While most are browsing the surface of the web for routine information, I found myself exploring the digital fingerprints of the physical world. I happened to stumble upon the live control panels of industrial boilers that were effectively "streaking" on the public web, completely open to the elements. It's all fun and games until you realize you're one click away from turning a skyscraper into a giant sauna — so let's talk about how I found these exposed Boiler Control Systems and why a little configuration goes a long way in keeping the heat where it belongs.

The OSINT Methodology: Deducing the Signature

In technical OSINT, the goal is to cut through the noise of millions of web servers to find the "needle" in the stack. Instead of complex scanning, I focused on the web.title signature. This is a high-confidence identifier because it's a static element of the device's firmware.

Using the Modat Magnify platform, I executed a targeted query to map these systems globally:

web.title ~ "Boiler Control System"

The most striking part of this discovery was the complete lack of access control.

Upon opening the identified IPs, the interface loaded immediately without asking for a username or password — and even the deep configuration settings remained completely open, requiring no authentication to make changes.

This proves that in OT security, a single, simple signature is often all it takes to find the front door (and the control room) of a critical system.
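The same signature-plus-missing-login condition can be checked from the asset owner's side. The helper below is an added example, not code from the original post or from Modat Magnify: it classifies what an HMI returned to a single anonymous request as exposed, protected, or not the device at all. The probe records, hostnames and response bodies are constructed sample data.

```python
import re
from dataclasses import dataclass, field

@dataclass
class HttpProbe:
    """What one HMI answered to a plain, unauthenticated GET (constructed sample data)."""
    url: str
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

TITLE_RE = re.compile(r"<title>\s*(.*?)\s*</title>", re.I | re.S)
PASSWORD_RE = re.compile(r"<input[^>]+type=[\"']?password", re.I)

def page_title(body: str) -> str:
    m = TITLE_RE.search(body)
    return m.group(1) if m else ""

def classify(probe: HttpProbe, signature: str = "Boiler Control System") -> str:
    """Return 'protected', 'exposed' or 'not-hmi' for one anonymous probe.

    'exposed' is the condition the post describes: the HMI title is served to an
    unauthenticated request with no authentication gate in front of it.
    """
    header_names = {k.lower() for k in probe.headers}
    location = probe.headers.get("Location", "").lower()
    if probe.status in (401, 403) or "www-authenticate" in header_names:
        return "protected"                      # HTTP-level auth challenge
    if probe.status in (301, 302, 303, 307) and "login" in location:
        return "protected"                      # redirected to a login page
    if signature.lower() not in page_title(probe.body).lower():
        return "not-hmi"                        # something other than the HMI answered
    if PASSWORD_RE.search(probe.body):
        return "protected"                      # title present, but behind a login form
    return "exposed"

def audit(probes, signature: str = "Boiler Control System") -> dict:
    """Map each URL to its verdict; anything 'exposed' is the first thing to fix."""
    return {p.url: classify(p, signature) for p in probes}

# Constructed sample responses (placeholder hosts, not real systems).
SAMPLE_PROBES = [
    HttpProbe("http://hmi-a.example", 200,
              "<html><head><title>Boiler Control System</title></head>"
              "<body>Stage 1: ON  Setpoint: 180F</body></html>"),
    HttpProbe("http://hmi-b.example", 401, "", {"WWW-Authenticate": 'Basic realm="HMI"'}),
    HttpProbe("http://hmi-c.example", 200,
              "<title>Boiler Control System</title><form><input type=\"password\" name=\"pw\"></form>"),
    HttpProbe("http://web-d.example", 200, "<title>Welcome</title>"),
]
```

Run `audit(SAMPLE_PROBES)` against your own inventory of HMI URLs (after swapping in real fetched responses) and any "exposed" verdict is a device that is serving its control page to the open internet.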

The Connectivity Trap

This level of "connectivity" creates a high-stakes security paradox. While it allows a technician to check a building's status from their phone, it also places critical physical infrastructure on the same public playing field as a standard web server. In this case, seeing a system that manages high-pressure steam and building-wide heating sitting open without a single login prompt is a sobering reminder of how thin the line is between "connected" and "exposed."

Physical Stakes in a Digital Interface

When a boiler system is accessible to the world, the risks aren't just about data — they are kinetic. Through the unauthenticated interface, an attacker could potentially:

  • Manipulate Boiler Staging: Forcing boilers to cycle incorrectly, leading to massive energy waste or mechanical wear.
  • Alter RIO (Remote I/O) Assignments: Effectively "rewiring" the system's logic digitally, which could cause sensors to report false data or fail to trigger safety shut-offs.

It is a frightening situation when the "Off" switch for a building's heating system is just one search away.

Real-World Consequences

The lack of authentication creates a "perfect storm" for several high-stakes scenarios:

  1. Service Disruption: In commercial or residential buildings, an unauthorized shutdown could leave hundreds of people without heat or hot water during peak winter months.
  2. Safety Hazards: While most boilers have physical safety valves, tampering with the control logic can push equipment to its operational limits, creating a high-risk environment for maintenance staff and building occupants.
  3. Persistence & Stealth: Because there is no login requirement, there is also no audit log of who made a change. An attacker could subtly tweak temperature setpoints over weeks, causing gradual damage or increased costs without ever being detected.
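The third scenario has a defensive answer even when the device itself keeps no audit log: poll the configuration from outside and diff it against a signed-off baseline. The code below is an added example, not part of the original post or any vendor's product; the daily polling log, the tag names (supply setpoint, staging enable, RIO slot assignment) and the baseline values are constructed to mirror the settings the post says were open to change.

```python
from dataclasses import dataclass

# Constructed polling log from a hypothetical read-only collector that records the
# HMI's configuration once a day: "timestamp tag=value ..." (tag names are assumptions).
SNAPSHOTS = """\
2024-01-01T06:00 supply_setpoint_f=180 stage2_enable=1 rio_slot3=outdoor_temp
2024-01-02T06:00 supply_setpoint_f=180 stage2_enable=1 rio_slot3=outdoor_temp
2024-01-03T06:00 supply_setpoint_f=182 stage2_enable=1 rio_slot3=outdoor_temp
2024-01-04T06:00 supply_setpoint_f=184 stage2_enable=1 rio_slot3=outdoor_temp
2024-01-05T06:00 supply_setpoint_f=186 stage2_enable=0 rio_slot3=none
"""

# Values the asset owner signed off on at commissioning (constructed).
BASELINE = {"supply_setpoint_f": "180", "stage2_enable": "1", "rio_slot3": "outdoor_temp"}

@dataclass
class Finding:
    when: str
    tag: str
    expected: str
    observed: str

def parse_snapshots(text: str):
    """Turn the log into [(timestamp, {tag: value}), ...]."""
    rows = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        rows.append((ts, dict(p.split("=", 1) for p in pairs)))
    return rows

def diff_against_baseline(snapshots, baseline):
    """Every poll where any baselined tag differs from its signed-off value.
    With no audit log on the device, this external diff is the only change record."""
    return [Finding(ts, tag, exp, vals.get(tag, "<missing>"))
            for ts, vals in snapshots
            for tag, exp in baseline.items() if vals.get(tag) != exp]

def creeping_drift(snapshots, tag, step_limit, window_limit):
    """True when a numeric tag moves only in small steps (each <= step_limit, easy to
    mistake for a technician's tweak) yet the net change over the window exceeds window_limit."""
    values = [float(vals[tag]) for _, vals in snapshots]
    max_step = max(abs(b - a) for a, b in zip(values, values[1:]))
    return max_step <= step_limit and abs(values[-1] - values[0]) > window_limit

def first_deviation(snapshots, baseline):
    """Timestamp of the earliest departure from baseline, or None if none occurred."""
    findings = diff_against_baseline(snapshots, baseline)
    return findings[0].when if findings else None
```

On the constructed log the setpoint creeps two degrees a day, which a per-change threshold of 2 would never flag but the window check does, and the RIO reassignment on the last day shows up as a plain baseline mismatch.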

The Disclosure Process: Coordination with CISA

Once the exposure was confirmed, I reported the findings to CISA (Cybersecurity & Infrastructure Security Agency). Working through a coordinator like CISA is vital in the OT world because it ensures the right people at the vendor are reached immediately.

The response was swift. CISA facilitated the bridge to the vendor, who confirmed that their "controls team is looking into this and they have already taken care of 2 of the systems and are working on the 3rd one that was flagged." Seeing that direct, physical impact from an OSINT report is exactly why we do this work.

The Verdict: Misconfiguration, Not Malfunction

After a thorough review of the evidence, CISA provided a final assessment that I fully support:

"Based on the information currently available and what I can find, it appears more likely that these issues stem from system misconfigurations rather than product vulnerabilities."

This conclusion hits the nail on the head. In Industrial Control Systems, the security features are often present, but they are only effective if the asset owner enables them. These systems weren't "broken" by design; they were simply left "unlocked" during deployment.

A Final Word of Thanks

This case is a textbook example of how the security ecosystem should work. I want to thank the CISA team for their professional mediation and for keeping the communication lines open between the research and vendor communities. I also want to thank the vendor for their fast response and for taking the initiative to secure those three exposed systems immediately.

By working together, we successfully moved critical infrastructure off the public firing line.

Conclusion

In today's world, as every physical device becomes increasingly internet-connected, the line between "convenience" and "exposure" has never been thinner. This research serves as a reminder that securing our critical infrastructure starts with moving beyond simple connectivity and ensuring that every "Boiler Control System" is shielded by proper configuration and robust access controls.