Global Modbus/TCP Probing Campaign Reinforces OT Exposure Risk

Written by Xona | Apr 27, 2026 5:46:09 PM

TLP: CLEAR No restrictions. Share freely. first.org/tlp.

TL;DR: Summary

The threat posture for operational technology environments remains elevated as adversaries continue to identify and interact with exposed industrial systems. Recent reporting from Cato Networks described large-scale reconnaissance and exploitation attempts targeting Modbus-enabled industrial devices exposed over TCP port 502, including automated discovery and register enumeration activity. Separately, CISA and partner agencies warned that Iranian-affiliated actors are targeting internet-exposed PLCs across U.S. critical infrastructure with the intent to cause disruption.

These findings point to a broader issue than any single campaign: too many OT environments still expose critical assets or access pathways in ways that allow external actors to discover, fingerprint, and potentially interact with control systems. In many cases, the risk is not created by a novel exploit. It is created by reachable systems, legacy protocols, weak segmentation, unmanaged remote access, and limited visibility into who can access what.

For operators, the appropriate response is not simply to monitor for this campaign. It is to use the activity as a reason to validate whether PLCs, HMIs, engineering workstations, remote access tools, or vendor pathways remain reachable outside governed access controls. Any direct exposure of OT assets should be treated as a priority risk, even if there is no confirmed compromise.

Organizations should confirm that external access into OT is brokered through controlled gateways, bound to verified identity, limited by policy, monitored at the session level, and auditable for compliance and incident response. Where direct network access, shared credentials, persistent tunnels, or unmanaged vendor connections still exist, those pathways should be reviewed and removed or replaced.

What OT/ICS Leaders Need to Know

Security researchers have observed coordinated activity involving Modbus/TCP probing of internet-exposed industrial systems. Modbus/TCP is commonly associated with industrial control environments and often operates without native authentication or encryption, making direct internet exposure especially concerning.

CISA’s April 2026 joint advisory further reinforces the risk, warning that Iranian-affiliated actors are targeting internet-exposed PLCs and may maliciously interact with project files or manipulate information displayed through HMI and SCADA systems.

For OT leaders, the concern is not simply that adversaries are scanning. The concern is that exposed industrial systems may be discovered, identified, and interacted with before a traditional compromise is detected.

What This Campaign Confirms

The significance of this activity is not limited to the specific Modbus/TCP traffic observed. It confirms that exposed industrial protocols remain easy to discover, easy to fingerprint, and difficult for many organizations to monitor with confidence.

For OT operators, this should be viewed as an exposure validation event. If external systems can reach a PLC or industrial protocol directly, the organization has already ceded too much control over the interaction. The priority is not only to detect probing activity, but to remove the conditions that allow that probing to happen in the first place.

Why This Matters Beyond Modbus

Modbus/TCP is one example of a larger architectural issue. Many OT environments still rely on compensating controls around legacy protocols rather than preventing direct access to those protocols altogether.

That distinction matters. A firewall rule, VPN, or jump host may reduce exposure, but if the resulting session still gives a user or external system network-level reachability to the control environment, the risk has not been removed. It has been moved behind a different control.

The more resilient model is to prevent remote users and external systems from directly communicating with native OT protocols wherever possible. Access should be mediated through controlled sessions that are authenticated, time-bound, monitored, recorded, and limited to the specific operational task.

Top Risks to OT/ICS Environments

  1. Direct interaction with control assets
    When PLCs or industrial protocols are reachable from external networks, adversaries may be able to query, fingerprint, or interact with systems before exploitation occurs.
  2. Exposure of legacy protocols
    Protocols such as Modbus/TCP were not designed for today’s threat environment. When exposed directly, they create risk even without a known vulnerability.
  3. Unmanaged remote access pathways
    Persistent VPNs, vendor tunnels, shared credentials, and emergency access paths can create hidden routes into OT environments.
  4. Limited session visibility
    Network logs alone rarely provide enough detail to understand what a remote user or external system did inside an OT session.
  5. Weak governance and audit readiness
    If teams cannot show who accessed which systems, when, why, and under what controls, the organization faces both security and compliance exposure.

Top Actions Operators Should Take Now

  1. Audit for internet-exposed OT assets
    Confirm whether PLCs, HMIs, engineering workstations, remote access tools, or OT management interfaces are reachable from the internet.
  2. Remove direct inbound access to control systems
    Critical systems should not be directly reachable through open ports, exposed services, or unmanaged access paths.
  3. Centralize and govern remote access
    All external access into OT should pass through a controlled gateway with identity verification, access policy, and session oversight.
  4. Eliminate shared credentials and persistent tunnels
    Replace standing access with time-bound, role-based, least-privilege access.
  5. Monitor and record OT sessions
    Ensure remote activity can be reviewed, investigated, and demonstrated to auditors or incident response teams.
  6. Validate third-party and vendor access
    Review OEM, contractor, integrator, and emergency access pathways. These are often the quiet back doors nobody wants to own.
  7. Prepare rapid revocation procedures
    Operators should be able to quickly disable accounts, terminate sessions, and isolate access gateways if suspicious activity is detected.

Questions OT/ICS Leaders Should Be Asking

Operators should use this activity to pressure-test their current OT access model and validate whether exposure exists beyond known or approved pathways.

  1. Can we prove that no PLCs, HMIs, engineering workstations, or OT management interfaces are directly reachable from the internet?
  2. Do we have a current inventory of all remote access pathways into OT, including vendor, OEM, contractor, and emergency access?
  3. Does remote access grant broad network-level reachability, or is it brokered through controlled, asset-specific sessions?
  4. Are all remote OT sessions authenticated, approved, monitored, recorded, and auditable?
  5. Can we quickly revoke access if a vendor account, credential, or remote access path is suspected of compromise?
  6. Do we have visibility into protocol-level interaction with critical systems, or only network connection logs?
  7. Can we demonstrate these controls to auditors, regulators, insurers, or executive leadership without manual reconstruction?

If the answer to any of these questions is unclear, the organization should treat that uncertainty as a control gap.
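One way to get the protocol-level visibility the monitoring and visibility items above call for, as an added example that is not Xona's tooling: a small Python inspector that parses the Modbus/TCP MBAP header and function code of captured port 502 requests, tells reads, writes, and device-identification requests apart, flags anything that did not arrive via the brokered gateway, and counts distinct reads per source as a register-enumeration signal. The gateway address 10.10.5.2, the external address 198.51.100.7, and the sample frames are constructed for the example.

```python
import struct
# Public Modbus function codes (Modbus Application Protocol Specification).
READ_FC = {1: "Read Coils", 2: "Read Discrete Inputs",
           3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FC = {5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers"}
IDENT_FC = {17: "Report Server ID", 43: "Read Device Identification"}
BROKERED_SOURCES = {"10.10.5.2"}  # assumption: the only gateway allowed to reach the PLC
ENUM_THRESHOLD = 3                # distinct (unit, start address) reads from one source
def parse_request(frame: bytes):
    """Parse the 7-byte MBAP header and function code; returns (unit_id, fc, start_addr)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc = frame[7]
    # Read and write requests carry the starting address in the two bytes after the code.
    start = struct.unpack(">H", frame[8:10])[0] if fc in READ_FC or fc in WRITE_FC else None
    return unit, fc, start

def analyze(captures):
    """captures: iterable of (src_ip, frame). Returns a list of (severity, src, detail)."""
    alerts, reads_seen = [], {}
    for src, frame in captures:
        unit, fc, start = parse_request(frame)
        brokered = src in BROKERED_SOURCES
        sev, what = "medium", f"function code {fc}"
        if fc in WRITE_FC:      # state change on the controller
            sev, what = "critical", f"{WRITE_FC[fc]} unit={unit} addr={start}"
        elif fc in IDENT_FC:    # device fingerprinting
            sev, what = "high", f"{IDENT_FC[fc]} (fingerprinting)"
        elif fc in READ_FC:     # reads; many distinct ones from one source look like enumeration
            what = f"{READ_FC[fc]} unit={unit} addr={start}"
            reads_seen.setdefault(src, set()).add((unit, start))
        # Anything via the brokered gateway is an audit record, not an alert.
        alerts.append(("info" if brokered else sev, src, ("brokered " if brokered else "DIRECT ") + what))
    for src, addrs in reads_seen.items():
        if src not in BROKERED_SOURCES and len(addrs) >= ENUM_THRESHOLD:
            alerts.append(("high", src, f"register enumeration: {len(addrs)} distinct reads"))
    return alerts
# Constructed sample captures: 198.51.100.7 is an external source, 10.10.5.2 the gateway.
SAMPLE = [
    ("198.51.100.7", b"\x00\x01\x00\x00\x00\x05\x01\x2b\x0e\x01\x00"),      # Read Device Id
    ("198.51.100.7", b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # unit 1, regs 0..9
    ("198.51.100.7", b"\x00\x03\x00\x00\x00\x06\x01\x03\x00\x64\x00\x0a"),  # unit 1, regs 100..109
    ("198.51.100.7", b"\x00\x04\x00\x00\x00\x06\x02\x03\x00\x00\x00\x0a"),  # unit 2, regs 0..9
    ("10.10.5.2",    b"\x00\x05\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),  # brokered write
]
```

Calling analyze(SAMPLE) yields one record per request plus a final enumeration alert for the external source; a flow log would show only five connections to port 502.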

Bottom Line

This activity should be treated as another clear signal that internet-exposed OT assets remain a persistent and preventable risk across critical infrastructure environments. The immediate point of reference is Cato Networks’ reporting on Modbus/TCP probing and interaction with exposed industrial systems, alongside CISA’s warning that internet-facing PLCs have been targeted in critical infrastructure environments.

The concern is not only that PLCs are being scanned. The deeper issue is that many industrial environments still allow external systems to discover, identify, and interact with control assets directly. In OT, that level of reachability creates risk well before exploitation occurs.

Operators should use this campaign as a prompt to validate their own exposure, review remote access pathways, and confirm that all external access into OT is brokered, authenticated, monitored, and governed. If an organization cannot clearly answer who can access critical systems, through which paths, and under what controls, then the exposure highlighted in this campaign is directly relevant.

The practical takeaway is straightforward: critical systems should not be reachable through direct network access. Remote access into OT should be identity-based, time-bound, session-controlled, and auditable from end to end.

This is no longer a question of whether adversaries are looking for exposed industrial systems. Public reporting and federal guidance show they are. The question for operators is whether their architecture gives those actors anything to find.

Frequently Asked Questions: Modbus/TCP Risk