Listen to this Post

Introduction:
In the world of Operational Technology (OT) and Industrial Control Systems (ICS), the assumption that “network ports and protocols are just IT problems” is not only wrong—it is dangerous. Attackers are increasingly targeting industrial environments not through sophisticated zero-day exploits, but through open, unmonitored ports running protocols that were never designed with security in mind. From Human-Machine Interfaces (HMIs) with web interfaces to Programmable Logic Controllers (PLCs) running unauthenticated protocols, the attack surface in OT networks is vast and often overlooked. Understanding these ports is the first line of defense because, as Mike Holcomb aptly puts it, “you can’t protect what you don’t see”.
Learning Objectives:
- Identify and understand the 14 most common OT/ICS ports and protocols targeted by adversaries
- Recognize the inherent security weaknesses in legacy industrial protocols such as Modbus, S7, and DNP3
- Learn practical commands and techniques for scanning, monitoring, and securing OT network assets
- Understand network segmentation strategies and firewall configurations to protect critical infrastructure
You Should Know:
- The OT/ICS Port Cheat Sheet: Know Your Enemy’s Entry Points
Every OT environment has its own unique fingerprint of ports and protocols. However, certain ports appear so frequently across industries that they have become the default checklist for both defenders and attackers. Below is the definitive list of the most common OT/ICS ports every cybersecurity professional must know:
| Port | Protocol | Purpose | Security Risk |
||-|||
| TCP 22 | SSH | Administrative command-line access | Powerful but risky—if credentials are compromised, attackers gain full control |
| TCP 80 | HTTP | Web interfaces on SCADA, HMIs, PLCs, firewalls | Unencrypted—credentials and data transmitted in clear text |
| TCP 102 | S7 | Siemens proprietary OT/ICS protocol | Insufficiently protected authentication—credentials can be intercepted |
| UDP 161 | SNMP | Asset monitoring and data querying | Useful but exploitable—community strings often default or weak |
| TCP 443 | HTTPS | Encrypted web interfaces | More secure than HTTP but misconfigurations are common |
| TCP 502 | Modbus | The most ubiquitous OT protocol—”everywhere” | No native authentication or encryption—attackers can read/write registers freely |
| TCP 1433 | MS SQL | Historical data storage backbone | Decades of sensitive process data—SQL injection and credential theft risks |
| TCP 1883/8883 | MQTT | Machine-to-machine (M2M) communication | Unencrypted by default—encryption only if explicitly configured |
| TCP 3389 | RDP | Remote desktop to Windows assets | Prime target for ransomware and lateral movement |
| TCP 4840 | OPC UA | Universal translator between vendor systems | Should be blocked at external firewalls and only opened for authenticated access |
| TCP 20000 | DNP3 | SCADA remote asset management over WAN | Lacks encryption and authentication—command injection and data spoofing possible |
| TCP 34964 | Profinet | Time-sensitive industrial communication | Real-time protocols are difficult to monitor with traditional tools |
| TCP 44818 | EtherNet/IP | Rockwell Automation / Common Industrial Protocol (CIP) | Widely deployed—attackers can discover and manipulate devices |
| UDP 47808 | BACnet | Building automation (HVAC, lighting, access control) | Often overlooked—building systems connected to OT networks create unexpected attack paths |
Critical Note: Any service or protocol can run on any port. Attackers frequently move services to non-standard ports to evade detection. These default ports are your starting point, not your complete inventory.
- Why These Ports Are So Dangerous: Real-World Attacks
The threat is not theoretical. In early 2024, the FrostyGoop malware disrupted district heating to more than 600 apartment buildings in Lviv, Ukraine, during sub-zero temperatures. FrostyGoop directly abused the Modbus TCP protocol over port 502, sending commands to exposed ENCO controllers after gaining access through a vulnerable internet-facing router and poorly segmented networks. The malware did not rely on complex exploits—it simply “spoke” Modbus like a legitimate system, reading and writing registers to manipulate measurements and control behavior on devices operating without authentication or encryption.
