We built a factory that doesn't exist. A small Swiss metalworking shop, with a real website and a believable shop floor behind it. A laser cutting cell. A press. Building utilities. Production counters ticking up over the day. The kind of setup you'd find in any of a thousand real shops.
Then we connected it to the public internet and watched.
It was found in under ten minutes. Within a day it was being hit around the clock. We ran it for 30 days in spring 2026 and logged every knock at every door.
24,831 distinct machines scanned its closed ports. Behind the doors that actually answered: 109,862 login sessions, 72,357 password guesses, from 6,772 unique addresses. More than nine in ten ran on automated bot frameworks hosted on rented cloud servers. Almost none of it human.

That is what the internet does to anything with an address. It's the part most manufacturers never see, because their equipment either isn't connected yet, or is connected and being quietly probed with nobody watching.
You Don't Have to Be a Target
The instinct, especially at a smaller shop, is simple: who would bother with us? We don't make anything a hacker wants. We're not a target.
That's the most expensive misunderstanding in the whole field, because nobody is bothering. There is no person who picked you. Almost everything in this report is automated, indiscriminate and constant. Software sweeps the entire internet, address by address, looking for anything with a known weakness. It doesn't know what you make and it doesn't care. "Too small to notice" assumes someone is doing the noticing. Nobody is. A program is, and a program has the whole internet and all the time it needs.
You don't have to be a target to be compromised. You only have to be reachable, with one weak spot, on the day a sweep rolls past carrying the exploit for it.
Your factory probably isn't sitting as wide open as ours was. We left every door ajar on purpose, to show the weather. But the weather is real, and it falls on everyone. It takes one forgotten door, one machine a supplier quietly put online for support, to drop your shop into exactly the spot our decoy was in. So we ran the experiment to see how much automated attention a small, unremarkable factory actually draws.
What We Built
The decoy is called a honeypot. Picture a fully furnished shop with hidden cameras. It looks real from the street. Nothing inside is worth stealing. The point is to watch who tries the doors, safely. We gave it a complete identity: a company, a website, a fictional history "since 1998," and a shop floor full of believable, slowly drifting machine data.

Then we opened the doors a careless factory might leave open, and recorded everything that came through each one.
What Came Knocking
The bots go for the easy doors first. The most-tried real passwords were the defaults that ship on devices and never get changed: admin, 123456, 1234, password. The favourite username and password pairs were the obvious ones too: root/admin, admin/admin, root/root. They get sprayed across the whole internet because they still work often enough to be worth it.
But look at the very top of the list. The two most-tried "passwords" weren't guesses at all. They were a known default login for a model of IP desk phone, sprayed across the internet by a botnet hunting for those phones. It wasn't looking for a factory. It wasn't looking for us. It was looking for a phone, and it knocked anyway.

That's the thing to understand about this layer of the internet. It isn't a hacker picking your lock. It's machinery, testing millions of doors a second, cataloguing whatever answers.
The scanners that didn't try to log in were just as busy mapping which doors might be worth a second look. Here is what they were hunting for.

We left the equipment login wide open on purpose, accepting any password, to see what the bots would do once "inside." The answer was almost nothing. Zero commands run. Zero malware planted. Partly because a generic Linux box wasn't the device most of them were hunting. Partly because this layer just validates a login and moves on. The hands-on work, the part that actually wrecks a factory, comes later, and only against targets that turn out to be real and worth the effort.
A real factory with a default password is exactly that kind of target.
Even PLCs Are Being Scanned For
Then there's the part with no equivalent in an office. We exposed the protocols that machines speak: Modbus, S7, EtherNet/IP. These are the languages PLCs use, the small rugged computers that actually run equipment. Over the month they drew a steady trickle of deliberate probes, visible in the dashboard above: 846 to EtherNet/IP, 348 to Siemens S7, 340 to Modbus. Small numbers next to the SSH flood, but every one is a stranger asking a machine to introduce itself.
Most just asked one thing: what are you? Our fake controller answered. Make, model, status, live readings. No password required.
The striking part isn't the volume. It's that there are bots whose entire job is to find industrial control systems on the public internet, and they found ours fast.
Because in their classic form these protocols have no passwords at all. They assume anyone who can reach them belongs there. Newer controllers have started bolting on real access protection, but most of the installed base still speaks the old, open dialect. A reachable one answers anyone who asks. Ours only let visitors look. A real exposed controller often lets a stranger change a value. (OPC UA, the modern protocol that can demand a login and encryption, drew just 10 connection attempts. Fewer scanners speak it yet. Both were found.)
And the scanning doesn't stop at probing. What it finds gets published. Here is our decoy on Shodan, the public search engine for internet-connected devices: indexed, tagged "ics" for industrial control system, with port 4840 wide open and the OPC UA address space, the names of the plant's cells and machines, laid out for anyone to read. No login. No payment.

