comprehensive digital offering. Today, Johnson Controls offers the world's largest portfolio of building technology and software as well as service solutions from some of the most trusted names in the industry. Visit www.johnsoncontrols.com for more information.

Johnson Controls A.I CyberSecurity Scoring

Company Details

LinkedIn ID: johnson-controls
Employees: 65,242
Number of followers: 1,637,506
NAICS: 3332
Industry Type: Industrial Machinery Manufacturing
Homepage: johnsoncontrols.com
IP Addresses: 168
Company ID: JOH_1596547
Scan Status: Completed

Johnson Controls Risk Score (AI oriented): between 750 and 799
  • Powered by our proprietary A.I. cyber incident model
  • Insurers prefer the TPRM score when calculating premiums

Johnson Controls Global Score (TPRM): XXXX (not displayed)
  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

Johnson Controls Company CyberSecurity News & History

Past Incidents
2
Attack Types
2
johnson-controls
Type: Ransomware
Severity: 75
Impact: 2
Seen: 09/2023
Rankiteo Explanation: Attack limited on finance or reputation

Description: A 'massive ransomware attack' reportedly affected Johnson Controls International, encrypting many company devices, including VMware ESXi servers, and disrupting the business operations of both the parent corporation and its subsidiaries. Johnson Controls develops and produces industrial control systems, security tools, air conditioners and fire safety gear. The incident disrupted some of the company's business operations and was expected to continue doing so; the company was evaluating the incident's potential effect on its ability to deliver its fourth-quarter and full-fiscal-year financial results on schedule.

Johnson Controls
Type: Vulnerability
Severity: 100
Impact: 7
Seen: 6/2025
Rankiteo Explanation: Attack that could injure or kill people

Description: Johnson Controls, a critical infrastructure provider, was cited for exposure of industrial control systems (ICS) left reachable from the internet with default credentials, misconfigurations or known unpatched flaws. The systems in question serve power grids, water treatment plants and manufacturing operations, so an intrusion could have physical consequences: blackouts, chemical contamination (for example tampering with chlorine dosing at a water utility), or operational shutdowns in the energy and healthcare sectors. A 2025 CISA advisory rated the issues high severity and pointed to the missing segmentation, air-gapping and zero-trust controls. The exposure endangered public safety and invited state-sponsored or criminal exploitation; delayed mitigation, regulatory gaps and legacy system dependencies prolonged it. Note that this entry records an exposure (a vulnerability finding), not a confirmed intrusion, and that the underlying Bitsight and Cybersecurity Dive sources describe an industry-wide population of roughly 200,000 internet-exposed ICS devices rather than Johnson Controls' systems alone (see Incident Details below).


Underwriter Stats for Johnson Controls

Incidents vs Industrial Machinery Manufacturing Industry Average (This Year)

Johnson Controls has the same number of incidents this year (0.0% difference) as the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Johnson Controls has 28.21% more incidents than the average of all companies with at least one recorded incident.

Incident Types Johnson Controls vs Industrial Machinery Manufacturing Industry Avg (This Year)

Johnson Controls reported 1 incidents this year: 0 cyber attacks, 0 ransomware, 1 vulnerabilities, 0 data breaches, compared to industry peers with at least 1 incident.

[Chart: Incident History for Johnson Controls (X = date, Y = severity); the detection timeline includes the parent company and its subsidiaries]


Johnson Controls Similar Companies

Parker Hannifin

Parker Hannifin is a Fortune 250 global leader in motion and control technologies. For more than a century the company has been enabling engineering breakthroughs that lead to a better tomorrow. Learn more at www.parker.com or on Twitter @parkerhannifin. Executive Officers: Jennifer A. Parmentier,

Alfa Laval

Pioneering positive impact! Our pioneering 140-year-old start-up culture is built on the idea that partnership is the key to solving complex problems and unlocking the full potential of resources. So we collaborate closely with our partners, customers, and thought leaders to create game-changing so

Bilfinger

Bilfinger is an international industrial services provider. The aim of the Group's activities is to increase the efficiency and sustainability of customers in the process industry and to establish itself as the number one partner in the market for this purpose. Bilfinger’s comprehensive portfolio co

Schindler Group

The Schindler Group is a leading manufacturer and provider of related services for elevators, escalators, and moving walkways. Founded in 1874 in Switzerland, our company is at the forefront of industry innovation, working on pushing the boundaries of technological engineering, while having a stro

GEA Group

GEA is one of the largest technology suppliers for food processing and a wide range of other industries. The global group specializes in machinery, plants, as well as process technology and components. GEA provides resource-efficient solutions for sophisticated production processes in diverse end-u

Xylem

Xylem is the global leader in advanced technologies, solutions and services that address the world’s biggest water challenges. We enable our customers to dramatically improve the way water and wastewater is used, managed, conserved, re-used and returned to nature. At every level, our global team is

Trane Technologies

Trane Technologies is a global climate innovator advancing sustainability through our leading brands Trane® and Thermo King®, which bring efficient and sustainable climate solutions to buildings, homes and transportation across the globe. Together, we are one team innovating for a better future. At

Ingersoll Rand

Ingersoll Rand Inc. (NYSE:IR), driven by an entrepreneurial spirit and ownership mindset, is dedicated to Making Life Better for our employees, customers, shareholders, and planet. Customers lean on us for exceptional performance and durability in mission-critical flow creation and industrial soluti

TK Elevator

Welcome to TK Elevator – Where Ingenuity Elevates Urban Living. Engineering pioneer. Global industry leader. TK Elevator draws on a legacy of firsts – from a groundbreaking vertical conveyor in 1890 – to evolve modern mobility. TKE blends safety, reliability, and innovation to create cutting-edge s


Johnson Controls CyberSecurity News

September 24, 2025 07:00 AM
Johnson Controls appoints Todd Grabowski to lead Americas segment

Seasoned leader brings deep technical and commercial expertise to accelerate company's growth strategy. CORK, Ireland, Sept.

August 20, 2025 07:00 AM
CISA flags escalating ICS security threats as Siemens, Tigo Energy, EG4 vulnerabilities expose critical sectors

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued two new advisories and updated two others,...

August 11, 2025 07:00 AM
ICS systems face elevated cyber risk as CISA issues advisories covering multiple vendor vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week released ten Industrial Control Systems (ICS) advisories,...

August 11, 2025 07:00 AM
Federal cybersecurity agency issues 10 advisories for industrial control systems

The Cybersecurity and Infrastructure Security Agency (CISA) on Aug. 7 issued 10 industrial control systems (ICS) advisories, continuing its...

August 08, 2025 07:00 AM
CISA Issues 10 ICS Advisories Detailing Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has released ten industrial control systems (ICS) advisories on August 7, 2025,...

August 04, 2025 07:00 AM
Johnson Controls International’s AI Strategy: Analysis of JCI’s Dominance in Smart Building Technology AI

Johnson Controls' AI strategy will dominate smart building tech by fusing deep data, OpenBlue platform, and partnerships.

August 01, 2025 07:00 AM
Johnson Controls completes sale of residential and light commercial HVAC business

Transaction accelerates the company's transformation as a pure-play provider of innovative building solutions CORK, Ireland, Aug.

July 18, 2025 07:00 AM
CISA Releases 3 ICS Advisories Covering Vulnerabilities and Exploits

CISA issued three significant Industrial Control Systems (ICS) advisories on July 17, 2025, addressing critical vulnerabilities.

July 09, 2025 07:00 AM
Manufacturing systems at risk as CISA reveals ValveLink vulnerabilities in Emerson equipment

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday disclosed multiple hardware vulnerabilities in Emerson's ValveLink products.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Johnson Controls CyberSecurity History Information

Official Website of Johnson Controls

The official website of Johnson Controls is http://www.johnsoncontrols.com.

Johnson Controls’s AI-Generated Cybersecurity Score

According to Rankiteo, Johnson Controls’s AI-generated cybersecurity score is 778, reflecting their Fair security posture.

How many security badges does Johnson Controls have ?

According to Rankiteo, Johnson Controls currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Johnson Controls have SOC 2 Type 1 certification ?

According to Rankiteo, Johnson Controls is not certified under SOC 2 Type 1.

Does Johnson Controls have SOC 2 Type 2 certification ?

According to Rankiteo, Johnson Controls does not hold a SOC 2 Type 2 certification.

Does Johnson Controls comply with GDPR ?

According to Rankiteo, Johnson Controls is not listed as GDPR compliant.

Does Johnson Controls have PCI DSS certification ?

According to Rankiteo, Johnson Controls does not currently maintain PCI DSS compliance.

Does Johnson Controls comply with HIPAA ?

According to Rankiteo, Johnson Controls is not compliant with HIPAA regulations.

Does Johnson Controls have ISO 27001 certification ?

According to Rankiteo, Johnson Controls is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Johnson Controls

Johnson Controls operates primarily in the Industrial Machinery Manufacturing industry.

Number of Employees at Johnson Controls

Johnson Controls employs approximately 65,242 people worldwide.

Subsidiaries Owned by Johnson Controls

Rankiteo's database presently lists no subsidiaries for Johnson Controls in any sector.

Johnson Controls’s LinkedIn Followers

Johnson Controls’s official LinkedIn profile has approximately 1,637,506 followers.

NAICS Classification of Johnson Controls

Johnson Controls is classified under the NAICS code 3332, which corresponds to Industrial Machinery Manufacturing.

Johnson Controls’s Presence on Crunchbase

Yes, Johnson Controls has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/johnson-controls.

Johnson Controls’s Presence on LinkedIn

Yes, Johnson Controls maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/johnson-controls.

Cybersecurity Incidents Involving Johnson Controls

As of December 14, 2025, Rankiteo reports that Johnson Controls has experienced 2 cybersecurity incidents.

Number of Peer and Competitor Companies

Johnson Controls has an estimated 7,608 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Johnson Controls ?

Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability and Ransomware.

What was the total financial impact of these incidents on Johnson Controls ?

Total Financial Loss: No financial loss has been quantified for these incidents; Rankiteo records the total as $0.

How does Johnson Controls detect and respond to cybersecurity incidents ?

Detection and Response: According to Rankiteo's record, the company detects and responds to cybersecurity incidents through:
  • third-party assistance from Bitsight (cybersecurity firm) and CISA (Cybersecurity and Infrastructure Security Agency);
  • containment measures: comprehensive asset inventories, immediate patching of vulnerabilities, network segmentation;
  • remediation measures: implementation of continuous monitoring, adoption of zero-trust models, air-gapping critical systems;
  • communication strategy: CISA advisories (e.g., the May 2025 alert on Johnson Controls' systems) and industry reports by Bitsight and Cybersecurity Dive;
  • network segmentation, advocated as a key mitigation strategy;
  • enhanced monitoring: organizations with continuous monitoring reduced exposure by up to 40%.

Incident Details

Can you provide details on each incident ?

Incident : Ransomware

Title: Massive Ransomware Attack on Johnson Controls International

Description: A significant ransomware attack affected Johnson Controls International, encrypting many company devices, including VMware ESXi servers. The incident negatively impacted the business operations of both the parent corporation and its subsidiaries.

Type: Ransomware

Motivation: Financial Gain

Incident : Exposure of Critical Infrastructure

Title: Mass Exposure of Industrial Control Systems to the Open Internet

Description: Nearly 200,000 industrial control systems (ICS), critical to power grids, water treatment plants, and manufacturing lines, are exposed to the open internet due to convenience-driven configurations, outdated security practices, and lack of safeguards. These systems, often running legacy software with unpatched vulnerabilities or default credentials, are vulnerable to cyberattacks that could trigger blackouts, chemical spills, or other catastrophic failures. The trend is accelerating due to digital transformation initiatives prioritizing operational efficiency over cybersecurity, with newly deployed systems in sectors like energy, transportation, and healthcare also appearing online without firewalls or encryption. Human error, misconfigurations, and regulatory gaps further exacerbate the issue, while experts advocate for asset inventories, patching, network segmentation, and AI-driven threat detection to mitigate risks.

Type: Exposure of Critical Infrastructure

Attack Vector: Publicly accessible devices; default credentials; unpatched software vulnerabilities; lack of firewalls/encryption

Vulnerability Exploited: Critical CVSS-rated vulnerabilities in legacy and new ICS devices; default passwords; misconfigurations in operational technology (OT) systems

What are the most common types of attacks the company has faced ?

Common Attack Types: Rankiteo lists Ransomware as the most common attack type, although the two recorded incidents are one Ransomware event and one Vulnerability exposure.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through publicly accessible ICS devices, default credentials and unpatched vulnerabilities.

Impact of the Incidents

What was the impact of each incident ?

Incident : Ransomware JOH174511023

Financial Loss: Potential delay in reporting financial results

Systems Affected: VMware ESXi servers; company devices

Downtime: Ongoing disruption of business operations

Operational Impact: Significant

Incident : Exposure of Critical Infrastructure JOH4502045100625

Systems Affected: Industrial Control Systems (ICS); Programmable Logic Controllers (PLCs); water treatment control systems; energy sector devices (oil pipelines, electrical substations); transportation infrastructure; healthcare infrastructure

Operational Impact: Potential blackouts; chemical spills; manipulation of critical processes (e.g., chlorine levels in water treatment); cascading failures in interconnected systems

Brand Reputation Impact: Erosion of public trust in critical infrastructure security; perception of negligence in safeguarding essential services

What is the average financial loss per incident ?

Average Financial Loss: No per-incident loss figure has been quantified; Rankiteo records the average as $0.00.

Which entities were affected by each incident ?

Incident : Ransomware JOH174511023

Entity Name: Johnson Controls International

Entity Type: Corporation

Industry: Industrial Control Systems, Security Tools, Air Conditioners, Fire Safety Gear

Incident : Exposure of Critical Infrastructure JOH4502045100625

Entity Type: Critical Infrastructure Operators, Industrial Facilities, Energy Sector Companies, Water Treatment Plants, Manufacturing Plants, Transportation Systems, Healthcare Infrastructure

Industry: Energy, Water/Wastewater, Manufacturing, Transportation, Healthcare

Location: Global (with specific emphasis on regions undergoing digital transformation)

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Exposure of Critical Infrastructure JOH4502045100625

Third Party Assistance: Bitsight (cybersecurity firm), CISA (Cybersecurity and Infrastructure Security Agency).

Containment Measures: Comprehensive asset inventories; immediate patching of vulnerabilities; network segmentation

Remediation Measures: Implementation of continuous monitoring; adoption of zero-trust models; air-gapping critical systems

Communication Strategy: CISA advisories (e.g., May 2025 alert on Johnson Controls' systems); industry reports by Bitsight and Cybersecurity Dive

Network Segmentation: Advocated as a key mitigation strategy

Enhanced Monitoring: Organizations with continuous monitoring reduced exposure by up to 40%

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Bitsight (cybersecurity firm) and CISA (Cybersecurity and Infrastructure Security Agency).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Ransomware JOH174511023

Data Encryption: True

Incident : Exposure of Critical Infrastructure JOH4502045100625

Data Encryption: Lack of encryption in exposed systems

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: implementation of continuous monitoring, adoption of zero-trust models and air-gapping critical systems.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through comprehensive asset inventories, immediate patching of vulnerabilities and network segmentation.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Ransomware JOH174511023

Data Encryption: True

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Exposure of Critical Infrastructure JOH4502045100625

Regulatory Notifications: CISA advisories (e.g., May 2025 alert on Johnson Controls’ vulnerabilities)

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Exposure of Critical Infrastructure JOH4502045100625

Lessons Learned:
  • Convenience-driven configurations (e.g., remote access) without adequate security expose critical infrastructure to severe risks.
  • Legacy and new ICS devices often lack basic safeguards like firewalls, encryption, or updated credentials.
  • Human error and misconfigurations by IT teams unfamiliar with OT systems are major contributors to exposure.
  • Regulatory gaps and inconsistent enforcement allow vulnerabilities to persist.
  • Digital transformation must prioritize security alongside operational efficiency to avoid amplifying risks.

What recommendations were made to prevent future incidents ?

Incident : Exposure of Critical Infrastructure JOH4502045100625

Recommendations:
  • Conduct comprehensive inventories of all connected ICS/OT assets.
  • Immediately patch known vulnerabilities, especially those with critical CVSS ratings.
  • Implement network segmentation and zero-trust models to limit exposure.
  • Enforce mandatory air-gapping for the most critical systems where feasible.
  • Replace default credentials and enforce strong authentication mechanisms.
  • Adopt continuous monitoring to detect and respond to exposures in real time.
  • Integrate AI-driven threat detection to identify anomalies and potential attacks.
  • Prioritize cybersecurity training for IT and OT teams to address skill gaps.
  • Strengthen regulatory frameworks with mandatory compliance and enforcement mechanisms.
  • Foster a cultural shift to prioritize security over convenience in operational decisions.
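The inventory, default-credential and patching recommendations above can be turned into a repeatable check. The following Python script is an added example written for this page, not code from Rankiteo, Bitsight, CISA or Johnson Controls: it walks a constructed asset inventory, treats any globally routable address with a common ICS protocol port open as a critical exposure, and escalates default-credential and outdated-firmware findings when the device is internet-reachable. The device names, addresses, firmware versions and the "minimum patched version" baseline are invented for illustration; the port-to-protocol table uses the protocols' registered ports.

```python
"""Exposure triage for an ICS/OT asset inventory.

Added example for this page; not code from Rankiteo, Bitsight, CISA or
Johnson Controls. Inventory rows, firmware versions and the patched-version
baseline are constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Registered ports of common ICS/OT protocols. Assumption: none of these should
# be reachable from a globally routable address.
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    open_ports: tuple
    firmware: str              # installed version, e.g. "2.1.0"
    min_patched: str           # lowest version with all known fixes (hypothetical)
    default_credentials: bool  # outcome of a credential audit


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    reason: str


def version_tuple(version):
    """'2.10.1' -> (2, 10, 1), so versions compare numerically rather than as text."""
    return tuple(int(part) for part in version.split("."))


def triage(assets):
    """Evaluate each asset against the recommendations; findings sorted by severity, then asset."""
    findings = []
    for a in assets:
        # is_global is False for RFC 1918, loopback, link-local, shared address
        # space and the documentation ranges, so only truly routable hosts count.
        reachable = ipaddress.ip_address(a.ip).is_global and bool(a.open_ports)
        ics_open = [p for p in a.open_ports if p in ICS_PORTS]

        if reachable and ics_open:
            for port in ics_open:
                findings.append(Finding(
                    a.name, "CRITICAL",
                    f"{ICS_PORTS[port]} (tcp/{port}) reachable from the internet"))
        elif reachable:
            ports = ", ".join(str(p) for p in a.open_ports)
            findings.append(Finding(
                a.name, "MEDIUM",
                f"non-ICS service(s) reachable from the internet: {ports}"))

        if a.default_credentials:
            # On an internet-reachable device this is a direct takeover path;
            # inside a segmented network it still lets an intruder move laterally.
            findings.append(Finding(
                a.name, "CRITICAL" if reachable else "HIGH",
                "default credentials still in use"))

        if version_tuple(a.firmware) < version_tuple(a.min_patched):
            findings.append(Finding(
                a.name, "HIGH" if reachable else "MEDIUM",
                f"firmware {a.firmware} below patched baseline {a.min_patched}"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.asset))


def summarize(findings):
    """Number of findings per severity level."""
    return dict(Counter(f.severity for f in findings))


# Constructed inventory. 1.2.3.4 and 5.6.7.8 stand in for globally routable
# addresses; the 10.x and 192.168.x hosts sit on a segmented OT network.
SAMPLE_INVENTORY = [
    Asset("water-plc-01", "1.2.3.4", (502, 80), "2.1.0", "2.4.0", True),
    Asset("substation-rtu-07", "5.6.7.8", (22,), "4.0.2", "4.0.2", False),
    Asset("hvac-bms-03", "10.20.30.40", (47808,), "1.8", "1.9", True),
    Asset("line-plc-12", "192.168.50.12", (44818,), "3.2.1", "3.2.1", False),
]

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.severity:<8} {f.asset:<18} {f.reason}")
    print(summarize(results))
```

Run it as a script to print the ranked findings, or import triage() and feed it rows from a real inventory export. Assets on private addresses still receive findings for default credentials and outdated firmware, only at a lower severity, which reflects the point made in the recommendations: segmentation limits exposure but does not remove the underlying weakness.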

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are:
- Convenience-driven configurations (e.g., remote access) without adequate security expose critical infrastructure to severe risks.
- Legacy and new ICS devices often lack basic safeguards like firewalls, encryption, or updated credentials.
- Human error and misconfigurations by IT teams unfamiliar with OT systems are major contributors to exposure.
- Regulatory gaps and inconsistent enforcement allow vulnerabilities to persist.
- Digital transformation must prioritize security alongside operational efficiency to avoid amplifying risks.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity:
- Immediately patch known vulnerabilities, especially those with critical CVSS ratings.
- Adopt continuous monitoring to detect and respond to exposures in real time.
- Prioritize cybersecurity training for IT and OT teams to address skill gaps.
- Integrate AI-driven threat detection to identify anomalies and potential attacks.
- Strengthen regulatory frameworks with mandatory compliance and enforcement mechanisms.
- Replace default credentials and enforce strong authentication mechanisms.
- Foster a cultural shift to prioritize security over convenience in operational decisions.
- Implement network segmentation and zero-trust models to limit exposure.
- Enforce mandatory air-gapping for the most critical systems where feasible.
- Conduct comprehensive inventories of all connected ICS/OT assets.

References

Where can I find more information about each incident ?

Incident : Exposure of Critical Infrastructure JOH4502045100625

Source: Bitsight Report on Exposed Industrial Control Systems

Source: Cybersecurity Dive Analysis on Digital Transformation Risks

Source: CISA Advisory (May 2025) on Johnson Controls’ Vulnerabilities

URL: https://www.cisa.gov

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the Bitsight Report on Exposed Industrial Control Systems, the Cybersecurity Dive Analysis on Digital Transformation Risks, and the CISA Advisory (May 2025) on Johnson Controls’ Vulnerabilities (URL: https://www.cisa.gov).

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Exposure of Critical Infrastructure JOH4502045100625

Investigation Status: Ongoing (trend analysis by Bitsight and CISA; no specific incident under investigation)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through CISA advisories (e.g., the May 2025 alert on Johnson Controls’ systems) and industry reports by Bitsight and Cybersecurity Dive.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Exposure of Critical Infrastructure JOH4502045100625

Stakeholder Advisories: CISA alerts, Bitsight reports, and industry analyst warnings on systemic risks.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: CISA alerts, Bitsight reports, and industry analyst warnings on systemic risks.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Exposure of Critical Infrastructure JOH4502045100625

Entry Point: Publicly accessible ICS devices, default credentials, and unpatched vulnerabilities.

High Value Targets: Energy grids, water treatment systems, manufacturing control systems, and transportation infrastructure.

Data Sold on Dark Web: Energy grids, water treatment systems, manufacturing control systems, and transportation infrastructure.

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Exposure of Critical Infrastructure JOH4502045100625

Root Causes:
- Prioritization of operational convenience over security in ICS/OT environments.
- Lack of basic safeguards (firewalls, encryption, updated credentials) in legacy and new systems.
- Human error and misconfigurations due to IT/OT skill gaps.
- Regulatory gaps and inconsistent enforcement of cybersecurity standards.
- Digital transformation initiatives accelerating exposure without adequate security controls.

Corrective Actions:
- Mandate asset inventories and vulnerability assessments for all ICS/OT devices.
- Enforce patch management and configuration hardening for exposed systems.
- Implement network segmentation and zero-trust architectures to limit lateral movement.
- Adopt continuous monitoring and AI-driven anomaly detection.
- Strengthen regulatory oversight with enforceable compliance requirements.
- Invest in cybersecurity training for IT and OT personnel.
- Promote a security-first culture in critical infrastructure operations.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as involving Bitsight (cybersecurity firm) and CISA (Cybersecurity and Infrastructure Security Agency); organizations with continuous monitoring reduced exposure by up to 40%.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis:
- Mandate asset inventories and vulnerability assessments for all ICS/OT devices.
- Enforce patch management and configuration hardening for exposed systems.
- Implement network segmentation and zero-trust architectures to limit lateral movement.
- Adopt continuous monitoring and AI-driven anomaly detection.
- Strengthen regulatory oversight with enforceable compliance requirements.
- Invest in cybersecurity training for IT and OT personnel.
- Promote a security-first culture in critical infrastructure operations.

Additional Questions

Impact of the Incidents

What was the highest financial loss from an incident ?

Highest Financial Loss: The highest financial loss from an incident was a potential delay in reporting financial results.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were VMware ESXi servers, company devices, Industrial Control Systems (ICS), Programmable Logic Controllers (PLCs), water treatment control systems, energy sector devices (oil pipelines, electrical substations), transportation infrastructure, and healthcare infrastructure.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Bitsight (cybersecurity firm) and CISA (Cybersecurity and Infrastructure Security Agency).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were comprehensive asset inventories, immediate patching of vulnerabilities, and network segmentation.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Digital transformation must prioritize security alongside operational efficiency to avoid amplifying risks.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were:
- Immediately patch known vulnerabilities, especially those with critical CVSS ratings.
- Adopt continuous monitoring to detect and respond to exposures in real time.
- Prioritize cybersecurity training for IT and OT teams to address skill gaps.
- Integrate AI-driven threat detection to identify anomalies and potential attacks.
- Strengthen regulatory frameworks with mandatory compliance and enforcement mechanisms.
- Replace default credentials and enforce strong authentication mechanisms.
- Foster a cultural shift to prioritize security over convenience in operational decisions.
- Implement network segmentation and zero-trust models to limit exposure.
- Enforce mandatory air-gapping for the most critical systems where feasible.
- Conduct comprehensive inventories of all connected ICS/OT assets.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident are Cybersecurity Dive Analysis on Digital Transformation Risks, CISA Advisory (May 2025) on Johnson Controls’ Vulnerabilities and Bitsight Report on Exposed Industrial Control Systems.

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.cisa.gov.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (trend analysis by Bitsight and CISA; no specific incident under investigation).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were CISA alerts, Bitsight reports, and industry analyst warnings on systemic risks.


Latest Global CVEs (Not Company-Specific)

Description

A weakness has been identified in itsourcecode Online Pet Shop Management System 1.0. This vulnerability affects unknown code of the file /pet1/addcnp.php. Manipulation of the argument cnpname causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.

Risk Information
cvss2
Base: 7.5
Severity: LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss3
Base: 7.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A security flaw has been discovered in Tenda AX9 22.03.01.46. This affects the function image_check of the component httpd. The manipulation results in use of a weak hash. It is possible to launch the attack remotely, but a high complexity level is associated with this attack and the exploitability is indicated to be difficult. The exploit has been released to the public and may be exploited.

Risk Information
cvss2
Base: 2.6
Severity: HIGH
AV:N/AC:H/Au:N/C:N/I:P/A:N
cvss3
Base: 3.7
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss4
Base: 6.3
Severity: HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A weakness has been identified in code-projects Student File Management System 1.0. This issue affects some unknown processing of the file /admin/update_student.php. Manipulation of the argument stud_id causes SQL injection. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited.

Risk Information
cvss2
Base: 7.5
Severity: LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss3
Base: 7.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A security flaw has been discovered in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/save_user.php. Manipulation of the argument firstname results in SQL injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited.

Risk Information
cvss2
Base: 7.5
Severity: LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss3
Base: 7.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A vulnerability was identified in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php. Manipulation of the argument user_id leads to SQL injection. Remote exploitation is possible. The exploit is publicly available and might be used.

Risk Information
cvss2
Base: 7.5
Severity: LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss3
Base: 7.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=johnson-controls' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.