Similarly, attackers linked to the Iranian-aligned Cyber Av3ngers group compromised a Unitronics PLC-HMI at the Municipal Water Authority of Aliquippa in Pennsylvania in late 2023. The attack was alarmingly simple: the device was exposed to the open internet and still used default credentials. Following the incident, CISA issued urgent guidance warning operators about widespread exposure of Unitronics PLCs across water, wastewater, and agriculture sectors.
These incidents are not isolated. Late-2024 research from Censys identified more than 145,000 internet-exposed ICS services across 175 countries. The exposed systems span protocols such as Modbus, IEC 60870-5-104, CODESYS, OPC UA, and BACnet—many designed decades ago for trusted, isolated environments.
3. Hands-On: Scanning for OT/ICS Ports with Nmap
Nmap is an essential tool for any OT security professional. However, scanning industrial networks requires caution—aggressive scans can crash sensitive PLCs. Here are safe and effective commands:
Basic OT Port Scan (TCP Connect Scan – Safest for PLCs):
nmap -Pn -sT -p 22,80,102,443,502,1433,1883,3389,4840,20000,34964,44818,47808 <target_ip>
Siemens S7 PLC Information Gathering:
nmap --script s7-info.nse -p 102 <target_ip>
This script extracts vendor, model, firmware, and other critical details from Siemens PLCs.
Modbus Device Enumeration:
nmap --script modicon-info -p 502 <target_ip>
Comprehensive OT Discovery Scan (Use with Extreme Caution):
nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p 80,102,443,502,4840,20000,34962-34964,44818 <target_subnet>
The `–scan-delay` and `–max-parallelism` options prevent overwhelming fragile OT devices.
- Exploitation in Practice: Modbus and S7 Attack Vectors
Understanding how attackers exploit these protocols is crucial for defense.
Modbus TCP (Port 502) – Python Exploitation Example:
from pymodbus.client import ModbusTcpClient
Connect to the Modbus device
client = ModbusTcpClient('192.168.1.100', port=502)
client.connect()
Read holding registers (address 0, count 10)
result = client.read_holding_registers(0, 10)
print(f"Current values: {result.registers}")
Write to a coil (turn something ON or OFF)
client.write_coil(0, True) Set coil 0 to ON
Write to a holding register (change a setpoint)
client.write_register(100, 75) Set register 100 to 75
client.close()
This simple script demonstrates how easily an attacker can read and write data to a Modbus device without any authentication.
Siemens S7 (Port 102) – Python with python-snap7:
import snap7
Connect to the Siemens PLC
client = snap7.Client()
client.connect('192.168.1.10', 0, 1) IP, rack, slot
Read data from a data block
data = client.db_read(1, 0, 100) Read 100 bytes from DB1
print(f"Raw data: {data}")
client.disconnect()
The S7 protocol has known vulnerabilities where authentication between client and PLC insufficiently protects transmitted passwords, allowing attackers to intercept network traffic and obtain valid PLC credentials.
5. Defense-in-Depth: Securing OT Ports and Protocols
Securing OT environments requires a layered approach:
Network Segmentation (Purdue Model):
The Purdue Enterprise Reference Architecture provides a proven framework for OT network segmentation. The model divides the network into levels:
– Levels 0-3: OT side (physical processes, sensors, real-time control)
– Levels 4-5: Enterprise IT side
Key implementation steps:
- Deploy firewalls between IT and OT networks with strict access control lists
- Create a DMZ for remote access and data historization—engineers and operators should access OT systems via a jump server in the OT DMZ
- Micro-segment the OT network into zones based on criticality and function
- Block port 4840 at external firewalls and open only for authenticated access via VPN
Firewall Rules for OT Protection:
- Allow only explicitly required traffic between zones
- Block all inbound traffic from the internet to OT networks
- Restrict remote access (SSH, RDP) to authorized jump hosts only
- Implement application-layer inspection for industrial protocols where possible
Access Control Best Practices:
- Change all default credentials immediately
- Implement multi-factor authentication for all remote access
- Use VPN tunnels for any remote access into OT environments
- Apply the principle of least privilege—users should only have access to what they need
6. Monitoring and Continuous Improvement
“Most OT cyber incidents don’t start with advanced exploits; they begin with something far simpler: open ports left unmonitored”. Effective monitoring requires:
Asset Discovery and Inventory:
- Maintain a complete inventory of all OT devices and their open ports
- Use tools like `otscan` for automated discovery across subnets via port scanning and protocol-specific queries
- Regularly audit for unauthorized devices and unexpected open ports
Shodan for External Exposure Assessment:
Security professionals should use Shodan to identify their own exposed assets:
– `port:502 tag:ics` — Find Modbus devices
– `port:102 Siemens` — Find Siemens PLCs
– `port:20000 DNP3` — Find DNP3 SCADA systems
– `port:47808 BACnet` — Find building automation systems
Continuous Monitoring:
- Deploy OT-specific intrusion detection systems that understand industrial protocols
- Monitor for anomalous traffic patterns on critical ports
- Log all access attempts to OT devices and review regularly
- Establish baseline behavior for normal operations and alert on deviations
7. Training and Skill Development
The skills gap in OT cybersecurity remains a significant challenge. Fortunately, free resources are available:
- Mike Holcomb’s YouTube channel offers extensive OT/ICS cybersecurity content, including a complete 10+ hour OSINT for ICS/OT course. His newsletter reaches over 8,400 subscribers with practical security insights.
