SecurityScorecard researchers used Driftnet’s internet-scale discovery capabilities to analyze the network footprint of a small U.S. municipal utility provider that also operates as the town’s internet service provider (ISP). The investigation identified widespread exposure across internet-facing systems, including vulnerable surveillance equipment, exposed Industrial Control Systems (ICS), weak encryption configurations, and End-of-Life (EoL) Windows devices.
The utility provider operates its own Autonomous System (AS), meaning internet connectivity and critical infrastructure services exist within the same broader operational environment. This convergence creates a concentrated point of failure where disruption to one service can affect others across the community.
Over a six-month period, Driftnet identified 1,498 services across 692 IP addresses. Of those, 446 IPs (64%) exhibited at least one technical issue that increased exposure risk. SecurityScorecard’s Driftnet engine identifies 150% more internet-facing services than previous scanning methodologies, uncovering exposures traditional approaches miss. Findings included:
- 30 instances of Dahua and Hikvision surveillance equipment across the entire footprint of the utility's AS. Banned internet protocol (IP) cameras could enable Man-in-the-Middle (MitM) attacks, Distributed Denial of Service (DDoS) attacks, malware-based campaigns, and more.
- Exposed ICS, SCADA, and OT-related services directly reachable from the internet. At least three /24 clusters host ICS or IoT services and consumer devices on the same broadcast domain.
- Weak or misconfigured encryption across 382 IP addresses, in addition to cleartext FTP and HTTP and unrecognized Certificate Authorities.
- EoL Windows hosts reachable via Server Message Block (SMB) and NetBIOS, a relic from the past that rarely appears outside of OT environments.
- 25 Known Exploited Vulnerabilities (KEVs) identified across internet-facing services.
- Convergence of a utility and ISP creates a single point of failure. Power delivery and internet reside on the same AS, so an incident affecting one impacts the other.
The research also identified multiple network segments where consumer-grade devices, surveillance systems, and ICS-related technologies operated within the same local network environment. This lack of segmentation increases the likelihood that compromise of a lower-security system could enable lateral movement toward operational infrastructure.
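As an added illustration of how the headline figures (IPs with at least one issue) and the segmentation finding above can be derived from a discovered-service inventory, here is example code written for this page, not Driftnet's or SecurityScorecard's; the inventory rows, device classes and issue labels are constructed:

```python
"""Summarise a service inventory: exposure percentage, per-issue IP counts,
and /24 subnets where ICS/OT services share a broadcast domain with
lower-trust device classes (cameras, consumer gear)."""
import ipaddress
from collections import defaultdict

# Constructed sample inventory, not real findings:
# (ip, port, service, device_class, issues)
SAMPLE_SERVICES = [
    ("203.0.113.10", 502, "modbus", "ics", ["ics_exposed"]),
    ("203.0.113.11", 80, "http", "consumer", ["cleartext"]),
    ("203.0.113.12", 554, "rtsp", "camera", ["banned_vendor"]),
    ("203.0.113.12", 443, "https", "camera", ["weak_tls"]),
    ("203.0.113.20", 445, "smb", "consumer", ["eol_windows"]),
    ("203.0.113.30", 22, "ssh", "server", []),
    ("198.51.100.5", 443, "https", "server", []),
    ("198.51.100.6", 21, "ftp", "server", ["cleartext"]),
    ("198.51.100.7", 20000, "dnp3", "ics", ["ics_exposed"]),
    ("192.0.2.40", 80, "http", "consumer", []),
]


def exposure_summary(services):
    """Return (services, unique IPs, IPs with >=1 issue, percent flagged)."""
    ips = {row[0] for row in services}
    flagged = {row[0] for row in services if row[4]}
    pct = round(100 * len(flagged) / len(ips)) if ips else 0
    return len(services), len(ips), len(flagged), pct


def issue_tally(services):
    """Count distinct IPs per issue label (one IP with two flags counts once each)."""
    per_issue = defaultdict(set)
    for ip, *_rest, issues in services:
        for issue in issues:
            per_issue[issue].add(ip)
    return {issue: len(ips) for issue, ips in per_issue.items()}


def mixed_subnets(services, low_trust=("camera", "consumer")):
    """Return /24s where an ICS service shares the subnet with low-trust device classes."""
    classes_by_net = defaultdict(set)
    for ip, _port, _svc, device_class, _issues in services:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        classes_by_net[str(net)].add(device_class)
    return sorted(net for net, classes in classes_by_net.items()
                  if "ics" in classes and classes & set(low_trust))


if __name__ == "__main__":
    print("summary:", exposure_summary(SAMPLE_SERVICES))
    print("issues:", issue_tally(SAMPLE_SERVICES))
    print("mixed /24s:", mixed_subnets(SAMPLE_SERVICES))
```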
To understand the full scope of the findings, download the full report today to see how Driftnet delivers the visibility organizations need to move from reactive security to continuous, threat-informed defense.