That is the real problem with being on these maps. An attacker doesn't have to find you, and doesn't have to scan. They search Shodan for "Modbus in Switzerland," or for a specific controller model with a known flaw, and get a ready-made list: your equipment, its software version, your plant's layout, already mapped. The reconnaissance that used to take effort is now a filter on a public website. Being indexed turns an unremarkable shop into a line item on a target list that researchers, criminals and nation-states all browse from the same page. And it sticks: these services keep history, so a hole you closed last month can still point someone at you today.
And it isn't only the machines. Among the most-probed doors were Remote Desktop and VNC, the remote-screen tools that often put an operator's HMI on a screen. An exposed HMI is a stranger sitting at your operator's station. It's also one of the most common ways ransomware gets into industrial companies.
Not Everyone Knocking Is a Criminal
Here's the part that surprised us. A few days in, an email arrived from the BSI, Germany's federal cyber-security agency. They had noticed our factory was exposing industrial equipment to the internet, and they were letting us know.
They were right. Our box was hosted in Germany, and the BSI scans German address space on purpose, looking for exactly this. They match exposed systems to the network operator by IP address and send a warning, so operators can close the hole before someone less friendly arrives. Ours reached us through the hosting provider, which is how their notification program works.
Sit with that for a second. Scanners found our fake factory in minutes. Research services like Shodan and Censys catalogued it. Criminal bots were knocking within the day. And the national cyber-security agency of the country it sat in scanned it, recognised industrial gear, and emailed a warning. Everyone finds you.
The only people who tend not to know a factory is exposed are the people who run it.
A warning email is a gift. It is not a safety net. The BSI tells you the door is open. It doesn't close it for you, and it doesn't get there before the bots do.
There Is No Hiding
So we tried the dodge every team reaches for first. We moved the real management login off its obvious address, onto an obscure port. The noise dropped almost completely.

The login itself used digital keys instead of passwords, the kind a guessing bot can't fake, so the guessers got nowhere. But don't read that as safe either. A key-only login still facing the whole internet answers every stranger who knocks, announces that something is here, and still runs software that the next flaw in SSH itself can target. A lock on a door you've left standing in the middle of the street is still a door in the street.
And yes, nothing got in this month. That isn't the point, and it isn't something to build a strategy on. We weren't breached mostly because a generic decoy wasn't the prize these bots were hunting, not because the door was anything other than wide open the whole time. The takeaway isn't "we defended it well." It's how little it takes to be this exposed, and that hiding and locks only buy time. The one move that removes the risk is removing the exposure: take the door off the public internet, so the admin login and the machines answer only the people you've already let in.
One more thing the data shows. Almost all of it came from rented commercial cloud servers, not home connections. The single busiest source was one rented server in the Netherlands, knocking 17,711 times. That's where the servers are rented, not where the people sit. So blocking a country buys you nothing.
What to Do Monday Morning
Start with one honest question, asked out loud in the room: get me the list of every device we own with a public internet address. The real one, not the official one. If that list takes more than a day to produce, you've already found a problem. You don't know what's exposed, which means something is.
Then a few gut-checks. Hand on heart.
- Is there a Remote Desktop, a TeamViewer or an AnyDesk sitting straight on a production HMI right now, because a machine builder set it up for "remote support" in 2019 and it just never came off?
- Did a supplier once ask you to "just open a port" so they could dial in, and is that port still open today, with the same password it shipped with?
- Is there a cellular router or a little VPN box bolted to a machine that your team didn't install, doesn't monitor, and can't see inside?
If you flinched at any of those, you're normal. Every one of them started as a reasonable shortcut to keep a line running. Nobody was careless. But every one is a door, and the bots in this article are already knocking on it.
Three things for the next operations review:
You will be found. There is no "too small to notice." If it has an address, it's scanned within the hour. Plan as if you're already on the list, because you are.
Never put a machine controller on the internet. Not for remote support, not for a quick demo, not "just for the pilot." These protocols can't defend themselves. Equipment belongs on an isolated network, reachable only through something that authenticates and encrypts on its behalf, so the controllers themselves never answer the open internet. Doing that properly is its own piece of work, more than a checkbox, but the rule underneath it is simple: the machine never faces the street.
Give the gap an owner. The breach almost never lands on the machine. It lands on the operator PC, the file share, the router, the remote tool nobody patched. The boundary between IT and OT needs a name next to it. If nobody owns it, nobody is defending it.
The Only Question Left
None of this is a reason to keep your factory offline. The value of connected production is real, and it isn't going away. You need to connect. You just have to know what you're doing.
A fake factory got found in minutes and survived a month of constant attack, because the doors were locked and the machines never faced the street. A real one with default passwords and a controller on a public address would have been owned in the same window. Same internet, same bots, opposite outcome. The difference was never luck. It was knowing what you're doing.
The internet already knows your factory is there. The only question is what it finds when it knocks.
