Research Finds 179 Exposed, Vulnerable ICS Devices

They are being used in numerous manufacturing and critical infrastructure systems around the world.

Utility Metamorworks
istock.com/metamorworks

Malware affecting industrial control systems (ICS) has the potential to disrupt the key industries that underpin modern society. Variants such as Industroyer, Stuxnet, Havex, Triton, and BlackEnergy have demonstrated the ability to interfere with industrial processes, disrupt power supplies, and, in some cases, cause physical damage to critical infrastructure.

According to Cyble Research & Intelligence Labs’ most recent report, ICS vulnerability disclosures almost doubled between 2024 and 2025. This increase, says Digital Watch Observatory, is linked in part to “greater exploitation by threat actors” seeking to compromise energy, manufacturing, and utilities infrastructure.

Internet-exposed ICS devices are a primary target, particularly those running legacy protocols such as Modbus. Modbus enables the sensors and controllers used in power grids, factories, and other industrial systems to communicate with each other. The decades-old protocol lacks encryption and doesn’t require authentication. As such, devices running Modbus should be placed behind a firewall or VPN.

To assess the extent of this risk, we conducted a scan for internet-facing Modbus devices. We identified 179 suspected industrial control devices responding on port 502, the default port used by the Modbus protocol. 

One ICS device we identified as being part of a national railway network. Railways use ICS devices to help with everything from train routing to signalling. The exposure of such devices could present a serious operational and safety risk.

Two other devices (one in Asia and one in Europe) formed part of their respective country’s national power grid infrastructure. In the energy supply sector, ICS devices can be used to monitor consumption and control electrical distribution.

The United States had the most (57) exposed industrial control devices, followed by Sweden (22) and Turkey (19).

ICS Manufacturers with the Most Exposed Devices

The majority of devices (128) only exposed their firmware versions and/or internal IDs without including a vendor string. This is to be expected from custom controllers or embedded modules.

A total of 54 devices did advertise their manufacturer (though not always their model information). Exposed devices included:

  • Schneider TM221CE40T logic controller: used to automate industrial processes by monitoring inputs (like sensors) and controlling outputs (such as motors, relays, and actuators).
  • Fastwel CPM713 logic controller: manages distributed input/output modules across large-scale industrial networks.
  • eGauge Core EG4015 energy meter and data logger: measures electrical energy usage across multiple circuits and logs detailed data, while also acting as a built-in web server so users can view real-time and historical power data locally or remotely.
  • Schneider BMXP342020 processor module: used in industrial automation systems. It forms the “brain” of a control system that can read inputs, execute logic, and drive outputs to control equipment.
  • A.Eberle PQI-DA-SMART voltage and power logger: enables continuous monitoring and analysis of grid performance, helping detect disturbances early and maintain stable, reliable power in industrial systems and energy networks.

The danger of revealing the make and model of a device is that it allows attackers to find any associated register lists provided by the manufacturer. The register list maps the values found in each of the device’s holding registers to sensor readings. 

These readings can include temperature, pressure, voltage, current, flow; control states for switches, motors or pumps, target values for controllers; and error or status codes.

For example, using the register list for the PowerLogic EM4880, we were able to chart the energy consumption of a live installation.

Even if a device isn’t obviously linked to a particular manufacturer, attackers may make an educated guess as to what its registers relate to, particularly if they monitor how they change over time. Because Modbus doesn’t require authentication, an attacker could potentially write to, as well as read from, the holding registers. Even minor unauthorized changes could disrupt the system that depends on the device’s readings.

Where Next?

Given that the global industrial automation and control systems (ICS) market is currently valued at $226.76 billion and is projected to grow to $504.38 billion by 2033, the number of connected industrial devices is rapidly increasing. 

This expansion presents a significant cybersecurity challenge: every newly networked device introduces potential attack surfaces that must be protected. Without proper safeguards such as firewalls, VPNs, network segmentation, and secure authentication, internet-exposed ICS devices make easy targets.

From an attacker’s perspective, devices running protocols like Modbus (as well as DNP3, or BACnet) are particularly vulnerable because they were designed for closed networks and often lack built-in authentication or encryption. These devices could be exploited by attackers with limited technical expertise if exposed directly to the internet. 

This is particularly concerning given some ICS devices’ critical role in economic activity and essential infrastructure.

This is a condensed version of this blog, to view the full article on Comparitech's website, click here.

More in Cybersecurity