Rising Threats to Industrial Control Systems: Exposed Devices Pose Critical Infrastructure Risks
A recent investigation by Cyble Research & Intelligence Labs reveals a sharp increase in vulnerabilities affecting industrial control systems (ICS), with disclosures nearly doubling between 2024 and 2025. The surge is driven by threat actors targeting energy, manufacturing, and utilities infrastructure, particularly through internet-exposed devices running legacy protocols like Modbus a decades-old standard lacking encryption and authentication.
A scan of port 502, the default Modbus port, identified 179 exposed ICS devices worldwide, including critical infrastructure components. Among them:
- A device linked to a national railway network, where ICS manages train routing and signaling.
- Two devices tied to national power grids in Asia and Europe, responsible for monitoring consumption and electrical distribution.
The United States had the highest number of exposed devices (57), followed by Sweden (22) and Turkey (19). While most devices (128) did not disclose vendor details, 54 revealed manufacturer information, with Schneider Electric (22), Data Electronics (14), and ABB Stotz-Kontakt (6) being the most prevalent. Exposed models included:
- Schneider TM221CE40T (industrial automation logic controller)
- Fastwel CPM713 (distributed I/O management)
- eGauge Core EG4015 (energy meter and data logger)
- Schneider BMXP342020 (industrial processor module)
- A.Eberle PQI-DA-SMART (voltage and power logger)
The risk is amplified by Modbus’s lack of authentication, allowing attackers to read and manipulate holding registers critical data points like temperature, voltage, and control states. Even minor unauthorized changes could disrupt operations. Researchers demonstrated this by mapping energy consumption from a live Schneider PowerLogic EM4880 installation using publicly available register lists.
With the global ICS market projected to grow from $226.76 billion to $504.38 billion by 2033, the expansion of connected devices introduces new attack surfaces. Protocols like Modbus, DNP3, and BACnet designed for closed networks remain vulnerable when exposed online, requiring safeguards such as firewalls, VPNs, and network segmentation to mitigate risks. The findings underscore the growing threat to essential infrastructure, where even low-sophistication attackers could exploit unprotected systems.
Source: https://www.comparitech.com/news/critical-infrastructure-at-risk-179-ics-devices-exposed-online/
eGauge Systems - Know Your Power cybersecurity rating report: https://www.rankiteo.com/company/egauge-systems
AbbVie cybersecurity rating report: https://www.rankiteo.com/company/abbvie
"id": "EGAABB1775658772",
"linkid": "egauge-systems, abbvie",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"{'affected_entities': [{'industry': 'Transportation',
'name': 'National railway network',
'type': 'Critical Infrastructure'},
{'industry': 'Energy/Utilities',
'location': ['Asia', 'Europe'],
'name': 'National power grids (Asia and Europe)',
'type': 'Critical Infrastructure'},
{'industry': 'Industrial Automation',
'name': 'Schneider Electric',
'type': 'Manufacturer'},
{'industry': 'Industrial Automation',
'name': 'Data Electronics',
'type': 'Manufacturer'},
{'industry': 'Industrial Automation',
'name': 'ABB Stotz-Kontakt',
'type': 'Manufacturer'}],
'attack_vector': 'Internet-exposed ICS devices (Modbus protocol)',
'data_breach': {'sensitivity_of_data': 'Critical operational data (e.g., '
'temperature, voltage, control '
'states)'},
'description': 'A recent investigation by Cyble Research & Intelligence Labs '
'reveals a sharp increase in vulnerabilities affecting '
'industrial control systems (ICS), with disclosures nearly '
'doubling between 2024 and 2025. The surge is driven by threat '
'actors targeting energy, manufacturing, and utilities '
'infrastructure, particularly through internet-exposed devices '
'running legacy protocols like Modbus, a decades-old standard '
'lacking encryption and authentication. A scan of port 502, '
'the default Modbus port, identified 179 exposed ICS devices '
'worldwide, including critical infrastructure components such '
'as a national railway network and national power grids in '
'Asia and Europe. The risk is amplified by Modbus’s lack of '
'authentication, allowing attackers to read and manipulate '
'holding registers critical to operations.',
'impact': {'operational_impact': 'Potential disruption to train routing, '
'signaling, and electrical distribution',
'systems_affected': 'Industrial control systems (ICS) in energy, '
'manufacturing, and utilities'},
'lessons_learned': 'The expansion of connected ICS devices introduces new '
'attack surfaces. Legacy protocols like Modbus, DNP3, and '
'BACnet designed for closed networks remain vulnerable '
'when exposed online, requiring safeguards such as '
'firewalls, VPNs, and network segmentation.',
'post_incident_analysis': {'corrective_actions': 'Firewalls, VPNs, network '
'segmentation, and enhanced '
'monitoring of ICS devices',
'root_causes': 'Internet-exposed ICS devices '
'running legacy protocols (Modbus) '
'lacking encryption and '
'authentication'},
'recommendations': 'Implement firewalls, VPNs, and network segmentation to '
'mitigate risks. Monitor and secure internet-exposed ICS '
'devices running legacy protocols.',
'references': [{'source': 'Cyble Research & Intelligence Labs'}],
'response': {'network_segmentation': 'Recommended',
'remediation_measures': 'Firewalls, VPNs, and network '
'segmentation'},
'title': 'Rising Threats to Industrial Control Systems: Exposed Devices Pose '
'Critical Infrastructure Risks',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'Lack of encryption and authentication in Modbus '
'protocol'}