Live ICS Exposure Index

11,649 industrial control systems are reachable from the public internet

RedEye Security indexed every publicly exposed Modbus, EtherNet/IP, DNP3, BACnet, S7, and Niagara Fox device on the internet. No exploitation. No authentication required to read the device identity. Filtered to drop honeypots, decoys, and tarpits.

  • US exposed: 1,252
  • Worldwide ex-US: 10,397
  • Countries: 150
  • ICS protocols: 6

Source: Shodan passive scan + RedEye CIP/BACnet verification

Browse the data

Four views into the same dataset

Maps show device location. Charts rank by state, country, vendor, and protocol. All read-only. No scan endpoints, no exploitation paths exposed to the public.

Protocol breakdown

11,649 devices across six industrial protocols

  • Modbus (port 502): 674
  • EtherNet/IP (44818): 756
  • DNP3 (20000): 1,051
  • BACnet (47808): 5,164
  • S7/Siemens (102): 1,751
  • Fox/Niagara (1911): 2,253

How we built this

Passive index, active verification, aggressive filtering

  • Passive collection. Shodan's continuous internet-wide crawl indexes every device that responds to its protocol probes. We pull six ICS protocols daily.
  • Active verification. For EtherNet/IP devices, we issue a CIP ListIdentity query (the same unauthenticated query a legitimate HMI would send). If the device responds with vendor, product, firmware, and serial number — it's a real PLC, not a honeypot.
  • Honeypot filtering. Multiple passes: Conpot defaults, Shodan honeyscore ≥0.8, nginx-fingerprinted "PLCs" (decoy pattern), Internet Rimon (Israeli kosher-net SYN-ACK tarpit), CORELINK GLOBAL COMM (fake-Antarctica fleet actually based in Tokyo), and a worldwide BACnet honeypot fleet identified by constant-response signatures across 8 countries.
  • Cellular IP handling. Devices behind cellular modems (LTE/5G) have unreliable geolocation — we flag them as such, but the exposure itself is real regardless of where the dot is drawn.
  • Stacked exposure detection. When a device has both a cellular router admin UI and a port-forwarded ICS port on the same IP, compromising the modem owns the whole LAN. We flag these.
  • Read-only. No commands sent. No writes. No exploitation. Every action would be visible to the device operator if they cared to look.
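
The active verification step above depends on decoding what a CIP ListIdentity reply discloses. The following Python parser is an added example, not RedEye's code: it decodes a captured reply offline and applies the four-field check the list describes. The function names, the way the check is coded, and the sample bytes (built by `build_sample`) are assumptions constructed for illustration.

```python
import struct

# EtherNet/IP encapsulation header (24 bytes, little-endian):
# command, length, session handle, status, sender context, options
ENCAP_HDR = struct.Struct("<HHIIQI")
# CIP Identity fields that follow the 2-byte protocol version and the
# 16-byte socket address: vendor, device type, product code,
# revision major/minor, status word, serial number, product-name length
IDENTITY = struct.Struct("<HHHBBHIB")
LIST_IDENTITY, IDENTITY_ITEM, ID_OFFSET = 0x0063, 0x000C, 18

def parse_list_identity(data: bytes) -> dict:
    """Decode the first identity item of a ListIdentity reply."""
    if len(data) < ENCAP_HDR.size:
        raise ValueError("truncated encapsulation header")
    command, length, _, status, _, _ = ENCAP_HDR.unpack_from(data)
    body = data[ENCAP_HDR.size:ENCAP_HDR.size + length]
    if command != LIST_IDENTITY or status != 0 or len(body) != length or length < 6:
        raise ValueError("not a complete, successful ListIdentity reply")
    count, item_type, item_len = struct.unpack_from("<HHH", body)
    item = body[6:6 + item_len]
    if (count < 1 or item_type != IDENTITY_ITEM or len(item) != item_len
            or item_len < ID_OFFSET + IDENTITY.size):
        raise ValueError("missing or truncated CIP Identity item")
    (vendor, dev_type, product, major, minor,
     _, serial, name_len) = IDENTITY.unpack_from(item, ID_OFFSET)
    name = item[ID_OFFSET + IDENTITY.size:][:name_len]
    if len(name) != name_len:
        raise ValueError("product name runs past the item")
    # "firmware" is the CIP Revision field (major.minor)
    return {"vendor_id": vendor, "device_type": dev_type, "product_code": product,
            "firmware": f"{major}.{minor}", "serial": f"{serial:08x}",
            "product_name": name.decode("latin-1")}

def discloses_full_identity(ident: dict) -> bool:
    """Check from the list above: vendor, product, firmware and serial all present."""
    return bool(ident["vendor_id"] and ident["product_name"].strip()
                and ident["firmware"] != "0.0" and ident["serial"] != "00000000")

def build_sample(name: bytes = b"EXAMPLE-PLC", serial: int = 0x00C0FFEE) -> bytes:
    """Constructed reply: all values invented, address 192.0.2.1 (TEST-NET-1)."""
    item = struct.pack("<H", 1) + struct.pack(">HHI8x", 2, 44818, 0xC0000201)
    item += IDENTITY.pack(0x1234, 14, 55, 3, 7, 0, serial, len(name)) + name + b"\x03"
    body = struct.pack("<HHH", 1, IDENTITY_ITEM, len(item)) + item
    return ENCAP_HDR.pack(LIST_IDENTITY, len(body), 0, 0, 0, 0) + body

if __name__ == "__main__":
    ident = parse_list_identity(build_sample())
    print(ident, discloses_full_identity(ident))
```

Run against a reply captured from your own controller, the output is what any unauthenticated client on the same network path can read from it.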

Is your facility in this dataset?

We do free, no-commitment 30-minute scoping calls for water utilities, manufacturers, and critical infrastructure operators. If you're exposed, we'll tell you exactly which device, on which protocol, on which IP — before anyone else points it out.
