There is a common assumption among water utility operators that their control systems are not on the internet. The SCADA server is in the plant. The PLCs are in the field cabinets. The HMI is on a desktop in the control room. None of it was deliberately connected to the public internet. So it must not be visible. That assumption is wrong more often than it is right.
The public internet is continuously scanned by automated infrastructure that indexes every device responding on every routable IP address. When an industrial controller, a SCADA gateway, or a VPN concentrator responds to a network request, that response is recorded, indexed, and made searchable. The device's manufacturer, model, firmware version, and open services become part of a publicly available dataset. This happens whether or not the device operator knows about it. And it happens every day.
How OT equipment ends up on the internet
The most common path is cellular SCADA gateways. Utilities deploy cellular modems at remote sites, lift stations, pump houses, and water towers to provide remote monitoring and telemetry. These devices, from manufacturers such as Sierra Wireless, Digi International, and Cradlepoint, come with a public IP address assigned by the cellular carrier. Unless the utility has explicitly configured a VPN or private APN, the device is directly reachable from the internet.
Many of these gateways are configured to pass traffic through to the control equipment behind them. A cellular modem at a lift station may forward Modbus/TCP traffic on port 502 directly to the PLC. The result is a PLC that is not physically plugged into the internet but is functionally reachable from anywhere in the world through the cellular gateway.
The second common path is misconfigured firewalls. A utility installs a firewall between its IT network and its OT network. The integrator configures a rule to allow remote access for programming and troubleshooting. That rule allows inbound traffic on port 44818 (EtherNet/IP) or port 502 (Modbus/TCP) from "any" source instead of a specific IP address. The firewall is in place. The rule is permissive. The control equipment is exposed.
The third path is VPN concentrators and remote access servers with known vulnerabilities. Utilities deploy VPN appliances to provide secure remote access to their OT networks. But VPN appliances themselves are internet-facing devices with their own attack surface. If the VPN appliance is running outdated firmware with known vulnerabilities, it becomes the entry point. Multiple CISA advisories have documented active exploitation of VPN appliances from Fortinet, Pulse Secure, and Cisco specifically targeting critical infrastructure networks.
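As an added illustration of the permissive rule described above (example code written for this article, not anything from Sentinel OT or from a real firewall product), the audit below walks a constructed rule set in a simplified, vendor-neutral format and flags allow-inbound rules on the industrial ports named here whose source is "any" or a network far wider than a single remote-access host. The rule names, addresses and the /24 threshold are assumptions.

```python
import ipaddress

# Industrial protocol ports named in the article
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3",
             44818: "EtherNet/IP", 47808: "BACnet"}

# An inbound source wider than this prefix is treated as "effectively any" (assumed threshold)
MAX_SOURCE_PREFIX = 24

# Constructed sample rule set in a simplified, vendor-neutral shape
# (action, direction, source CIDR or "any", destination port).
SAMPLE_RULES = [
    {"name": "integrator-remote-access", "action": "allow", "direction": "in", "src": "any", "dport": 44818},
    {"name": "corporate-poll", "action": "allow", "direction": "in", "src": "10.0.0.0/8", "dport": 502},
    {"name": "vendor-jump-host", "action": "allow", "direction": "in", "src": "203.0.113.10/32", "dport": 502},
    {"name": "it-web", "action": "allow", "direction": "in", "src": "any", "dport": 443},
    {"name": "default-deny", "action": "deny", "direction": "in", "src": "any", "dport": None},
]


def source_prefix(src):
    """Prefix length of a rule's source network; 0 means the whole IPv4 space."""
    if src in ("any", "0.0.0.0/0"):
        return 0
    return ipaddress.ip_network(src, strict=False).prefixlen


def find_exposed_ics_rules(rules, max_prefix=MAX_SOURCE_PREFIX):
    """Return allow-inbound rules on ICS ports whose source is the entire
    internet or a network wider than max_prefix (the "any" mistake above)."""
    findings = []
    for r in rules:
        if r["action"] != "allow" or r["direction"] != "in":
            continue
        if r["dport"] not in ICS_PORTS:
            continue
        prefix = source_prefix(r["src"])
        if prefix < max_prefix:
            findings.append({"rule": r["name"], "protocol": ICS_PORTS[r["dport"]],
                             "port": r["dport"], "source": r["src"],
                             "fix": "restrict source to the specific remote-access host (/32)"})
    return findings


if __name__ == "__main__":
    for f in find_exposed_ics_rules(SAMPLE_RULES):
        print(f"{f['rule']}: {f['protocol']} ({f['port']}) reachable from {f['source']} -> {f['fix']}")
```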
What gets indexed
When public scanning infrastructure encounters an industrial control device, the response reveals a significant amount of information. A Rockwell CompactLogix PLC responding on port 44818 will identify itself by model number, firmware revision, and module configuration. A Modbus device on port 502 may return its device identification, including vendor name and product code. A Siemens S7 PLC on port 102 will respond with its module type, serial number, and firmware version.
This information is not being extracted through exploitation. These are standard protocol responses that the devices are designed to provide. The device is simply answering the question it was asked. The problem is that anyone can ask.
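To show that this identification really is an ordinary protocol response, here is an added example (not code from the article or from Sentinel OT) that builds a constructed Modbus/TCP Read Device Identification response and decodes the VendorName, ProductCode and MajorMinorRevision objects an indexer would record, rejecting exception responses and truncated frames. The vendor and product strings are placeholders, not a real device.

```python
import struct

# Object ids the Modbus spec assigns to the basic and regular identification categories
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}


def build_response(unit_id, objects, tid=1):
    """Assemble a well-formed response ADU (MBAP header + PDU) from a dict of
    object_id -> ASCII string. Used here only to create the constructed sample."""
    body = b"".join(bytes([oid, len(v)]) + v.encode("ascii") for oid, v in objects.items())
    # FC 0x2B, MEI type 0x0E, ReadDevId code 1 (basic), conformity 0x01,
    # MoreFollows 0x00, NextObjectId 0x00, number of objects
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)  # length counts unit id + PDU
    return mbap + pdu


def parse_device_identification(frame):
    """Return the identification objects a scan indexer would record, or raise
    ValueError for exception responses and truncated or malformed frames."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length")
    pdu = frame[7:]
    if len(pdu) >= 2 and pdu[0] == (0x2B | 0x80):  # device refused the request
        raise ValueError(f"Modbus exception code 0x{pdu[1]:02x}")
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu) or pos + 2 + pdu[pos + 1] > len(pdu):
            raise ValueError("object list truncated")
        oid, olen = pdu[pos], pdu[pos + 1]
        name = OBJECT_NAMES.get(oid, f"Object0x{oid:02x}")
        objects[name] = pdu[pos + 2:pos + 2 + olen].decode("ascii", "replace")
        pos += 2 + olen
    return {"unit_id": unit_id, "objects": objects}


# Constructed sample: placeholder vendor/product strings, not a real device
SAMPLE_FRAME = build_response(1, {0x00: "ExampleVendor", 0x01: "EX-PLC-100", 0x02: "V2.14"})

if __name__ == "__main__":
    print(parse_device_identification(SAMPLE_FRAME))
```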
The scanned data includes:
- IP address and geolocation. The physical location of the device, typically accurate to the city level.
- Open ports and services. Which industrial protocols are accessible: Modbus/TCP (502), EtherNet/IP (44818), DNP3 (20000), BACnet (47808), S7comm (102).
- Device identification. Manufacturer, model, firmware version, and sometimes the system name configured by the integrator.
- Banner information. Text strings returned by web interfaces, including login pages that identify the device type and sometimes the organization operating it.
- SSL/TLS certificates. Certificate details, including organization names and domain names, that can identify the operator.
An attacker who wants to find water utility SCADA equipment in a specific state does not need to send a single packet. The data is already collected, indexed, and searchable.
The question is not whether your OT equipment is being scanned. It is whether you know what the scan results say about you.
Why this matters more than you think
Internet exposure does not mean compromise. But it does mean that the first step of any attack, reconnaissance, has already been completed for the adversary. A threat actor targeting water utilities does not need to identify targets through labor-intensive research. The targets are already cataloged.
The progression from exposure to compromise is predictable. The device is discovered in the public index. The firmware version is checked against the National Vulnerability Database. If a known vulnerability exists, and if the device is running default credentials or no authentication, the attacker has everything they need. No zero-days required. No sophisticated tooling. Just standard engineering software connecting to an unprotected device at a known address.
This is exactly the attack chain documented in every major water utility cyber incident. Oldsmar, Aliquippa, Muleshoe. Internet-facing equipment. Known vulnerabilities. Default or missing credentials. The pattern is consistent because the underlying exposure is consistent.
Finding out what is exposed
The first step is knowing what an external observer can see. A passive vulnerability assessment uses the same publicly available intelligence sources that adversaries use, but for a defensive purpose. It identifies every device associated with your utility's IP space that is indexed by public scanning infrastructure, maps those devices to known vulnerabilities in the NVD and CISA KEV catalog, and produces a report that documents exactly what is visible and what the risk is.
This assessment does not require network access, credentials, or any interaction with your systems. It is entirely observational. The data already exists. The question is whether you have looked at it.
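An added example of the mapping step described above (illustrative code, not Sentinel OT's assessment tooling): constructed scan-index records for a utility's IP range are joined to constructed advisories carrying placeholder identifiers, comparing firmware versions numerically rather than as strings and listing KEV-style findings first. Every device, address, product and advisory below is made up for illustration.

```python
import re


def version_key(v):
    """Turn a firmware string such as '2.9', '32.011' or 'V2.14' into a tuple of
    integers so that 2.9 < 2.14 (plain string comparison gets this backwards)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


# Constructed: records of the kind a public scan index holds for a utility's IP range
INDEXED_DEVICES = [
    {"ip": "198.51.100.7", "port": 44818, "vendor": "ExampleVendor", "product": "EX-PLC-100", "firmware": "2.9"},
    {"ip": "198.51.100.9", "port": 502, "vendor": "ExampleVendor", "product": "EX-GW-5", "firmware": "4.0.2"},
    {"ip": "198.51.100.12", "port": 102, "vendor": "OtherVendor", "product": "OV-S7", "firmware": "1.9"},
]

# Constructed advisories with placeholder ids: product, first fixed firmware,
# and whether a KEV-style catalog lists the issue as exploited in the wild
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "vendor": "ExampleVendor", "product": "EX-PLC-100", "fixed_in": "2.14", "kev": True},
    {"id": "CVE-PLACEHOLDER-2", "vendor": "ExampleVendor", "product": "EX-GW-5", "fixed_in": "4.0.1", "kev": False},
    {"id": "CVE-PLACEHOLDER-3", "vendor": "OtherVendor", "product": "OV-S7", "fixed_in": "2.0", "kev": False},
]


def assess(devices, advisories):
    """One finding per (device, advisory) pair where the indexed firmware is
    older than the first fixed version; KEV-listed findings sort first."""
    findings = []
    for d in devices:
        for a in advisories:
            if (d["vendor"], d["product"]) != (a["vendor"], a["product"]):
                continue
            if version_key(d["firmware"]) < version_key(a["fixed_in"]):
                findings.append({"ip": d["ip"], "port": d["port"], "product": d["product"],
                                 "firmware": d["firmware"], "fixed_in": a["fixed_in"],
                                 "advisory": a["id"], "kev": a["kev"]})
    return sorted(findings, key=lambda f: (not f["kev"], f["ip"]))


if __name__ == "__main__":
    for f in assess(INDEXED_DEVICES, ADVISORIES):
        flag = "KEV" if f["kev"] else "   "
        print(f"{flag} {f['ip']}:{f['port']} {f['product']} fw {f['firmware']} "
              f"(fixed in {f['fixed_in']}) {f['advisory']}")
```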
At Sentinel OT, this is what we do. We provide passive vulnerability assessments for water and wastewater utilities across the United States. The assessment documents what is exposed, identifies the specific CVEs that apply, and provides remediation recommendations. Typical turnaround is one week. The resulting report directly supports AWIA Risk and Resilience Assessments, grant applications, and remediation planning.
If you operate a water utility and you have not verified whether your control systems are visible from the public internet, the answer is probably yes. Finding out takes days, not months. And the cost of not finding out is measured in incidents that were entirely preventable.