Yeah, the issue has existed for years and is widely documented in the security community. There are a few reasons why we haven't seen more widespread chaos:
1. Lack of network visibility by the owners of ICS
2. Availability > Forensics
3. VNC interfaces don't always provide full access
And keep in mind that there aren't a huge number of these anonymous VNC instances to begin with. We're talking less than 10,000 instances of servers that don't have any authentication and only a fraction of them are ICS-related.
I've written/ presented on the topic a few times, see:
1. Lack of network visibility by the owners of ICS
2. Availability > Forensics
3. VNC interfaces don't always provide full access
And keep in mind that there aren't a huge number of these anonymous VNC instances to begin with. We're talking less than 10,000 instances of servers that don't have any authentication and only a fraction of them are ICS-related.
I've written/ presented on the topic a few times, see:
https://blog.shodan.io/taking-things-offline-is-hard/
https://blog.shodan.io/why-control-systems-are-on-the-intern...
https://blog.shodan.io/state-of-control-systems-in-the-usa-2...