Industrial control computers are considered the backbone of modern supply systems. They regulate water levels, production facilities, energy flows and technical processes that usually remain invisible in everyday life. It is precisely these systems that are now increasingly being targeted. Cato Networks has observed suspicious activity against programmable logic controllers that use the Modbus communication protocol over a period of three months.

The findings are significant from a security-policy standpoint: the attackers combined broad automated scanning with targeted request patterns that indicate device fingerprinting, attempted disruption and possible routes to manipulating process values. In total, Cato identified 14,426 attacked IP addresses in 70 countries. Germany ranks eighth among the most affected countries.

An old protocol meets new threats

Modbus was designed for industrial environments where systems were isolated and largely trusted. The protocol was never intended for a direct connection to the public Internet. This is exactly where the problem lies today: If Modbus-capable control computers are accessible externally, attackers can not only spy on technical processes, but also influence them under certain conditions.

The Cato researchers Dr. Guy Waizel and Jakub Osmani therefore reach a clear conclusion: exposing Modbus to the Internet significantly raises operational risk and the probability of successful attacks on critical infrastructure. The identity of the attackers remains unclear, but some of the activity originated from China.

Dam as an attack scenario

Cato showed how realistic such manipulation is in a proof of concept based on MITRE Wildcat Dam, an open-source simulator of a dam control system. In the scenario, the dam could be controlled from a laptop: the water level was changed and the dam gates were opened.

The example makes it clear why industrial security can no longer be understood only as a question of classic network technology. In operational technology, digital interventions can have physical consequences. A seemingly abstract protocol weakness then becomes a risk for system availability, production security and, in extreme cases, for public supplies.

Manufacturing was particularly hard hit

The attacks are spread across numerous industries. The manufacturing industry is hardest hit at 18 percent. This is plausible because Modbus-capable control computers are used particularly frequently there. This is followed by healthcare, construction, technology, transportation and finance. Public institutions were also observed, especially municipalities.

Geographically, activities are highly concentrated. The ten most affected countries account for 86 percent of the attacked IP addresses. The three leading countries alone, the USA, France and Japan, together account for 61 percent. Regionally, America leads with 48 percent, followed by Europe with 28 percent and Asia with 23 percent.

Segmentation becomes a mandatory task

The most important lesson from the observations is clear: Modbus devices must not be accessible directly from the public Internet. Where such exposure exists, those responsible must quickly identify and isolate the affected systems. This includes consistent segmentation in which operational technology is clearly separated from information technology and the Internet.

Strict access controls are equally important. Modbus communication should only be possible where it is technically necessary and only between authorized systems. In addition, operators need threat prevention, continuous monitoring and mechanisms that detect unusual queries, device fingerprinting (for example read-device-identification requests) and write attempts from unexpected sources early on.
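The following is an added example, not code from Cato Networks or the Wildcat Dam project, of what the monitoring described in the two paragraphs above looks like in practice: it parses Modbus/TCP requests (MBAP header plus PDU), checks the source against an allowlist of authorized masters, and flags device-identification probes (function code 43 with MEI type 14), write function codes that can change physical state, and malformed frames typical of scanners. The allowlist addresses and the traffic sample are constructed for illustration and are not from the report.

```python
"""Minimal Modbus/TCP request classifier for PLC-side monitoring.

Added example (not Cato's or MITRE's code). Assumptions: the PLC should only be
spoken to by the two masters in AUTHORIZED_MASTERS (hypothetical addresses), and
SAMPLE_TRAFFIC is a hand-built set of frames, not a real capture.
"""
import struct
from dataclasses import dataclass

# Hypothetical allowlist: the engineering workstation and the HMI.
AUTHORIZED_MASTERS = {"10.10.1.5", "10.10.1.6"}

READ_FCS = {1, 2, 3, 4}                  # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16, 22, 23}       # single/multiple coil and register writes, mask write, read/write
FC_ENCAPSULATED = 43                     # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E                # vendor/product/revision strings: fingerprinting gold


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request. Raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame ({len(frame) - 6})")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def classify(src_ip: str, frame: bytes) -> tuple[str, str]:
    """Return (severity, reason) for a single request arriving from src_ip."""
    try:
        req = parse_mbap(frame)
    except ValueError as exc:
        return ("medium", f"malformed Modbus frame from {src_ip}: {exc}")
    authorized = src_ip in AUTHORIZED_MASTERS
    fc = req.function_code
    if fc == FC_ENCAPSULATED and req.data[:1] == bytes([MEI_READ_DEVICE_ID]):
        sev = "info" if authorized else "high"
        return (sev, f"device identification probe (FC 43 / MEI 14) from {src_ip}")
    if fc in WRITE_FCS:
        if not authorized:
            return ("critical", f"write FC {fc} to unit {req.unit_id} from unauthorized {src_ip}")
        return ("info", f"write FC {fc} from authorized master {src_ip}")
    if fc in READ_FCS:
        if not authorized:
            return ("high", f"read FC {fc} from unauthorized {src_ip}")
        return ("info", f"read FC {fc} from authorized master {src_ip}")
    return ("medium", f"unexpected FC {fc} from {src_ip}")


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a well-formed Modbus/TCP request (used only to build the sample)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic, not a real capture.
SAMPLE_TRAFFIC = [
    ("10.10.1.5", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),         # HMI reads 10 registers
    ("203.0.113.7", build_request(2, 1, 43, bytes([0x0E, 0x01, 0x00]))),      # external fingerprinting
    ("203.0.113.7", build_request(3, 1, 1, struct.pack(">HH", 0, 8))),        # external coil read
    ("203.0.113.7", build_request(4, 1, 5, struct.pack(">HH", 0, 0xFF00))),   # external "coil 0 ON"
    ("198.51.100.9", b"\x00\x05\x00\x00\x00\x06\x01\x03"),                    # length lies: junk probe
]


def scan(traffic) -> list[tuple[str, str]]:
    """Classify every request; in production this would feed a SIEM or block at a gateway."""
    return [classify(ip, frame) for ip, frame in traffic]


if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_TRAFFIC):
        print(f"[{severity:8}] {reason}")
```

The allowlist is the enforcement counterpart of segmentation: if the PLC can only be reached from the OT segment, an unauthorized source should never appear at all, and any hit from outside that segment is itself the incident. A device-identification probe from an external address is rated high rather than informational because it is the first step of the fingerprinting the report describes; an external write is rated critical because, as the dam scenario shows, it can change physical state.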

The case shows how vulnerable critical infrastructures become when historical industrial protocols are adopted into modern, networked environments without adapting their protection mechanisms. For operators, this means: visibility, segmentation and controlled access are not optional additional measures, but rather the basis for preventing digital attacks on physical processes.

The full blog post (in English) by Dr. Guy Waizel and Jakub Osmani is available here.
