The pair wrote a series of scripts, small computer programs, that interrogated the Shodan search engine. Shodan was created to log machines connected to the internet in the same way Google logs webpage contents.
In their search scripts the pair used 600 terms compiled from lists of Scada manufacturers and the names and product numbers of the control systems they sell.
Armed with a list of 500,000 potential targets, they approached the US Department of Homeland Security who pared it down to the most important 7,200 targets. The DHS is now in the process of contacting the firms who own these computers to warn them they can be found online.
In many cases, said the pair, convenience had led companies to connect such important systems to the web.
"A lot of these guys want to fix things at 3am without driving three hours in each direction," wrote Mr Brodsky.
Mr Radvanovsky and Mr Brodsky did not test the computers they found to see how well they were protected. However, other researchers have found many weaknesses in the software used to control Scada systems via the net.
While attacks on critical infrastructure are relatively rare, recent months have seen viruses and other malicious programs hit control systems at oil treatment plants and other facilities.