The following findings are based on our continuous scanning of internet-facing OT assets across critical infrastructure sectors during Q1 2026. All data is aggregated — no individual organizations are identified.
Internet-facing OT devices discovered across monitored protocols
Exposed devices correlated to active threat campaigns
Critical infrastructure sectors with year-over-year exposure increase
Internet-exposed OT services broken down by protocol. Each row includes total exposed devices, quarter-over-quarter trend, top affected sectors, and known threat actors actively targeting that protocol.
| Protocol | Exposed Devices | QoQ Trend | Top Sectors | Active Threat Actors |
|---|---|---|---|---|
| Modbus TCP | Q1 data pending | — | Energy, Manufacturing, Water | CHERNOVITE, ELECTRUM |
| BACnet | Q1 data pending | — | Building Automation, Healthcare | Ransomware groups (lateral) |
| DNP3 | Q1 data pending | — | Energy, Water & Wastewater | KAMACITE, ELECTRUM |
| EtherNet/IP | Q1 data pending | — | Manufacturing, Oil & Gas | CHERNOVITE (PIPEDREAM) |
| S7 (Siemens) | Q1 data pending | — | Manufacturing, Energy | ELECTRUM (Industroyer) |
| OPC UA | Q1 data pending | — | Manufacturing, Energy, Oil & Gas | CHERNOVITE (PIPEDREAM) |
Data collection in progress. Full Q1 2026 figures will be published upon completion of the scanning cycle.
Request a complimentary external exposure assessment. We will show you what threat actors can see from the outside — no agents, no network access, results in under 24 hours.
Continuous attack surface intelligence for IT, OT, and ICS environments — purpose-built for enterprise security teams and critical infrastructure operators.