Industrial Controllers Still Vulnerable As Conflicts Move to Cyber
Dark Reading
Robert Lemos,Contributing Writer
April 10, 2026
4 Min Read
As the US government warns energy companies, water utilities, and industrial firms that state-sponsored adversaries are targeting Internet-connected operational technology, researchers have found a small number of older industrial control systems allow direct access without requiring authentication.
A scan of the Internet for operational technology (OT) using the Modbus protocol found at least 179 devices that allow unauthenticated access, according to researchers at technology-evaluation firm Comparitech. While representing a relatively small number of devices, the dozens of public-facing systems are likely being targeted by cyberthreat actors, experts say.
While the most common attacks on industrial systems continue to focus on compromising IT systems and then pivoting to operational technology (OT), the direct targeting of Internet-exposed assets remains a significant issue, says Jeff Macre, principal OT security solutions architect at Darktrace, an AI cybersecurity platform.
"Internet-facing control system components, insecure remote access pathways, default credentials, and poorly protected boundary devices continue to create direct routes into industrial environments," he says. "IT-to-OT pivoting remains the dominant path in many incidents, but direct exposure is still one of the clearest and most avoidable sources of OT risk."
The US government warned on April 7 that Iran-linked cyberattackers are targeting programmable logic controllers (PLCs), OT devices that automate specific functions in a variety of critical industrial systems, such as those in water and wastewater treatment plants and energy generation facilities. In December 2025, a cyberattack compromised Poland's decentralized wind- and solar-energy infrastructure, but failed to — or did not intend to — cut power to civilians. Multiple analysts connected the attack to Russia-aligned actors.
All the major players in current conflicts — Iran, Israel, Russia, Ukraine, and the US — have also targeted IP cameras as a way to gain intelligence on targeted locations, from the daily habits of Iranian leadership to the level of impact of missile strikes.
'Serious Physical Consequences'
Nation-state attackers targeting critical infrastructure have a landscape ripe for exploitation. In its research, Comparitech used the open source tool Masscan to flag 311 possible open Modbus devices, and excluded systems that showed signs of being a honeypot. The remaining 179 devices exposed the Modbus protocol on the default port 502 without requiring authentication.
Mantas Sasnauskas, head of security research at Comparitech, stresses that the research likely found a conservative number of systems, and far more insecure and Internet-exposed ICS devices would be found if the scan focused on a wider variety of protocols.
"These aren't 179 exposed Web servers — they're industrial controllers with no authentication that anyone on the Internet can read from and potentially write to," he says. "We identified devices tied to a national railway and two national power grids. A single compromised device in those environments can have serious physical consequences."
While cyberattackers most often infect IT devices and then pivot to OT devices, groups have started directly targeting OT as well, says Liz Martin, senior director of threat hunting at Dragos, a provider of OT cybersecurity services.
"The direct targeting of exposed industrial devices is no longer theoretical; it's happening with enough precision to suggest pre-operational intent to impact OT," she says.
Ceasefire? The Danger Remains
Organizations should not link their security response to geopolitical events or risks, especially with threats to industrial control systems, says Austin Warnick, director of the national security intelligence team at Flashpoint, a cyberthreat intelligence provider. While nation-state actors are the current primary driver targeting programmable logic controllers in critical sectors such as water and energy, opportunistic groups will often attack those targets irrespective of the relations between nations, he says.
"Recent intelligence indicates that the distinction between state actors and opportunistic proxies is increasingly blurred, creating a two-tiered threat landscape," Warnick says. "These proxies often treat ceasefires as mere technicalities, maintaining or even escalating their 'cyber jihad' against private-sector infrastructure to exert political pressure when kinetic options are restricted."
Companies should be scanning their own systems — both internally and externally — to find their vulnerable devices. Fewer than 10% of OT networks globally have visibility and monitoring in place, leaving most operators with a fundamental visibility gap, according to Dragos. A lack of visibility hampered detection in nearly half of architecture reviews (46%) and the vast majority of tabletop exercises (88%), while nearly a third of incident response cases (30%) began with an unexplained operational issue rather than a detected anomaly, according to Dragos's "2026 OT Cybersecurity Year in Review" report.
External scans only find what is visible and fail to capture devices behind NAT devices and firewalls, or those behind cellular-connected OT assets, which often are not protected by perimeter defenses, Dragos's Martin says.
"Internet-wide scans measure exposure at the perimeter, but the most persistent and consequential gaps are internal: Poor segmentation, weak credentials on privileged accounts, limited OT telemetry, and absence of ICS-aware monitoring," she says. "Those conditions don't show up in [an external scan], but they're what adversaries are exploiting once they're past the front door."
About the Author
Robert Lemos
Contributing Writer
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.