Operational technology—the programmable controllers, tank gauges, and grid telecontrol systems that run physical infrastructure—was never designed to be accessible from the open internet. When exposed, these systems become an attack surface that’s both fragile and consequential: many can be disrupted by a single malformed packet, and a successful compromise can cross from the digital world into the physical one. Nation-state actors have shown sustained interest in exactly this kind of access, quietly pre-positioning inside critical infrastructure. As frontier AI lowers the skill barrier to exploiting unfamiliar systems, an attack surface long protected by obscurity is now squarely in the crosshairs of adversaries.
SixMap conducted an internet-wide measurement study spanning the entire routable IPv4 space and, using its proprietary 6Gen technology, roughly 61 million discovered IPv6 hosts. Every address was checked against 82 OT protocol ports, then decoded and verified at the byte level to weed out honeypots, research sensors, and false positives. The result is a deliberately conservative, verified population built entirely from passive, non-intrusive data, without ever contacting or disrupting a live system. Because most attack surface tools skip non-standard ports and industrial protocols entirely, this may be the most complete public picture of exposed OT available today.
The research confirmed 14,524 internet-exposed OT services worldwide, with the United States the largest source at 1,537 verified exposures. Fuel-storage tank gauges make up the largest U.S. category, and a striking share broadcast a site name or full street address to anyone who connects. Using only passive signals, SixMap tied 73% of exposures worldwide, and 58% in the U.S., to a named organization. Download the full report for the complete breakdown by protocol, geography, and vulnerability.


