While you likely don\u2019t stop to think about water or energy industries when you grab a drink of water or flip on the lights, you would definitely notice if your electricity or water stopped working. You might not know why they stopped working at first, but since critical infrastructure is connected online, then it\u2019s not outside the realm of possibility that hackers remotely caused the outage. In fact, researchers found human machine interface (HMI) systems in thousands of critical water and energy organizations exposed to the internet and just waiting to be exploited; critical functions such as starting or stopping a system can be accessed by anyone, be it nation-state attackers or script kiddies.Based on the 200 percent increase of SCADA-related vulnerabilities published by Trend Micro\u2019s Zero Day Initiative so far this year, there seems to be an increased interest in exploiting critical infrastructure which has been connected to the internet. So, using OSINT, Shodan for scanning and geostalking to map the physical locations to IPs, Trend Micro forward-looking threat researchers started looking into exposed industrial control systems (ICS) across energy and water industries. According to firm\u2019s new report, Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries (pdf):The HMIs we discovered were accessible via unauthenticated [virtual network computing] VNC servers; a potential attacker can interact with these exposed HMIs using a VNC viewer. Alarmingly, many of these exposed HMIs have critical functionalities like start, stop, reset, alarm, parameter changes, and so on, easily accessible by anyone. If an attacker accesses these exposed HMIs, then they can inflict serious system damage or cause failures.As for the energy sector, all exposed oil and gas HMIs covered in the report, except a drilling rig in the Middle East, were in the U.S. Exposed solar, wind, and hydroelectric plant HMIs were in Germany, Spain, Sweden, the Czech Republic, Italy, France, Austria and South Korea. Exposed biogas HMIs were discovered in Germany, France, Italy, and Greece. A hydroelectric plant in Italy was exposed via its security cameras.Vulnerable water utility HMIs from water treatment plants and industrial water facilities were discovered across the globe. Thanks to being exposed to the public internet, hackers could potentially launch attacks to affect the supply of drinking water. For example, the researchers discovered the main HMI controls for one seawater-to-drinking water treatment plant were exposed online as were the controls for a water heating facility.Other potential attacks by remote hackers included DDoS, exploitation of vulnerabilities and lateral movement from the exposed ICS device to the core business network. Unlike the researchers, baddies aren\u2019t going to stop at just observing exposed and vulnerable systems. Trend Micro blogged about some of the real-world and supply chain implications.Potential attackers include nation-state hackers, organized criminal syndicates, cyber-terrorists, competitors, hacktivists, script kiddies and random hackers. Additionally, on underground forums, Trend Micro found threat actors wanting to purchase information about exposed devices and systems as well as ICS\/SCADA credentials. There were also cyber attack requests against competitors and sellers looking to profit on data stolen from industry targets.\u201cCritical infrastructure is a national focal point for cybersecurity \u2013 and for cybercriminals, who can pinpoint and exploit the weakest link in these connected systems,\u201d said Mark Nunnikhoven, vice president of cloud research for Trend Micro. \u201cThat\u2019s troubling, as Trend Micro Research continues to find critical devices, and the networks that they connect to, needlessly exposed. This exposure, combined with the record number of ICS vulnerabilities reported through the Zero Day Initiative this year, highlights a growing risk that extends into each of our communities.\u201dThe new 70-page report includes defense and security strategies to better protect ICSs, supply chains and HMI systems against the risk of attack.