The computers that control large industrial control systems—the sewage plants, power stations, and assembly lines that keep civilization running—aren’t supposed to be online. Computers online tend to get hacked, of course, and you wouldn’t want your local power plant under rogue control. But a graduate student was able to locate and map more than 10,000 industrial control systems that are directly connected to the Internet, as reported by Kim Zetter at Wired’s Threat Level Blog. What’s more, only 17 percent of those devices bothered to ask for authorization to connect, suggesting that network managers simply didn’t realize that their control systems were online.

The finding adds a discouraging twist to worries that hackers might take over critical infrastructure. Indeed, individuals have regularly managed to electronically penetrate industrial systems, with destructive real-world consequences. Last year, David Nicol of the University of Illinois described how hackers could conceivably take down a good portion of the U.S. power grid. His analysis relied on simple techniques commonly used by hackers to steal credit cards and the like; never did he assume that the important control systems would be sitting out in the open without any protections in place.

It’s unclear how many of the 10,000 control systems were set up to control critical infrastructure like power stations, says Éireann P. Leverett, the researcher who published the study. He notified the U.S. Department of Homeland Security of his findings last September. But one thing is clear: If, as it appears, this many systems have been online without the knowledge of the people in charge, we can’t let the assumption that something isn’t connected to the Internet take the place of a real security protocol.

Image: Grizzly Peak Sub-Station, California; courtesy of Lawrence Berkeley National Lab