Vulnerabilities

179 Unauthenticated OT Devices Found Exposed as Nation-States Target Industrial Controllers

April 10, 2026 18:20 · 5 min read
Industrial Control Systems Face Growing Cyber Threats

As the US government issues warnings to energy companies, water utilities, and industrial operators about state-sponsored adversaries actively targeting Internet-connected operational technology (OT), security researchers have uncovered a troubling number of older industrial control systems that permit direct access with no authentication required.

A scan of the Internet specifically looking for OT devices using the Modbus protocol identified at least 179 devices that allow unauthenticated access, according to researchers at technology-evaluation firm Comparitech. Although 179 represents a relatively modest number, experts warn that these public-facing systems are almost certainly already in the crosshairs of cyberthreat actors.

How the Research Was Conducted

Comparitech used the open-source tool Masscan to initially flag 311 potentially open Modbus devices. Researchers then filtered out systems showing signs of being honeypots, leaving 179 devices that exposed the Modbus protocol on the default port 502 without requiring any form of authentication.

Mantas Sasnauskas, head of security research at Comparitech, emphasized that these numbers are likely conservative, noting that a broader scan covering a wider variety of protocols would uncover far more insecure and Internet-exposed industrial control system (ICS) devices.

"These aren't 179 exposed Web servers — they're industrial controllers with no authentication that anyone on the Internet can read from and potentially write to. We identified devices tied to a national railway and two national power grids. A single compromised device in those environments can have serious physical consequences."

Direct OT Targeting: No Longer Just Theoretical

While the most prevalent attack path against industrial systems has historically involved compromising IT infrastructure first and then pivoting into OT environments, security professionals note that direct targeting of Internet-exposed OT assets is escalating.

Jeff Macre, principal OT security solutions architect at Darktrace, an AI cybersecurity platform, explained that multiple attack vectors continue to put industrial environments at risk.

"Internet-facing control system components, insecure remote access pathways, default credentials, and poorly protected boundary devices continue to create direct routes into industrial environments. IT-to-OT pivoting remains the dominant path in many incidents, but direct exposure is still one of the clearest and most avoidable sources of OT risk."

Liz Martin, senior director of threat hunting at Dragos, a provider of OT cybersecurity services, reinforced this assessment.

"The direct targeting of exposed industrial devices is no longer theoretical; it's happening with enough precision to suggest pre-operational intent to impact OT."

Government Warnings and Recent Incidents

On April 7, the US government issued a warning that Iran-linked cyberattackers are actively targeting programmable logic controllers (PLCs) — OT devices that automate specific functions in critical industrial systems such as water and wastewater treatment plants and energy generation facilities.

In December 2025, a cyberattack struck Poland's decentralized wind- and solar-energy infrastructure, though it failed to — or did not intend to — cut power to civilians. Multiple analysts linked that attack to Russia-aligned actors.

Beyond PLCs, all major players in current geopolitical conflicts — Iran, Israel, Russia, Ukraine, and the United States — have also targeted IP cameras as a means of gathering intelligence on specific locations, ranging from monitoring the daily habits of Iranian leadership to assessing the impact of missile strikes.

The Blurred Line Between State Actors and Proxies

Organizations should resist tying their security posture to shifting geopolitical winds, particularly when it comes to threats against industrial control systems, warns Austin Warnick, director of the national security intelligence team at Flashpoint, a cyberthreat intelligence provider. While nation-state actors are currently the primary driver of attacks targeting PLCs in critical sectors like water and energy, opportunistic groups frequently attack the same targets regardless of the diplomatic relations between nations.

"Recent intelligence indicates that the distinction between state actors and opportunistic proxies is increasingly blurred, creating a two-tiered threat landscape. These proxies often treat ceasefires as mere technicalities, maintaining or even escalating their 'cyber jihad' against private-sector infrastructure to exert political pressure when kinetic options are restricted."

A Dangerous Visibility Gap in OT Networks

One of the most significant obstacles to defending industrial environments is a systemic lack of visibility. According to Dragos, fewer than 10% of OT networks globally have visibility and monitoring in place. This visibility gap has tangible consequences:

These figures come from Dragos's "2026 OT Cybersecurity Year in Review" report.

The Limits of External Scanning

Companies are urged to scan their own systems — both internally and from an external perspective — to identify vulnerable devices. However, external scans have inherent limitations. They can only detect what is visible at the network perimeter: they cannot see devices sitting behind NAT devices and firewalls, nor OT assets that connect over cellular links, which often lack perimeter defenses entirely.

Dragos's Martin noted that the most dangerous gaps tend to be internal rather than perimeter-level exposures.

"Internet-wide scans measure exposure at the perimeter, but the most persistent and consequential gaps are internal: Poor segmentation, weak credentials on privileged accounts, limited OT telemetry, and absence of ICS-aware monitoring. Those conditions don't show up in [an external scan], but they're what adversaries are exploiting once they're past the front door."

Recommendations for Industrial Operators

Given the convergence of nation-state threats, opportunistic proxy actors, and persistent device-level vulnerabilities, security professionals recommend that industrial operators take the following steps:

  1. Conduct both internal and external network scans to identify exposed OT devices.
  2. Eliminate unauthenticated access to ICS components wherever possible.
  3. Implement network segmentation to prevent IT-to-OT lateral movement.
  4. Deploy ICS-aware monitoring solutions to close the visibility gap.
  5. Enforce strong credential policies, particularly on privileged OT accounts.
  6. Do not reduce security vigilance in response to perceived geopolitical de-escalation.
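As an added illustration of what "ICS-aware monitoring" (step 4) means for the Modbus exposure described above, here is example code written for this page, not tooling from Comparitech, Dragos or Darktrace: it parses Modbus/TCP frames as a sensor would see them on port 502 and flags reads and writes from hosts outside an assumed engineering allowlist. The trusted address, the sample frames and the hypothetical client IPs are all constructed.

```python
"""Flag Modbus/TCP requests on port 502 by source host and function code (constructed example)."""
import struct

# Function codes that change controller state versus ones that only read it.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # write coil(s)/register(s), mask write, read-write
READ_FUNCTIONS = {1, 2, 3, 4, 7, 17, 20, 24}

def parse_mbap(frame):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU) into (unit_id, function, data)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:            # length field covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7], frame[8:]

def classify(src, function, trusted):
    """Writes from hosts outside the engineering allowlist are critical;
    reads from them are a warning, since the device answers without authentication."""
    if src in trusted:
        return "ok"
    if function in WRITE_FUNCTIONS:
        return "critical"
    return "warning" if function in READ_FUNCTIONS else "unknown-function"

def audit(captures, trusted):
    """Return (src, function, severity, detail) for every request that needs attention."""
    alerts = []
    for src, frame in captures:
        try:
            unit, function, _ = parse_mbap(frame)
        except ValueError as exc:
            alerts.append((src, None, "malformed", str(exc)))
            continue
        severity = classify(src, function, trusted)
        if severity != "ok":
            alerts.append((src, function, severity, f"unit id {unit}"))
    return alerts

# Constructed capture: (client IP, raw TCP payload) sent to a PLC listening on port 502.
TRUSTED = {"10.0.5.20"}                      # hypothetical engineering workstation
CAPTURES = [
    ("10.0.5.20", bytes.fromhex("00010000000601030000000a")),    # FC3 read, trusted host
    ("203.0.113.7", bytes.fromhex("0002000000060106001000ff")),  # FC6 write single register
    ("198.51.100.9", bytes.fromhex("00030000000601030000000a")), # FC3 read, untrusted host
    ("203.0.113.7", bytes.fromhex("00050000000b0110000000020400010002")),  # FC16 write
    ("203.0.113.7", bytes.fromhex("000400000009010300000001")),  # length field mismatch
]
```

Calling `audit(CAPTURES, TRUSTED)` yields two critical write alerts, one warning for the untrusted read, and one malformed-frame alert; in a real deployment the allowlist would come from the asset inventory and the frames from a network tap on the OT segment.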

The combination of aging industrial infrastructure, limited monitoring, and increasingly sophisticated adversaries — whether state-directed or operating as proxies — means that the risk to critical systems remains elevated regardless of the broader geopolitical climate.


Source: Dark Reading