Researchers identified 179 insecure industrial control systems (ICS) exposed on the public internet. The devices range from national railway signaling to electrical grid components, and their exposure leaves them ripe for attack.
The common thread linking these devices is a dependence on the Modbus protocol, a decades-old communication standard that lacks encryption or password protection.
The research, published April 8 by cybersecurity firm Comparitech, is based on work by researcher Mantas Schamotta.
“We used the Masscan tool to perform an internet-wide scan for anything listening on port 502, which is commonly used by the Modbus protocol. We received 311 responses in total,” he said. From there, Schamotta winnowed the number down to 179 ICS devices after accounting for honeypots and virtual devices.
“Because Modbus doesn’t require authentication, an attacker could potentially write to, as well as read from, the holding registers (industrial systems),” Schamotta wrote. Even small changes can disrupt the physical systems those devices control, he added.
To attackers, internet-exposed Modbus, DNP3 and BACnet devices are easy targets because they were built for closed networks, not security. Many lack authentication or encryption, putting critical infrastructure and economic systems at risk.
What is Modbus?
Modbus dates back to 1979 and remains a widely used industrial communication protocol. It lets controllers, sensors and other automation devices exchange data over Transmission Control Protocol (TCP), the standard internet transport, listening for connections on port 502, the port commonly used by Modbus systems.
Past cyber incidents involving the Modbus protocol include the FrostyGoop attack on district heating in Ukraine (2024) and activity believed to be part of the PIPEDREAM or INCONTROLLER state-sponsored attack in 2022.
Because Modbus is simple, reliable and deeply embedded in many industrial control systems, it was simply never replaced, explains Julie Gruenholz in the Hallam ICS blog post “Why, In 2017, Are We Still Using Modbus?”.
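The unauthenticated read/write distinction Schamotta describes, and the port 502 transport above, are what a defender watching Modbus/TCP traffic cares about. As an added example (not code from the report or from Comparitech), the Python below parses the Modbus/TCP MBAP header and flags write function codes coming from any source outside an engineering-station allowlist; the frames and IP addresses are constructed for illustration.

```python
import struct

# Modbus/TCP: 7-byte MBAP header (transaction id, protocol id, length, unit id)
# followed by the PDU (function code + data). Write function codes per the spec.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request frame into header fields and PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def audit_requests(requests, allowlist):
    """Return alerts for write requests from sources not on the allowlist.
    requests: iterable of (src_ip, frame bytes) captured on TCP/502."""
    alerts = []
    for src, frame in requests:
        pdu = parse_modbus_tcp(frame)
        fc = pdu["function"]
        if fc in WRITE_FUNCTIONS and src not in allowlist:
            detail = WRITE_FUNCTIONS[fc]
            if fc == 0x06:  # register address and value follow the function code
                addr, value = struct.unpack(">HH", pdu["data"][:4])
                detail += f" addr={addr} value={value}"
            alerts.append(f"{src} -> unit {pdu['unit']}: unauthorised {detail}")
    return alerts

# Constructed sample traffic (not real captures): a read from the site HMI,
# a write from an unexpected internet address, and an allowed write.
SAMPLE = [
    ("10.0.0.5",     bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # read 10 regs
    ("203.0.113.77", bytes.fromhex("0002 0000 0006 01 06 0001 0003")),  # reg 1 := 3
    ("10.0.0.5",     bytes.fromhex("0003 0000 0006 01 06 0002 0000")),  # allowed
]
ALLOWLIST = {"10.0.0.5"}

if __name__ == "__main__":
    for alert in audit_requests(SAMPLE, ALLOWLIST):
        print(alert)
```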
Built-In Risk
Some of the devices found running Modbus included: Schneider logic controllers (used to automate physical processes), a Fastwel controller (managing distributed inputs and outputs across large industrial networks), an eGauge energy meter and logger (tracking real-time and historical power data), and an A.Eberle power logger (used to monitor grid performance and spot disturbances early).
The United States had the most (57) exposed industrial control devices, followed by Sweden (22) and Turkey (19), according to the report.