Over 14,000 PLCs Targeted: Fixing Modbus Exposure

05.11.2026 08:11 AM - By Brian S. Pauls
"Cybersecurity for manufacturing: A modern plant floor with glowing blue digital shields wrapping around industrial machinery to represent cybersecurity protection." Brian S. Pauls, 2026. Photo-realistic digital image created using Midjourney

Growth-minded manufacturing leaders rely on technology to streamline operations and stay competitive. But when critical industrial control systems connect to the public internet, they can expose your business to significant risks. Recently, a massive wave of suspicious activity targeted industrial systems worldwide, proving that digital adversaries actively seek out vulnerable equipment.

Between September and November 2025, Cato Networks researchers uncovered a global surge in Modbus/TCP activity against internet-exposed Programmable Logic Controllers (PLCs). This campaign spanned 70 countries and touched over 14,000 distinct IP addresses. For mid-market manufacturers without a full-time CTO, managing these technical vulnerabilities can feel overwhelming.

However, protecting your infrastructure does not require a massive IT budget. By understanding how these attacks work and implementing scalable, cost-effective solutions, you can confidently secure your operations. Let’s examine what this exposure means for your business and the exact steps you should take this quarter.

Understanding the Attack Modalities

This recent campaign pointed to systematic probing rather than random, isolated incidents. The attackers used several methods to explore and manipulate industrial environments:

  • Reconnaissance at scale: Attackers heavily used a function called “Read Holding Registers” to scan thousands of exposed PLCs and extract basic configuration data.
  • Device fingerprinting: Threat actors queried devices for specific identifying details, like the vendor and product version, allowing them to execute targeted data pulls later.
  • Disruption attempts: Some systems faced bulk-read flooding. Bad actors issued near-maximum read requests to overwhelm the PLC’s processing capacity, effectively trying to exhaust its resources.
  • Systematic write attempts: The most severe activity involved attackers writing new commands directly to the registers. This allowed them to alter the physical behavior of the machinery.

Why Modbus Remains Vulnerable

Modbus is a widely used communication protocol in industrial control systems. Engineers originally designed it for trusted, isolated networks, not the public internet. Because it lacks built-in encryption and authentication, anyone who can reach a Modbus device online can interact with it.

When you expose a Modbus-enabled PLC to the outside world, threat actors can often achieve greater access to your equipment with alarming speed. They might then shift from probing your device to actively manipulating the processes that run your facility.

Impact and Geographic Spread

This campaign did not discriminate, but it did show clear geographical and industry preferences. The United States bore the brunt of the activity, accounting for 36% of the targeted IPs. France and Japan followed closely behind.

More importantly for business owners, manufacturing emerged as the most targeted sector, absorbing 18% of the attacks. Healthcare, construction, and government municipalities also saw significant activity. This concentration reinforces the reality that operational technology (OT) in manufacturing plants is a prime target for disruption.

Practical Steps for Mid-Market Manufacturers

You do not need an expensive in-house IT team to secure your plant floor. Here are practical, immediate actions you can take to protect your business:

Identify and Secure Exposed PLCs

Work with your technology partner to scan your network for any PLCs directly connected to the internet. If you find exposed devices, remove their public access immediately.

Enforce Strict Segmentation

Isolate your operational technology from your standard IT network and the public internet. Setting up a dedicated, segmented network ensures that a vulnerability in your office email system does not grant an attacker access to your factory floor.

Implement Continuous Monitoring

Adopt budget-friendly, scalable monitoring tools that alert you to suspicious network activity. Establishing strict access controls allows only explicitly trusted sources to communicate with your industrial equipment.
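As an added example (not code from the original article or from Cato Networks), here is a minimal monitoring check that sorts Modbus/TCP requests into the four activity types listed under "Understanding the Attack Modalities" and flags any source outside an allowlist. The function codes come from the public Modbus specification; the trusted range, the 120-register "near-maximum" threshold, the helper names, and the sample frames are assumptions constructed for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Assumption: only this engineering subnet may talk Modbus to the PLC.
TRUSTED = [ip_network("10.20.0.0/24")]
BULK_THRESHOLD = 120  # assumption: "near-maximum" (spec limit is 125 per read)

def mbap(tid, unit, pdu):
    """Build a Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def classify(src_ip, frame):
    """Return a list of labels for one Modbus/TCP request."""
    labels = []
    if not any(ip_address(src_ip) in net for net in TRUSTED):
        labels.append("untrusted-source")
    if len(frame) < 8:
        return labels + ["malformed"]
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or length != len(pdu) + 1:  # length covers unit id + PDU
        return labels + ["malformed"]
    fc = pdu[0]
    if fc == 0x03 and len(pdu) == 5:          # Read Holding Registers
        _addr, qty = struct.unpack(">HH", pdu[1:5])
        labels.append("bulk-read" if qty >= BULK_THRESHOLD else "register-read")
    elif fc == 0x2B and len(pdu) >= 2 and pdu[1] == 0x0E:  # Read Device Identification
        labels.append("device-fingerprint")
    elif fc in (0x06, 0x10):                  # Write Single / Multiple Registers
        labels.append("register-write")
    else:
        labels.append("other")
    return labels

def alerts(events):
    """Keep everything except an ordinary read from a trusted source."""
    scored = [(src, classify(src, frm)) for src, frm in events]
    return [(src, lab) for src, lab in scored if lab != ["register-read"]]

# Constructed sample traffic (documentation address 203.0.113.7 is the outsider).
SAMPLES = [
    ("10.20.0.5",   mbap(1, 1, bytes.fromhex("030000000a"))),  # read 10 registers
    ("203.0.113.7", mbap(2, 1, bytes.fromhex("030000000a"))),  # same read, outsider
    ("203.0.113.7", mbap(3, 1, bytes.fromhex("2b0e0100"))),    # device identification
    ("203.0.113.7", mbap(4, 1, bytes.fromhex("030000007d"))),  # read 125 registers
    ("203.0.113.7", mbap(5, 1, bytes.fromhex("06000100ff"))),  # write one register
]

if __name__ == "__main__":
    for src, labels in alerts(SAMPLES):
        print(src, labels)
```

Note that nothing in the frame carries a credential, which is why the source-address allowlist is the only identity check the example can make.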

Secure Your Growth Strategy

Exposing your Modbus devices to the internet creates unnecessary operational risk. Fortunately, you can close these security gaps quickly and cost-effectively. By taking action today, you protect your assets, ensure uninterrupted production, and maintain your competitive advantage. Partnering with experienced virtual CTO services can help you navigate these tech challenges, empowering your business to grow safely and securely.

Brian S. Pauls

Founder & vCTO Cloudessy

Brian S. Pauls, Founder and CTO of Cloudessy, brings 30+ years of IT leadership to cybersecurity for manufacturing and logistics. He helps protect production lines and guides companies through tech shifts to stay efficient, secure, and future-ready.