As the European security situation grows ever bleaker and industrial systems continue to converge with traditional IT networks, the importance of testing communication protocols like Modbus TCP/IP has never been greater. Modbus remains one of the most widely used industrial protocols for SCADA and PLC communication – and, unfortunately, it was never designed with security in mind.

We’re now able to offer remote Modbus TCP/IP penetration testing – simulating either an attacker with internal access (such as a compromised workstation, misconfigured VPN, or malicious/compromised insider) or an external threat actor who’s able to reach exposed assets over the internet.

Why Modbus Needs Attention

Modbus TCP/IP is a lightweight protocol, originally intended for local, trusted environments. It lacks encryption, authentication, or any form of access control by default – meaning any device that can reach the network interface can often issue commands, read process data, or change setpoints with zero resistance.

In many cases, devices speaking Modbus are:

  • Directly internet-facing – due to legacy decisions, poor firewalling, or remote access requirements.
  • Segmented poorly – living on flat internal networks alongside user workstations or even guest Wi-Fi.
  • Misconfigured – running with default settings or insufficient monitoring.
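As an added illustration of the lack of authentication described above (example code written for this article, not iSTORM's tooling): a small Python parser for the Modbus/TCP MBAP header that flags write function codes from hosts outside an assumed allow-list. The device itself will accept any well-formed request, so this is the kind of check a firewall or IDS has to make on the network instead; the allow-list and the sample frames are constructed for the example.

```python
import struct

# Function codes that change controller state (coils / holding registers).
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allow-list of hosts permitted to write to the PLC (an assumption;
# the protocol itself cannot enforce anything like this).
AUTHORISED_WRITERS = {"10.10.1.5"}


def parse_mbap(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and function code of one Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": transaction_id, "unit": unit_id, "fc": frame[7], "data": frame[8:]}


def flag_unauthorised_writes(frames):
    """Return an alert for every write request sent by a host outside the allow-list.

    The PLC would act on these regardless, which is why segmentation and
    filtering are the controls that actually matter for Modbus.
    """
    alerts = []
    for src, frame in frames:
        pdu = parse_mbap(frame)
        name = WRITE_FUNCTION_CODES.get(pdu["fc"])
        if name and src not in AUTHORISED_WRITERS:
            address = struct.unpack(">H", pdu["data"][:2])[0]  # target coil/register
            alerts.append(f"{src} -> unit {pdu['unit']}: {name} (FC {pdu['fc']}) at address {address}")
    return alerts


# Constructed sample traffic: one read and one write from the engineering
# workstation, then a setpoint write from a host that should never write.
SAMPLE_FRAMES = [
    ("10.10.1.5", bytes.fromhex("000100000006" "01" "03" "0000" "000A")),      # FC 3 read
    ("10.10.1.5", bytes.fromhex("000200000006" "01" "06" "0010" "0BB8")),      # authorised write
    ("192.168.50.23", bytes.fromhex("000300000006" "01" "06" "0010" "1388")),  # rogue write
]

if __name__ == "__main__":
    for alert in flag_unauthorised_writes(SAMPLE_FRAMES):
        print(alert)
```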

What We’re Offering

Using both industry-standard and custom-built toolsets, we’re now able to perform realistic testing of your Modbus TCP/IP deployments. This includes:

  • Reconnaissance of exposed Modbus assets (via known Shodan fingerprints and/or non-intrusive scanning)
  • Safe interrogation of function codes and data structures
  • Access control bypass and unauthenticated command injection testing
  • Replay attack simulation (where applicable and where permission has specifically been granted)
  • Recommendations for segmentation, filtering, and protocol hardening, as well as ideas on how exposed Modbus endpoints could be replaced with equivalents that utilise modern encryption and authentication mechanisms

All tests are conducted with safety and operational impact in mind – this isn’t about crashing your PLCs; it’s about demonstrating what a real attacker could achieve and how you can prevent it.

Why it matters now

Whether you’re looking to support ISO 27001/IEC 62443 compliance, just want to stay ahead of regulators and attackers alike, or are concerned by the recent rise in cyber-attacks on industrial assets, this kind of testing is a critical step in improving OT cyber-resilience. With ransomware groups increasingly targeting ICS environments and automated scripts and tooling now capable of probing for protocol-specific vulnerabilities, waiting and hoping for the best is no longer a viable option!

If you operate Modbus TCP/IP assets – internally or externally exposed – we’d be happy to work with you to understand the risks and help you address them – before someone else does!

Get in touch today at info@istormsolutions.co.uk or call the team on 01789 608708

Author: Maff Bowers, Senior Pentesting Consultant, iSTORM®
