Malware affecting industrial control systems (ICS) has the potential to disrupt the key industries that underpin modern society. Variants such as Industroyer, Stuxnet, Havex, Triton, and BlackEnergy have demonstrated the ability to interfere with industrial processes, disrupt power supplies, and, in some cases, cause physical damage to critical infrastructure.
According to Cyble Research & Intelligence Labs’ most recent report, ICS vulnerability disclosures almost doubled between 2024 and 2025. This increase, says Digital Watch Observatory, is linked in part to “greater exploitation by threat actors” seeking to compromise energy, manufacturing, and utilities infrastructure.
Internet-exposed ICS devices are a primary target, particularly those running legacy protocols such as Modbus. Modbus enables the sensors and controllers used in power grids, factories, and other industrial systems to communicate with each other. The decades-old protocol lacks encryption and doesn’t require authentication. As such, devices running Modbus should be placed behind a firewall or VPN.
To assess the extent of this risk, we conducted a scan for internet-facing Modbus devices. We identified 179 suspected industrial control devices responding on port 502, the default port used by the Modbus protocol.
One ICS device we identified was part of a national railway network. Railways use ICS devices to help with everything from train routing to signalling. The exposure of such devices could present a serious operational and safety risk.
Two other devices (one in Asia and one in Europe) formed part of their respective countries’ national power grid infrastructure. In the energy supply sector, ICS devices can be used to monitor consumption and control electrical distribution.
Which country had the most exposed ICS devices?
The United States had the most (57) exposed industrial control devices, followed by Sweden (22) and Turkey (19).
Which ICS manufacturers had the most exposed devices?
The majority of devices (128) only exposed their firmware versions and/or internal IDs without including a vendor string. This is to be expected from custom controllers or embedded modules.
A total of 54 devices did advertise their manufacturer (though not always their model information). Schneider devices were most prevalent (22 instances), followed by Data Electronics (14 instances) and ABB Stotz-Kontakt (6 instances).
Exposed devices included:
- Schneider TM221CE40T logic controller: used to automate industrial processes by monitoring inputs (like sensors) and controlling outputs (such as motors, relays, and actuators).
- Fastwel CPM713 logic controller: manages distributed input/output modules across large-scale industrial networks.
- eGauge Core EG4015 energy meter and data logger: measures electrical energy usage across multiple circuits and logs detailed data, while also acting as a built-in web server so users can view real-time and historical power data locally or remotely.
- Schneider BMXP342020 processor module: used in industrial automation systems. It forms the “brain” of a control system that can read inputs, execute logic, and drive outputs to control equipment.
- A.Eberle PQI-DA-SMART voltage and power logger: enables continuous monitoring and analysis of grid performance, helping detect disturbances early and maintain stable, reliable power in industrial systems and energy networks.
The danger of revealing the make and model of a device is that it allows attackers to find any associated register lists provided by the manufacturer. The register list maps the values found in each of the device’s holding registers to sensor readings. These readings can include temperature, pressure, voltage, current, and flow; control states for switches, motors, or pumps; target values for controllers; and error or status codes.
For example, using the register list for the PowerLogic EM4880, we were able to chart the energy consumption of a live installation.
Even if a device isn’t obviously linked to a particular manufacturer, attackers may make an educated guess as to what its registers relate to, particularly if they monitor how they change over time.
Because Modbus doesn’t require authentication, an attacker could potentially write to, as well as read from, the holding registers. Even minor unauthorized changes could disrupt the system that depends on the device’s readings.
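The lack of authentication means the only place a write to a holding register can be caught is on the wire. As an added example (not part of the original research or its tooling), the following Python decodes Modbus/TCP frames and flags write function codes from hosts that are not on an allow-list of engineering workstations; the sample frames, IP addresses, and allow-list are constructed.

```python
"""Flag Modbus/TCP write requests from unexpected hosts (constructed example)."""
import struct
from dataclasses import dataclass

# Public Modbus function codes that change device state vs. read-only ones
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int   # starting coil/register address from the PDU, -1 if absent
    data: bytes    # rest of the PDU after the address field

def parse_adu(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU that follows it."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length field counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    func = pdu[0]
    if func & 0x80 or len(pdu) < 3:  # exception response or no address field
        return ModbusRequest(tid, unit, func, -1, pdu[1:])
    (addr,) = struct.unpack(">H", pdu[1:3])
    return ModbusRequest(tid, unit, func, addr, pdu[3:])

def flag_writes(frames, allowed_sources):
    """Return one alert per write request whose source is not allow-listed."""
    alerts = []
    for src, frame in frames:
        req = parse_adu(frame)
        if req.function in WRITE_FUNCTIONS and src not in allowed_sources:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[req.function]} "
                          f"at register {req.address} (unit {req.unit_id})")
    return alerts

# Constructed traffic sample: (source IP, raw TCP payload on port 502)
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),    # read regs 0-9
    ("10.0.0.9", bytes.fromhex("000200000006010600280001")),    # write reg 40, allowed
    ("203.0.113.7", bytes.fromhex("000300000006010600280001")), # same write, unknown host
]
ALLOWED = {"10.0.0.9"}  # constructed allow-list of engineering workstations
```

Run `flag_writes(SAMPLE_FRAMES, ALLOWED)` to see only the third frame reported; a read from any host passes silently, which mirrors the point that reads are the lesser risk.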
Where next?
Given that the global industrial automation and control systems (ICS) market is currently valued at USD 226.76 billion and is projected to grow to USD 504.38 billion by 2033, the number of connected industrial devices is rapidly increasing. This expansion presents a significant cybersecurity challenge: every newly networked device introduces potential attack surfaces that must be protected. Without proper safeguards such as firewalls, VPNs, network segmentation, and secure authentication, internet-exposed ICS devices make easy targets.
From an attacker’s perspective, devices running protocols like Modbus (as well as DNP3 or BACnet) are particularly vulnerable because they were designed for closed networks and often lack built-in authentication or encryption. These devices could be exploited by attackers with limited technical expertise if exposed directly to the internet. This is particularly concerning given some ICS devices’ critical role in economic activity and essential infrastructure.
Methodology
We used the Masscan tool to perform an internet-wide scan for anything listening on port 502, which is commonly used by the Modbus protocol. We received 311 responses in total.
To ensure we didn’t include any honeypots – decoy systems used by security researchers to attract attackers – we erred on the side of caution and dismissed any responses from emulation software and cloud-based devices. Where device holding registers were visible and interpretable, we dismissed any with wildly fluctuating readings that were unlikely to mirror real-world outputs. This left us with 179 responses with a high likelihood of coming from real ICS devices.
Researcher: Mantas Sasnauskas