Common ICS/SCADA/PLC Ports
Exposed To The Internet
Common ICS/SCADA/PLC Ports
Exposed To The Internet
Common ICS/SCADA/PLC Ports
Exposed To The Internet
State of OT Security Report
This is a compact, evidence-driven State of OT Security Report from Shieldworkz that exposes the prevalence and risk of ICS/SCADA/PLC ports reachable from the public internet. Drawing on Shieldworkz large-scale application-layer scans and validated discovery methodology, the report quantifies global exposure, explains why insecure-by-design OT protocols (Modbus, S7, BACnet, etc.) are a major operational risk, and - most importantly for OT/ICS teams - delivers prioritized, standards-aligned mitigations and an actionable remediation roadmap. The conclusions and recommended controls in this package are derived from Shieldworkz research and validation exercises.
Why this report matters to you
Thousands of industrial control systems that should be isolated are discoverable from the public internet - often without asset owners’ knowledge. Exposed ICS/SCADA/PLC ports create direct risk to production and safety: data breaches, operational shutdowns, DDoS, device manipulation, extended maintenance windows, third-party litigation and manipulated privileges. Shieldworkz scans engaged over 9,000 ICS devices within minutes during a real-world discovery project, showing how rapidly threat actors can find and target poorly segmented OT infrastructure. If your plant or estate relies on remote maintenance, vendor portals or cloud connectors, this report shows the immediate actions that materially reduce your attack surface.
What’s inside the analysis
Summary of Shieldworkz discovery methodology - application-layer scanning, honeypot elimination, multi-stage validation and blindfold testing.
Global exposure snapshot - country-level protocol exposure (Modbus, S7, BACnet, IEC-104, EtherNet/IP, OPC UA and others) with first-scan vs final-validation comparisons.
Honeypot detection and filtering approach - why a material portion of discovered ports are likely honeypots and how Shieldworkz isolates genuine targets.
Risk inventory - operational, legal and safety impacts from internet-reachable OT assets.
Observations & trends - which countries increased exposure, which closed gaps, and why Modbus remains the universal problem.
Standards mapping - how findings align with ISA/IEC-62443, NIST SP 800-82, NERC CIP and NIS2 requirements.
Prioritized recommendations - protocol-aware DPI controls, segmentation (Zones & Conduits), secure gateways, backup protections, continuous OT monitoring, and IR playbooks.
Key takeaways from the report
Internet-reachable OT ports are widespread and dangerous. Many devices run default configurations or known-vulnerable stacks and are visible in internet scans.
Modbus, FOX and BACnet dominate exposure. These legacy protocols lack built-in security and are frequently the largest source of internet-exposed ports.
Exposure is dynamic - some nations improve while others worsen. The USA showed a major reduction between scans, while several other countries saw increases.
Honeypots distort naive metrics; application-layer validation matters. Eliminating suspected honeypots produces a more accurate picture of real exposure.
Standards-based controls work. Implementing IEC-62443 zones & conduits, DMZs and protocol-aware gateways materially reduces risk if applied correctly.
Practical protections you can deploy
Remove direct internet exposure (immediate). Conduct an external attack-surface sweep; remove public IPs on controllers and place devices behind firewalls/proxies.
Segment with Zones & Conduits (IEC-62443). Group assets by criticality and control communications with DMZs and ACLs to prevent easy IT→OT pivots.
Deploy protocol-aware DPI firewalls or secure gateways. Translate legacy protocols to encrypted channels, block unauthorized function codes and deny write commands from untrusted sources.
Disable unused ports and harden device configs. Remove default credentials and unnecessary services on controllers, HMIs and engineering workstations.
Protect backups and recovery paths. Maintain immutable offline backups and test restores from isolated instances regularly.
Continuous OT monitoring & anomaly detection. Baseline “normal” traffic, detect protocol abuses, and alert on anomalous port activity and unexpected application-layer handshakes.
Develop OT-specific IR playbooks and exercise them. Tabletop and dry-run exercises must include engineering, operations and compliance teams to meet regulatory timelines.
Who should download
CISOs, OT/ICS security architects, plant managers, SOC leaders, control engineers, vendor-risk teams, procurement owners, compliance/legal staff and executive risk committees in manufacturing, energy, utilities, critical infrastructure and large estates.
Why you should download the full analysis now
This Shieldworkz report is a timely evidence pack: it quantifies the scale of internet-exposed OT risk, explains the detection methodology and provides a prioritized, standards-aligned remediation roadmap. With attackers scanning the internet continuously, the time to remove direct exposure and harden protocol gateways is now - failure to act leaves production, safety and reputation at risk.
Get the report & schedule a briefing
Download the Shieldworkz State of OT Security Report - Common ICS/SCADA/PLC Ports Exposed to the Internet. The package includes the full research PDF, methodology appendix, country exposure dashboards and a prioritized remediation checklist.
