ICS and Iran: Exposure of Previously Targeted Devices
ID: 46391576-655f-5198-9f0b-7588940b86ed
STIX ID: report--46391576-655f-5198-9f0b-7588940b86ed
Feed Name: Censys Blog
Executive Summary: The report examines Internet exposure trends from January to June 2025 for four ICS/building-automation systems (Unitronics Vision PLC/HMIs, Orpak SiteOmat, Red Lion devices, and Tridium Niagara), finding overall exposure increases of 4.5%–9.2% for most systems (Tridium having the largest absolute counts) while Orpak decreased. It highlights prior compromises or claimed attacks by Iranian-aligned actors (e.g., CyberAv3ngers) and known malware (IOCONTROL), emphasizes the continued prevalence of default credentials and consumer/mobile ISP hosting for ICS devices, and urges operators and manufacturers to remove Internet-facing interfaces and eliminate default passwords.
