A recent Comparitech report identified 179 industrial control system (ICS) devices using the Modbus protocol exposed to the internet across 20 countries. These included systems connected to power grids and railway networks. The research highlights that the Modbus protocol, developed in 1979, lacks authentication and encryption, leaving devices accessible to attackers with limited technical skills. The United States recorded the highest number of exposed devices, followed by Sweden and Turkey, indicating widespread vulnerability within critical infrastructure. Comparitech noted that, without protections such as firewalls, VPNs, or network segmentation, these exposures present significant operational and safety risks.
Background
Modbus was originally designed for closed industrial networks, lacking authentication, encryption, and access controls. Comparitech reported that other legacy protocols, such as Distributed Network Protocol 3 (DNP3) and Building Automation and Control Networks (BACnet), share similar weaknesses, making them susceptible in internet-connected environments. This risk is increasing as ICS deployments and IP connectivity grow, and researchers warn that network expansions without adequate security controls amplify exposure. Previous studies have also found tens of thousands of ICS devices exposed online in various sectors and regions.
Details
Comparitech researchers scanned for devices responding on port 502, the default for Modbus TCP, and discovered 179 live, internet-accessible ICS devices in 20 countries. The sample included at least one device tied to a national railway and two associated with power grid infrastructure. Exposed assets comprised programmable logic controllers (PLCs), energy meters, data loggers, and power loggers from vendors including Schneider, ABB, Data Electronics, and Siemens. Without access controls, attackers could potentially read or modify device registers, disrupting operational logic or process measurements. Denis Calderone, CTO of Suzu Labs, noted the report's timing amid warnings on Iranian actors targeting U.S. PLCs, describing the exposure as "a front-door wide open" scenario. Calderone advised scanning for port 502 exposures, disconnecting devices from direct internet access, and employing VPNs or segmented operational technology (OT) zones. Damon Small, board member at Xcape, described such exposures as indicative of inadequate perimeter hygiene and stressed the importance of asset inventories, segmentation, and secure remote access as mitigation measures.
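To make the "no authentication on the wire" point concrete from the monitoring side, here is an added example (not code from Comparitech or the experts quoted) that parses constructed Modbus/TCP request frames on port 502 and flags state-changing function codes from sources outside an assumed OT engineering subnet; the subnet, source addresses and frames are constructed for illustration.

```python
"""Flag Modbus/TCP write requests that do not come from the engineering subnet."""
import ipaddress
import struct

# Function codes that change device state; anything else listed here only reads.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers",
                        23: "Read/Write Multiple Registers"}
READ_FUNCTION_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                       3: "Read Holding Registers", 4: "Read Input Registers"}

# Assumption for the example: only the OT engineering subnet may write to PLCs.
WRITE_ALLOWLIST = [ipaddress.ip_network("10.10.50.0/24")]


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header (transaction, protocol, length, unit) + function code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def classify(src_ip: str, frame: bytes) -> str:
    """Return 'read', 'allowed-write', 'alert' (write from outside the allowlist) or 'unknown'."""
    fc = parse_mbap(frame)["function"]
    if fc in READ_FUNCTION_CODES:
        return "read"
    if fc in WRITE_FUNCTION_CODES:
        src = ipaddress.ip_address(src_ip)
        return "allowed-write" if any(src in net for net in WRITE_ALLOWLIST) else "alert"
    return "unknown"


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request: MBAP header followed by function code and data."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic as (source IP, frame) pairs.
SAMPLE_TRAFFIC = [
    ("10.10.50.12", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),    # read 10 holding registers
    ("10.10.50.12", build_request(2, 1, 6, struct.pack(">HH", 40, 1))),    # engineering-station write
    ("203.0.113.77", build_request(3, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x00")),  # external write
]


def triage(traffic):
    """Classify every captured request; writes from non-allowlisted sources become alerts."""
    return [(ip, parse_mbap(frame)["function"], classify(ip, frame)) for ip, frame in traffic]
```

Run with `python -c "import modbus_triage; print(modbus_triage.triage(modbus_triage.SAMPLE_TRAFFIC))"` (module name assumed) to see the external write surface as an alert while the same write from the engineering subnet does not.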
Outlook
Experts anticipate increased adoption of cybersecurity standards such as ISA/IEC 62443 and North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), which mandate network zoning, authentication, and secure-by-design practices. Asset discovery tools and ongoing OT monitoring are also expected to play key roles in minimizing Modbus exposure and protecting critical infrastructure from emerging threats.
