179 internet-exposed ICS devices across 20 countries identified via insecure Modbus protocol
Researchers at Comparitech have identified 179 internet-exposed industrial control system (ICS) devices across 20 countries, including systems tied to power grids and railway networks, all accessible via the Modbus protocol. The devices were found responding on port 502, the default communication port for Modbus, which is widely used in critical infrastructure environments.
The exposed systems include equipment from major vendors such as Schneider Electric and ABB, performing functions like logic control, power monitoring, and data logging. The United States had the highest number of exposed devices at 57, followed by Sweden (22) and Turkey (19).
Denis Calderone, CTO, Suzu Labs:
“During yesterday’s extremely busy cybersecurity news cycle we were all abuzz about the six-agency advisory about Iranian actors targeting US critical infrastructure PLCs. One thing we pointed out yesterday while conversing with clients and others was to look for any Internet exposure to certain protocols used by PLCs including Modbus TCP on port 502.
“Modbus is particularly concerning because it is a protocol developed without security controls. Now, today, Comparitech publishes research showing 179 ICS devices sitting exposed on that exact port across 20 countries, with the United States leading the count at 57 devices. The timing on this could not be more relevant.
“To put it bluntly, Modbus was designed in 1979 for closed industrial networks and that’s why it lacks any concept of authentication and has no encryption. If you can reach port 502, you can read from and write to the device registers. The researchers didn’t just do a Shodan search and look at headers, they performed a Masscan, identified open Modbus ports and were able to chart live energy consumption from an exposed power monitoring device using the manufacturer’s publicly available register list.
“We already know the Iranian hackers are looking for this, and these devices are just sitting there waiting to be found. So, what we said yesterday stands today that PLCs and ICS devices need to be behind firewalls and segmented OT network zones, not exposed to the internet. Modbus was never meant to be an internet-facing protocol.
“The convergence of industrial systems onto IP networks has been causing this kind of exposure for decades now. If your organization runs any industrial control systems, scan your own environment for anything responding on port 502 and take it off the internet today. If you need remote access for maintenance or monitoring, put it behind a VPN. There is no scenario where an unauthenticated industrial control protocol should be directly reachable from the public internet.”
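One way to turn that advice into a detection check, as an added example that is not part of the original post or of Comparitech's research: the script below parses the Modbus/TCP (MBAP) header of connection records and flags any request to port 502 that does not originate from an assumed OT zone, rating writes above reads because a write can alter the physical process. The 10.20.0.0/16 zone and the sample records are constructed for the example.

```python
import ipaddress
import struct

# Constructed OT zone: the only networks that may legitimately issue Modbus requests.
OT_ZONES = [ipaddress.ip_network("10.20.0.0/16")]
# Function codes that change device state (coils / holding registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP request (7-byte MBAP header + PDU) into (unit_id, function_code)."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id 0 means Modbus; the length field counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def classify(record):
    """Rate a record {src, dport, payload}: port-502 traffic from outside the OT zone is flagged."""
    src = ipaddress.ip_address(record["src"])
    if record["dport"] != 502 or any(src in net for net in OT_ZONES):
        return None
    parsed = parse_mbap(record["payload"])
    if parsed is None:
        return ("info", "non-Modbus bytes on port 502 from outside the OT zone")
    unit, fc = parsed
    if fc in WRITE_FUNCTIONS:  # a write can change the physical process
        return ("critical", f"{WRITE_FUNCTIONS[fc]} to unit {unit} from outside the OT zone")
    name = READ_FUNCTIONS.get(fc, f"function {fc}")
    return ("high", f"{name} on unit {unit} from outside the OT zone")

# Constructed sample records (not real captures). Payload hex = MBAP header + PDU, e.g.
# 0001 0000 0006 01 | 06 000A 0064 -> unit 1, FC 6 (Write Single Register), reg 10 := 100
SAMPLE_RECORDS = [
    {"src": "203.0.113.7", "dport": 502, "payload": bytes.fromhex("0001000000060106000A0064")},
    {"src": "198.51.100.9", "dport": 502, "payload": bytes.fromhex("00020000000601030000000A")},
    {"src": "10.20.30.40", "dport": 502, "payload": bytes.fromhex("00030000000601030000000A")},
    {"src": "203.0.113.7", "dport": 502, "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        hit = classify(rec)
        if hit:
            print(f"[{hit[0].upper()}] {rec['src']}: {hit[1]}")
```

Feed it records from a firewall or sensor at the IT/OT boundary; anything rated critical means a state-changing Modbus command crossed the perimeter.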
Damon Small, Board of Directors, Xcape, Inc.:
“Exposing Industrial Control System (ICS) assets directly to the Internet via unauthenticated protocols like Modbus represents a critical failure in perimeter hygiene that invites immediate disruption of physical operations.
“While the report’s tally of 179 devices is statistically small, the inclusion of programmable logic controllers (PLC) and power monitors in the U.S. and Sweden highlights a persistent gap in securing critical infrastructure. The fundamental issue is that Modbus lacks native encryption or authentication, meaning any device responding on port 502 is effectively an open door for unauthenticated read and write commands.
“Recent surges in activity from state-affiliated actors targeting similar vulnerabilities underscore that this is no longer a theoretical risk but an active targeting priority. Security teams must move beyond simple port blocking and verify that any necessary remote access is tunneled through a robust VPN or a secure gateway with granular identity controls.
“Prioritize an immediate scan of external IP ranges for port 502 and audit all Modbus TCP gateways to ensure they are not bridging internal Operational Technology (OT) and industrial control networks directly to the public Internet. Use the Purdue Model reference architecture for guidance on how to properly segment OT from IT to protect these critical infrastructures. In short, the problem is not with the devices or the protocols that they use, but rather the manner in which operators are deploying them.
“It is 2026, and we are still arguing about whether a power grid should be a public webpage.”
Larry Pesce, VP of Services, Finite State:
“This highlights a recurring and concerning issue: internet-exposed industrial control system (ICS) devices, particularly those using legacy protocols like Modbus that were never designed with security in mind.
“What stands out here isn’t just the exposure itself: it’s where it’s happening.
“Critical infrastructure organizations such as energy, water, and manufacturing have historically been among the most cautious when it comes to external attack surfaces. These environments typically emphasize segmentation, controlled access, and layered defenses. So seeing these systems directly reachable from the internet suggests a breakdown in foundational security practices.
“And that’s really the key takeaway:
“This isn’t a failure of advanced security controls, it’s a failure of fundamentals.
“The “Back to Basics” Problem
“What these exposures reinforce is the need to revisit core disciplines such as network perimeter management. If Modbus is reachable from the public internet, something upstream like firewalls, routing, and/or segmentation has failed. Full stop.
“Also, asset inventory. You can’t protect what you don’t know exists. Internet-wide scans keep finding devices because organizations don’t have a complete, continuously updated view of what’s deployed.
“Patch and update hygiene. Even when exposure is unavoidable, outdated firmware and unpatched services dramatically increase risk.
“Redundancy and resilience planning. Many ICS environments assume availability—but exposure introduces fragility. Even “low impact” disruptions can cascade if redundancy isn’t properly designed.
“The compounding risk effect is the part that tends to get underestimated.
“Individually, many of these exposed systems might not lead to catastrophic outcomes. Maybe it’s read-only access. Maybe it’s a non-critical site. Maybe exploitation requires additional steps.
“But security doesn’t fail in isolation.
“When you stack dozens, or hundreds, of “low impact” exposures, you create systemic risk.
“Attackers don’t need a single catastrophic vulnerability if they can enumerate environments, chain small weaknesses, and establish footholds across multiple sites. At that point, even minor disruptions can aggregate into operational, safety, or economic consequences.
“This keeps happening because a lot of organizations still rely on point-in-time scans and assumptions about what’s deployed. But what matters is what’s actually running in the field: the firmware, the configurations, the exposed services.
“And this is exactly the gap. Traditional approaches often miss “firmware reality”: the full picture of what’s deployed, exposed, and reachable.
“Without a continuous, accurate inventory tied to real deployed assets, these exposures slip through, even in mature environments.
“Honestly, this isn’t about blaming operators or engineers. These environments are complex, often decades in the making, with layers of legacy decisions.
“But moments like this are a good reset. Not a “we need more AI security tooling” moment or a “zero trust will fix everything” moment.
“This is a: “Did we lock the front door?” moment. Because in this case… the front door is Modbus on port 502, wide open to the internet.”
Neither my admin page nor anything else that’s tied to administering my router is exposed to the Internet. I do that because I am paranoid that I will get pwned because I gave a threat actor the means to pwn me. I would suggest we all start to become a lot more paranoid.
This entry was posted on April 9, 2026 at 2:02 pm and is filed under Commentary with tags Comparitech. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.