- CISA’s ICS Training provides free courses focused on Industrial Control Systems cybersecurity
- FusionAcademy offers community-driven free online training sessions for ICS security professionals
- Free packet captures and hands-on labs are available for practicing OT security skills
What Undercode Say:
- Awareness is the first firewall. You cannot protect what you do not know exists. Every OT security program must start with a complete inventory of assets, ports, and protocols.
-
Legacy protocols are the weak link. Modbus, DNP3, S7, and BACnet were designed for reliability and interoperability in isolated environments—not security. Assuming obscurity equals safety is a dangerous fallacy.
-
Segmentation is non-1egotiable. The days of flat OT networks are over. Proper network segmentation based on the Purdue Model or similar frameworks is essential to contain breaches and prevent lateral movement.
-
Remote access must be controlled. Every remote access point—whether for vendors, engineers, or operators—is a potential entry point for attackers. VPNs, multi-factor authentication, and jump hosts are mandatory.
-
Continuous monitoring saves systems. Open ports left unmonitored are open doors. Organizations must implement continuous monitoring of OT networks to detect and respond to threats before they cause disruption.
-
The stakes are higher than data. OT security is not about protecting information—it is about keeping the lights on, the water clean, and critical infrastructure operating safely.
-
Education is the force multiplier. Investing in OT cybersecurity training for IT and OT teams bridges the knowledge gap and builds a security culture across the organization.
Prediction:
-P Regulatory pressure will intensify. Expect more stringent cybersecurity requirements for critical infrastructure operators, with specific mandates for port management, network segmentation, and continuous monitoring. CISA’s joint advisories and increasing legislative activity point toward mandatory compliance frameworks.
-P AI-powered OT monitoring will become mainstream. Machine learning models will increasingly be deployed to detect anomalous traffic patterns on OT networks, identifying subtle indicators of compromise that rule-based systems miss.
-1 Legacy protocol vulnerabilities will continue to be exploited. As long as Modbus, DNP3, and S7 remain widely deployed without native security, attackers will continue to abuse them. The FrostyGoop attack is not an anomaly—it is a harbinger.
-P Zero-trust architectures will expand into OT. The traditional perimeter-based security model is insufficient for modern OT environments. Zero-trust principles—verify every access, limit lateral movement, and assume breach—will become standard practice in industrial security.
-P Free OT security training will proliferate. As the skills gap widens, more organizations and individuals will create and distribute free educational content, democratizing access to OT cybersecurity knowledge and building a stronger global defense.
-1 Internet-exposed ICS devices will remain a persistent problem. Despite repeated warnings, organizations continue to expose critical infrastructure to the internet. Until consequences become severe enough to drive change, this attack surface will persist.
-P Convergence of IT and OT security teams will accelerate. The boundaries between IT and OT are blurring. Organizations that integrate their security teams and share threat intelligence will be better positioned to defend against cross-domain attacks.
-P Protocol security enhancements will gain traction. Industry consortia and standards bodies will accelerate efforts to add security features to legacy protocols, including authentication, encryption, and integrity checks for Modbus, DNP3, and other widely deployed industrial protocols.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mikeholcomb Think – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