Request a 30-minute briefing with a Shieldworkz OT/ICS expert to review your estate exposure and receive a tailored 30/90-day hardening roadmap. Fill the form to access the file and request a 30-minute briefing with a Shieldworkz OT/ICS expert.
Download your copy today!
State of OT Security Report
This is a compact, evidence-driven State of OT Security Report from Shieldworkz that exposes the prevalence and risk of ICS/SCADA/PLC ports reachable from the public internet. Drawing on Shieldworkz large-scale application-layer scans and validated discovery methodology, the report quantifies global exposure, explains why insecure-by-design OT protocols (Modbus, S7, BACnet, etc.) are a major operational risk, and - most importantly for OT/ICS teams - delivers prioritized, standards-aligned mitigations and an actionable remediation roadmap. The conclusions and recommended controls in this package are derived from Shieldworkz research and validation exercises.
Why this report matters to you
Thousands of industrial control systems that should be isolated are discoverable from the public internet - often without asset owners’ knowledge. Exposed ICS/SCADA/PLC ports create direct risk to production and safety: data breaches, operational shutdowns, DDoS, device manipulation, extended maintenance windows, third-party litigation and manipulated privileges. Shieldworkz scans engaged over 9,000 ICS devices within minutes during a real-world discovery project, showing how rapidly threat actors can find and target poorly segmented OT infrastructure. If your plant or estate relies on remote maintenance, vendor portals or cloud connectors, this report shows the immediate actions that materially reduce your attack surface.
What’s inside the analysis
Summary of Shieldworkz discovery methodology - application-layer scanning, honeypot elimination, multi-stage validation and blindfold testing.
Global exposure snapshot - country-level protocol exposure (Modbus, S7, BACnet, IEC-104, EtherNet/IP, OPC UA and others) with first-scan vs final-validation comparisons.
Honeypot detection and filtering approach - why a material portion of discovered ports are likely honeypots and how Shieldworkz isolates genuine targets.
Risk inventory - operational, legal and safety impacts from internet-reachable OT assets.
Observations & trends - which countries increased exposure, which closed gaps, and why Modbus remains the universal problem.
Standards mapping - how findings align with ISA/IEC-62443, NIST SP 800-82, NERC CIP and NIS2 requirements.
Prioritized recommendations - protocol-aware DPI controls, segmentation (Zones & Conduits), secure gateways, backup protections, continuous OT monitoring, and IR playbooks.
Key takeaways from the report
Internet-reachable OT ports are widespread and dangerous. Many devices run default configurations or known-vulnerable stacks and are visible in internet scans.
Modbus, FOX and BACnet dominate exposure. These legacy protocols lack built-in security and are frequently the largest source of internet-exposed ports.
Exposure is dynamic - some nations improve while others worsen. The USA showed a major reduction between scans, while several other countries saw increases.
Honeypots distort naive metrics; application-layer validation matters. Eliminating suspected honeypots produces a more accurate picture of real exposure.
Standards-based controls work. Implementing IEC-62443 zones & conduits, DMZs and protocol-aware gateways materially reduces risk if applied correctly.
Practical protections you can deploy
Remove direct internet exposure (immediate). Conduct an external attack-surface sweep; remove public IPs on controllers and place devices behind firewalls/proxies.
Segment with Zones & Conduits (IEC-62443). Group assets by criticality and control communications with DMZs and ACLs to prevent easy IT→OT pivots.
Deploy protocol-aware DPI firewalls or secure gateways. Translate legacy protocols to encrypted channels, block unauthorized function codes and deny write commands from untrusted sources.
Disable unused ports and harden device configs. Remove default credentials and unnecessary services on controllers, HMIs and engineering workstations.
Protect backups and recovery paths. Maintain immutable offline backups and test restores from isolated instances regularly.
Continuous OT monitoring & anomaly detection. Baseline “normal” traffic, detect protocol abuses, and alert on anomalous port activity and unexpected application-layer handshakes.
Develop OT-specific IR playbooks and exercise them. Tabletop and dry-run exercises must include engineering, operations and compliance teams to meet regulatory timelines.
Who should download
CISOs, OT/ICS security architects, plant managers, SOC leaders, control engineers, vendor-risk teams, procurement owners, compliance/legal staff and executive risk committees in manufacturing, energy, utilities, critical infrastructure and large estates.
Why you should download the full analysis now
This Shieldworkz report is a timely evidence pack: it quantifies the scale of internet-exposed OT risk, explains the detection methodology and provides a prioritized, standards-aligned remediation roadmap. With attackers scanning the internet continuously, the time to remove direct exposure and harden protocol gateways is now - failure to act leaves production, safety and reputation at risk.
Get the report & schedule a briefing
Download the Shieldworkz State of OT Security Report - Common ICS/SCADA/PLC Ports Exposed to the Internet. The package includes the full research PDF, methodology appendix, country exposure dashboards and a prioritized remediation checklist.
Request a 30-minute briefing with a Shieldworkz OT/ICS expert to review your estate exposure and receive a tailored 30/90-day hardening roadmap. Fill the form to access the file and request a 30-minute briefing with a Shieldworkz OT/ICS expert.
