670 Unauthenticated VNC Servers Expose PLC-Driven ICS/OT Systems to Critical Risk

The industrial automation sector is facing a stark cybersecurity wake-up call. New research from Forescout has identified 670 internet-facing VNC servers that provide direct, unauthenticated access to industrial control systems (ICS) and operational technology (OT) panels — many of which are PLC-controlled — without requiring any credentials whatsoever.

This finding arrives as the global PLC market is projected to grow from USD 12.9 billion in 2026 to USD 21.8 billion by 2035, driven by Industry 4.0 adoption and smart manufacturing expansion. The convergence of IT and OT networks has created an expanded attack surface that threat actors are already actively exploiting.

📊 Analyst Insight: The industrial automation market is valued at approximately USD 250 billion in 2026. With hundreds of thousands of connected PLCs and controllers in the field, the exposure of even a small fraction of unauthenticated remote access points represents a disproportionate risk to global supply chains and critical infrastructure operations.

The Discovery: 670 Direct Pathways Into Industrial Networks

Forescout's research team identified tens of thousands of exposed RDP and VNC servers that can be mapped to specific industries. After filtering out honeypots and infrastructure providers, the researchers pinpointed 91,000 RDP servers and 29,000 VNC servers tied to operational industries. The most alarming subset: 670 VNC servers offering direct, unauthenticated access to ICS/OT human-machine interfaces (HMIs) and control panels.

These exposed servers effectively hand over the keys to PLC-controlled manufacturing lines, water treatment facilities, energy grids, and building management systems, all without requiring a password.

Who Is Targeting Industrial Control Systems?

The threat is not theoretical. Forescout has documented that Russia-linked hacker groups are actively developing tools to scan for RDP, VNC, and OT-specific protocols. Two groups in particular have been flagged:

Infrastructure Destruction Squad (IDS)

A pro-Russian hacktivist group that has claimed intrusions into ICS environments targeting NATO and EU member states. IDS has openly boasted about capabilities for OT systems, including tools branded as "VoltRuptor" designed to disrupt industrial operations.

Dark Engine

Operating in alignment with IDS, Dark Engine has been scanning for remote access protocols and OT-specific attack surfaces, demonstrating a systematic approach to mapping vulnerable industrial targets.

🔍 Critical Context: The OT-ISAC released an advisory in April 2026 consolidating multiple disclosures affecting PLC ecosystems, including authorization bypass flaws, weak password protections in PLC workflows, and management-plane vulnerabilities across industrial networking products. The convergence of exposed VNC servers with known PLC vulnerabilities creates a dangerous chain of exploitability that adversaries are actively probing.

What This Means for PLC-Controlled Infrastructure

Programmable Logic Controllers form the backbone of modern industrial automation. From automotive assembly lines to pharmaceutical manufacturing and power distribution, PLCs execute the logic that keeps industrial processes running safely and efficiently.

When a VNC server exposes a PLC's HMI panel without authentication, an attacker can:

  • View and manipulate real-time process parameters (temperature, pressure, flow rates)
  • Alter setpoints to cause equipment damage or safety incidents
  • Stop or start production lines remotely
  • Download malicious logic to PLC controllers
  • Use compromised OT endpoints as a pivot point into corporate IT networks

Market Context: Rising Stakes in a Growing Industry

The global PLC market reached USD 11.7 billion in 2025 and is projected to expand at a CAGR of 5.12% through 2031. This growth is paralleled by the broader industrial automation market, expected to hit USD 257 billion in 2026.

As more controllers gain network connectivity for Industry 4.0 and IIoT initiatives, the number of internet-facing OT endpoints will continue to rise — making Forescout's findings a harbinger of what could become a systemic vulnerability across global manufacturing.

📋 Key Market Data Points
  • Global PLC market 2025: USD 11.7 billion
  • Global PLC market 2026: USD 12.9 billion
  • Industrial automation market 2026: ~USD 257 billion
  • Internet-facing RDP servers linked to industry: 91,000
  • Internet-facing VNC servers linked to industry: 29,000
  • Unauthenticated VNC servers exposing ICS/OT: 670

Mitigation Strategies for Industrial Operators

Organizations relying on PLCs and industrial controllers should implement the following measures immediately:

  1. Audit all internet-facing remote access points — Identify and eliminate direct VNC/RDP exposure on OT networks.
  2. Deploy secure gateways — Replace direct VNC access with VPNs, zero-trust network access (ZTNA), or dedicated OT remote access solutions.
  3. Implement network segmentation — Isolate ICS/OT networks from corporate IT and the open internet using firewalls and unidirectional gateways.
  4. Enforce multi-factor authentication — All remote access to industrial control systems must require strong authentication.
  5. Monitor for unauthorized scanning — Deploy OT-specific network detection and response (NDR) tools to identify reconnaissance activity targeting industrial protocols.
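
An added example for measures 1 and 4 (not Forescout's tooling and not code from the original article): classifying the server side of an RFB (VNC) handshake captured from your own HMI, to confirm it does not offer security type 1, "None". The message layout follows RFC 6143; the function names and sample captures are constructed for illustration, and the code assumes the client replied with the version the server announced.

```python
import struct

SEC_NONE = 1  # RFC 6143 security type "None": no credentials requested

def _reason(buf):
    """Decode the U32-length-prefixed reason string sent on refusal."""
    if len(buf) < 4 or len(buf) < 4 + struct.unpack(">I", buf[:4])[0]:
        raise ValueError("truncated refusal reason")
    return buf[4:4 + struct.unpack(">I", buf[:4])[0]].decode("latin-1")

def classify_handshake(version_msg, security_msg):
    """Classify the server side of a captured RFB handshake.

    version_msg: 12-byte ProtocolVersion the server sent first.
    security_msg: bytes the server sent after the client's version reply.
    Assumption: the client replied with the version the server announced.
    """
    if len(version_msg) != 12 or version_msg[:4] != b"RFB " or version_msg[11:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(version_msg[4:7]), int(version_msg[8:11]))
    if version == (3, 3):
        # RFB 3.3: the server decides and sends one type as a U32.
        if len(security_msg) < 4:
            raise ValueError("truncated security type")
        chosen = struct.unpack(">I", security_msg[:4])[0]
        types, rest = ([chosen] if chosen else []), security_msg[4:]
    elif version in ((3, 7), (3, 8)):
        # RFB 3.7/3.8: U8 count, then that many U8 type codes.
        if not security_msg or len(security_msg) < 1 + security_msg[0]:
            raise ValueError("truncated security-type list")
        count = security_msg[0]
        types, rest = list(security_msg[1:1 + count]), security_msg[1 + count:]
    else:
        raise ValueError(f"unhandled RFB version {version}")
    return {"version": version, "types": types,
            "no_auth_offered": SEC_NONE in types,  # the finding to eliminate
            "refused": None if types else _reason(rest)}

# Constructed handshake captures (not taken from any real host).
SAMPLES = {
    "hmi-open": (b"RFB 003.008\n", bytes([2, 1, 2])),
    "hmi-password": (b"RFB 003.008\n", bytes([1, 2])),
    "legacy-open": (b"RFB 003.003\n", struct.pack(">I", 1)),
    "refusing": (b"RFB 003.007\n", b"\x00" + struct.pack(">I", 4) + b"busy"),
}

def audit(samples=SAMPLES):
    """Names of captures whose server offers security type None."""
    return sorted(name for name, (ver, sec) in samples.items()
                  if classify_handshake(ver, sec)["no_auth_offered"])
```

A server that lists type 1 alongside type 2 still counts as a finding, because the client chooses which offered type to use.
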

❓ Frequently Asked Questions

Q: How did Forescout identify these exposed servers?
A: Forescout's Vedere Labs conducted internet-wide scanning to identify RDP and VNC servers, then correlated findings against known industrial protocols and application fingerprints to map servers to specific industries.

Q: Are PLCs inherently insecure?
A: Modern PLCs are designed with operational reliability as the priority. Security vulnerabilities often arise from configuration gaps — such as exposing HMIs directly to the internet without authentication — rather than fundamental design flaws.

Q: What industries are most at risk?
A: Manufacturing, energy, water/wastewater, oil and gas, pharmaceuticals, and transportation are the most impacted sectors due to their reliance on remotely accessible PLC-controlled systems.

Q: Have attacks using these exposures been confirmed?
A: While Forescout has documented active scanning by Russia-linked groups, specific exploitation of these 670 VNC servers has not been publicly confirmed. However, the risk of imminent exploitation remains high given the active threat landscape.

The Bottom Line

The combination of 670 unauthenticated VNC servers exposing ICS/OT panels and active threat actor scanning by Russia-linked groups creates an urgent risk scenario for every organization operating PLC-controlled infrastructure. The industrial automation sector must treat internet-facing remote access as a critical vulnerability — not an operational convenience.

As Forescout's research demonstrates, the pathways into the world's most sensitive industrial networks are often the simplest ones left unlocked.
