Industrial control systems (ICS) and SCADA (Supervisory Control and Data Acquisition) environments were never designed to be exposed to the internet. Yet, as manufacturing enterprises embrace digital transformation, they find themselves in a challenging position—balancing operational efficiency with cybersecurity risk.
For one Fortune 500 global manufacturer client, this balancing act produced a potentially exploitable exposure. In an effort to modernize its production facilities, the company integrated its SCADA network with cloud-based analytics and remote monitoring solutions. In the process, multiple SCADA endpoints were accidentally left reachable from the public internet. Without strong authentication controls or network segmentation, these systems became attractive targets for attackers (Figure 1).
Figure 1. The ABB SCADA system that was compromised via its cloud-based monitoring solution.
The implications were severe:
- Production Disruptions: Unauthenticated access to SCADA systems meant attackers could potentially manipulate industrial processes, leading to costly downtime.
- Safety Hazards: SCADA systems control physical machinery, meaning an attacker could disrupt factory equipment, harming workers and damaging assets.
- Data Integrity Risks: SCADA systems handle critical telemetry data. Unauthorized access could allow attackers to alter parameters, leading to faulty production output.
- Regulatory and Compliance Violations: Many industries mandate strict cybersecurity controls for ICS/SCADA under standards such as NIST SP 800-82 and IEC 62443. Failure to secure these environments could result in fines and reputational damage.
The Challenge: Blind Spots in Traditional Security Tools
Despite using conventional vulnerability management and network security tools, the aforementioned company remained unaware of these exposures. Why? Because legacy scanners and asset management tools rely on predefined IP ranges and manual inputs—meaning they often miss the unknown or misconfigured assets within sprawling IT and OT environments.
In this case, the SCADA systems were connected via a third-party vendor’s remote access solution, which created an unintended internet-facing exposure. Because the asset was never registered in the company’s inventory, nothing pointed the existing tools at it. This is a textbook example of shadow OT: a growing problem where connected operational technology assets exist outside the security team’s awareness.
The company’s security team had no visibility into this risk because:
- The SCADA systems were not properly inventoried – They weren’t tracked within the organization’s asset management system.
- The third-party solution created an unintended exposure – The remote access tool likely had insecure default settings, lacked strict access controls, or wasn’t properly configured to restrict external communication.
- Legacy security tools rely on predefined IP ranges – Traditional scanners and asset management platforms depend on manually inputted asset lists, so if the security team didn’t know these SCADA endpoints were internet-facing, they wouldn’t have been scanned or monitored.
The Solution: External Exposure Management
To avoid shadow OT problems, manufacturers need to implement what’s called external exposure management. In short, this is the process of taking the attacker’s view from the outside and managing risk based on the accessibility and attractiveness of exposed assets.
In this case, CyCognito’s external attack surface management (EASM) platform detected and flagged the internet-exposed SCADA endpoints before any known security incident occurred.
Here’s how CyCognito helped remediate the issue:
- Automated Asset Discovery Beyond Known Ranges: Unlike traditional scanners, CyCognito doesn’t rely on predefined IP ranges. Instead, it autonomously maps an organization’s entire external attack surface, identifying internet-facing assets—including shadow IT and OT—without requiring any prior knowledge from the security team.
- High-Precision Attribution: Using advanced AI-driven reconnaissance, CyCognito accurately attributed the exposed SCADA endpoints to the correct business unit and flagged them as high-risk operational assets requiring immediate remediation.
- Risk-Based Prioritization: Not all exposures are equal. Instead of overwhelming the security team with thousands of alerts, CyCognito focused on what truly matters—vulnerabilities that are both exploitable and business-critical. In this case, the exposed SCADA systems were ranked as top-priority threats due to their direct impact on production and safety.
- Guided Remediation with Ownership Assignment: One of the biggest challenges in large enterprises is ensuring security teams, IT teams, and OT engineers collaborate effectively. CyCognito not only provided detailed remediation guidance, but also automatically assigned ownership to the relevant stakeholders within the organization, ensuring swift resolution.
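To make the blind spot and the remediation steps concrete, here is an added illustration (not CyCognito’s code and not the manufacturer’s data) of the reconciliation an exposure-management process performs: each externally discovered asset is checked against the predefined IP ranges a legacy scanner would have covered, anything outside the inventory that also speaks an OT protocol is escalated, and an accountable owner is attached. All addresses, service labels, business units and owners below are constructed sample values.

```python
import ipaddress

# Constructed inventory: the only ranges the legacy scanner was ever pointed at.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

# Constructed discovery feed, as an outside-in mapping of the attack surface
# might report it: address, observed service label, attributed business unit.
DISCOVERED = [
    {"ip": "203.0.113.10", "service": "https", "unit": "corporate-web"},
    {"ip": "198.51.100.200", "service": "modbus/502", "unit": "plant-east"},
    {"ip": "192.0.2.44", "service": "ssh", "unit": "dev"},
]

# Assumed labels an attribution step might use to recognise OT protocols.
OT_SERVICES = {"modbus/502", "s7comm/102", "dnp3/20000"}
# Assumed routing table from business unit to accountable team.
OWNERS = {"plant-east": "ot-engineering", "dev": "it-security"}
RANK = {"critical": 0, "high": 1, "low": 2}


def in_known_ranges(ip):
    """True if the legacy inventory would have covered this address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def triage(discovered=DISCOVERED):
    """Flag assets outside the inventory (shadow IT/OT), rank internet-facing
    OT highest, and attach an owner so each finding has an accountable team."""
    findings = []
    for asset in discovered:
        shadow = not in_known_ranges(asset["ip"])
        is_ot = asset["service"] in OT_SERVICES
        if shadow and is_ot:
            priority = "critical"  # unknown to the security team AND controls machinery
        elif shadow or is_ot:
            priority = "high"
        else:
            priority = "low"
        findings.append({
            "ip": asset["ip"],
            "shadow": shadow,
            "priority": priority,
            "owner": OWNERS.get(asset["unit"], "unassigned: attribution needed"),
        })
    return sorted(findings, key=lambda f: RANK[f["priority"]])


if __name__ == "__main__":
    for f in triage():
        print(f"{f['priority']:8} {f['ip']:16} shadow={f['shadow']} owner={f['owner']}")
```

The vendor remote-access host on 198.51.100.200 sits just outside the inventoried /25, so a range-driven scanner never sees it, while the reconciliation ranks it first and routes it to OT engineering.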
Lessons Learned: Securing Manufacturing in the Digital Era
This incident underscores a critical reality for manufacturers—security gaps often emerge at the intersection of IT and OT environments. As companies accelerate digital transformation initiatives, they must:
- Adopt a Continuous External Exposure Management Strategy: Periodic security scans aren’t enough. Attack surfaces are dynamic, and new exposures emerge constantly.
- Gain Full Visibility Across IT, OT, and Third-Party Networks: Every connection—including third-party integrations—must be continuously monitored for security risks.
- Implement Risk-Based Security Testing: Not all vulnerabilities pose the same level of risk. Security teams must prioritize remediating the most exploitable and business-critical exposures first.
- Automate Asset Attribution and Ownership Assignment: Security is a cross-functional effort. Organizations must ensure that vulnerabilities are properly assigned to accountable teams for remediation.
Final Thought: Take Control Before Attackers Do
For this Fortune 500 manufacturer, CyCognito provided the critical visibility and remediation guidance needed to avert a potential cyber incident. But this is just one case among many. Every manufacturing company must ask itself: Do we know what’s truly exposed? And if not, who else does?
Discover and secure your attack surface today. Contact CyCognito to learn how we can help eliminate blind spots before attackers exploit them.