New research from Comparitech underscores how exposed ICS (industrial control systems) continue to present a tangible risk to critical infrastructure, with 179 internet-facing ICS devices identified globally through scans of Modbus, a widely used but inherently insecure protocol. These devices, which communicate over port 502, are embedded in sectors such as power grids, manufacturing, and transportation, and their exposure reflects a broader shift toward connectivity without corresponding security controls.
“Malware affecting industrial control systems (ICS) has the potential to disrupt the key industries that underpin modern society,” Justin Schamotta, a researcher at Comparitech, wrote in a Wednesday post. “Variants such as Industroyer, Stuxnet, Havex, Triton, and BlackEnergy have demonstrated the ability to interfere with industrial processes, disrupt power supplies, and, in some cases, cause physical damage to critical infrastructure.”
The findings highlight the real-world implications of this exposure. Among the identified systems were devices linked to a national railway network and others tied to power grid infrastructure in both Asia and Europe, where ICS play a central role in monitoring and controlling operations. Such visibility raises operational and safety concerns, as these systems underpin essential services and, if manipulated, could disrupt physical processes or critical service delivery.
At the core of the risk is the continued reliance on legacy protocols like Modbus, which lack encryption and authentication, leaving exposed devices accessible even to low-skilled attackers. Comparitech’s research emphasizes that these systems were designed for isolated environments, not today’s internet-facing architectures, making them particularly vulnerable when directly exposed. Without safeguards such as firewalls or VPNs, these devices become easy entry points into critical infrastructure environments, amplifying both cyber and physical risk.
Schamotta said the U.S. had the highest number of exposed industrial control devices at 57, followed by Sweden with 22 and Turkey with 19.
“One ICS device we identified as being part of a national railway network. Railways use ICS devices to help with everything from train routing to signalling. The exposure of such devices could present a serious operational and safety risk,” he added. “Two other devices (one in Asia and one in Europe) formed part of their respective country’s national power grid infrastructure. In the energy supply sector, ICS devices can be used to monitor consumption and control electrical distribution.”
Comparitech identified that the majority of devices, 128 in total, exposed only their firmware versions and/or internal IDs without including a vendor string. This is typical of custom controllers or embedded modules. A total of 54 devices advertised their manufacturer, though not always their model information. Schneider devices were the most prevalent with 22 instances, followed by Data Electronics with 14 and ABB Stotz-Kontakt with six.
Exposed devices included a Schneider TM221CE40T logic controller, which automates industrial processes by monitoring inputs such as sensors and controlling outputs like motors, relays, and actuators. A Fastwel CPM713 logic controller was also identified, designed to manage distributed input and output modules across large-scale industrial networks.
Among the exposed systems was the eGauge Core EG4015 energy meter and data logger, which measures electrical usage across multiple circuits, logs detailed data, and functions as a built-in web server for viewing real-time and historical power data locally or remotely. Researchers also found a Schneider BMXP342020 processor module, which serves as the core of an industrial control system by reading inputs, executing logic, and driving outputs to control equipment.
Additionally, an A.Eberle PQI-DA-SMART voltage and power logger was identified, enabling continuous monitoring and analysis of grid performance to detect disturbances early and maintain stable, reliable power across industrial systems and energy networks.
Schamotta noted that the danger of revealing the make and model of a device is that it allows attackers to find any associated register lists provided by the manufacturer. “The register list maps the values found in each of the device’s holding registers to sensor readings. These readings can include temperature, pressure, voltage, current, flow; control states for switches, motors or pumps, target values for controllers; and error or status codes.”
Given that the global industrial automation and control systems market is currently valued at $226.76 billion and projected to grow to $504.38 billion by 2033, the number of connected industrial devices is rapidly increasing.
However, Schamotta recognizes that this expansion presents a significant cybersecurity challenge: every newly networked device introduces potential attack surfaces that must be protected. “Without proper safeguards such as firewalls, VPNs, network segmentation, and secure authentication, internet-exposed ICS devices make easy targets.”
From an attacker’s perspective, devices running protocols like Modbus (as well as DNP3 and BACnet) are particularly vulnerable because they were designed for closed networks and often lack built-in authentication or encryption. These devices could be exploited by attackers with limited technical expertise if exposed directly to the internet. This is particularly concerning given some ICS devices’ critical role in economic activity and essential infrastructure.
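Because Modbus itself carries no authentication, the controls the article keeps returning to (firewalls, segmentation, knowing which hosts may talk to which controllers) have to be enforced at the network layer. The following is an added example, not code from Comparitech or the quoted research, of a minimal Modbus/TCP request classifier of the kind a passive monitor on port 502 would run: it parses the MBAP header and function code, flags any request arriving from outside the assumed OT network (the "exposed" case), and flags write and device-identification requests from hosts not on an assumed engineering allowlist. The OT subnet, host addresses and sample frames are all constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Modbus function codes grouped by what they let a client do to the device.
READ_FCS = {0x01, 0x02, 0x03, 0x04}         # read coils, inputs, registers
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10, 0x17}  # change coils or holding registers
RECON_FCS = {0x08, 0x2B}                    # Diagnostics, Read Device Identification
@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Split a Modbus/TCP ADU into its 7-byte MBAP header and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:                   # protocol identifier is always 0 for Modbus
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:     # length counts the unit id plus the PDU
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def classify(src_ip: str, frame: bytes, ot_networks, engineering_hosts) -> str:
    """Return 'ok' or an alert string for one request observed on TCP/502."""
    req = parse_modbus_tcp(frame)
    fc, unit = req.function_code, req.unit_id
    if not any(ipaddress.ip_address(src_ip) in net for net in ot_networks):
        return f"ALERT exposed: fc=0x{fc:02X} to unit {unit} from {src_ip}"
    if src_ip in engineering_hosts:  # assumed trusted engineering workstation
        return "ok"
    if fc in WRITE_FCS:
        return f"ALERT write: fc=0x{fc:02X} to unit {unit} from unlisted {src_ip}"
    if fc in RECON_FCS:
        return f"ALERT recon: fc=0x{fc:02X} to unit {unit} from unlisted {src_ip}"
    return "ok" if fc in READ_FCS else f"ALERT unknown: fc=0x{fc:02X} from {src_ip}"

# Constructed sample requests (hex), not captured from any real device.
SAMPLES = [
    ("10.0.5.30", "000100000006010300000002"),     # Read Holding Registers 0-1 from an HMI
    ("10.0.5.99", "000200000006010600101234"),     # Write Single Register 16 := 0x1234
    ("10.0.5.99", "000300000005012b0e0100"),       # Read Device Identification (MEI 0x0E)
    ("198.51.100.7", "000400000006010300000002"),  # same read, from outside the OT network
]

def run(ot_networks=(ipaddress.ip_network("10.0.5.0/24"),), engineering_hosts=frozenset({"10.0.5.20"})):
    """Classify every constructed sample; the result list is what a monitor would emit."""
    return [classify(ip, bytes.fromhex(hx), ot_networks, engineering_hosts) for ip, hx in SAMPLES]
```

Calling `run()` yields one verdict per sample: the HMI read passes, the write and device-identification requests from the unlisted host raise alerts, and the read from 198.51.100.7 is flagged as coming from outside the OT network regardless of function code.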
About a fortnight back, Team Cymru published new research examining three case studies that reveal the extent of exposed ICS and OT devices known to be targeted by hostile nation-state actors. The findings underscore a critical concern: many of these systems remain directly exposed and vulnerable to exploitation. The research highlights that critical infrastructure remains exposed to cyber risk and shows how data can help organizations detect vulnerabilities, reduce threats, and prevent attackers from establishing a foothold or launching disruptive attacks.