Download your copy today!
State of OT Security Report
This is a compact, evidence-driven State of OT Security Report from Shieldworkz that exposes the prevalence and risk of ICS/SCADA/PLC ports reachable from the public internet. Drawing on Shieldworkz large-scale application-layer scans and validated discovery methodology, the report quantifies global exposure, explains why insecure-by-design OT protocols (Modbus, S7, BACnet, etc.) are a major operational risk, and - most importantly for OT/ICS teams - delivers prioritized, standards-aligned mitigations and an actionable remediation roadmap. The conclusions and recommended controls in this package are derived from Shieldworkz research and validation exercises.
Why this report matters to you
Thousands of industrial control systems that should be isolated are discoverable from the public internet - often without asset owners’ knowledge. Exposed ICS/SCADA/PLC ports create direct risk to production and safety: data breaches, operational shutdowns, DDoS, device manipulation, extended maintenance windows, third-party litigation and manipulated privileges. Shieldworkz scans engaged over 9,000 ICS devices within minutes during a real-world discovery project, showing how rapidly threat actors can find and target poorly segmented OT infrastructure. If your plant or estate relies on remote maintenance, vendor portals or cloud connectors, this report shows the immediate actions that materially reduce your attack surface.
What’s inside the analysis
Summary of Shieldworkz discovery methodology - application-layer scanning, honeypot elimination, multi-stage validation and blindfold testing.
Global exposure snapshot - country-level protocol exposure (Modbus, S7, BACnet, IEC-104, EtherNet/IP, OPC UA and others) with first-scan vs final-validation comparisons.
Honeypot detection and filtering approach - why a material portion of discovered ports are likely honeypots and how Shieldworkz isolates genuine targets.
Risk inventory - operational, legal and safety impacts from internet-reachable OT assets.
Observations & trends - which countries increased exposure, which closed gaps, and why Modbus remains the universal problem.
Standards mapping - how findings align with ISA/IEC-62443, NIST SP 800-82, NERC CIP and NIS2 requirements.
Prioritized recommendations - protocol-aware DPI controls, segmentation (Zones & Conduits), secure gateways, backup protections, continuous OT monitoring, and IR playbooks.
Key takeaways from the report
Internet-reachable OT ports are widespread and dangerous. Many devices run default configurations or known-vulnerable stacks and are visible in internet scans.
Modbus, FOX and BACnet dominate exposure. These legacy protocols lack built-in security and are frequently the largest source of internet-exposed ports.
Exposure is dynamic - some nations improve while others worsen. The USA showed a major reduction between scans, while several other countries saw increases.
Honeypots distort naive metrics; application-layer validation matters. Eliminating suspected honeypots produces a more accurate picture of real exposure.
Standards-based controls work. Implementing IEC-62443 zones & conduits, DMZs and protocol-aware gateways materially reduces risk if applied correctly.
Practical protections you can deploy
Remove direct internet exposure (immediate). Conduct an external attack-surface sweep; remove public IPs on controllers and place devices behind firewalls/proxies.
Segment with Zones & Conduits (IEC-62443). Group assets by criticality and control communications with DMZs and ACLs to prevent easy IT→OT pivots.
Deploy protocol-aware DPI firewalls or secure gateways. Translate legacy protocols to encrypted channels, block unauthorized function codes and deny write commands from untrusted sources.
Disable unused ports and harden device configs. Remove default credentials and unnecessary services on controllers, HMIs and engineering workstations.
Protect backups and recovery paths. Maintain immutable offline backups and test restores from isolated instances regularly.
Continuous OT monitoring & anomaly detection. Baseline “normal” traffic, detect protocol abuses, and alert on anomalous port activity and unexpected application-layer handshakes.
Develop OT-specific IR playbooks and exercise them. Tabletop and dry-run exercises must include engineering, operations and compliance teams to meet regulatory timelines.
Who should download
CISOs, OT/ICS security architects, plant managers, SOC leaders, control engineers, vendor-risk teams, procurement owners, compliance/legal staff and executive risk committees in manufacturing, energy, utilities, critical infrastructure and large estates.
Why you should download the full analysis now
This Shieldworkz report is a timely evidence pack: it quantifies the scale of internet-exposed OT risk, explains the detection methodology and provides a prioritized, standards-aligned remediation roadmap. With attackers scanning the internet continuously, the time to remove direct exposure and harden protocol gateways is now - failure to act leaves production, safety and reputation at risk.
Get the report & schedule a briefing
Download the Shieldworkz State of OT Security Report - Common ICS/SCADA/PLC Ports Exposed to the Internet. The package includes the full research PDF, methodology appendix, country exposure dashboards and a prioritized remediation checklist.
Request a 30-minute briefing with a Shieldworkz OT/ICS expert to review your estate exposure and receive a tailored 30/90-day hardening roadmap. Fill the form to access the file and request a 30-minute briefing with a Shieldworkz OT/ICS expert.
Download your copy today!
