14,000 cyber attacks in three months: Why is the 1970s protocol still a big risk for the industry?

Today’s industry relies on technology from the 1970s, which, due to a lack of encryption, has become an easy target for hackers around the world. The latest data from Cato Networks shows that the outdated Modbus protocol allows attackers to freely infiltrate machine controllers, posing a real threat to production continuity and critical infrastructure.


The security of modern factories and power plants still relies on technology from almost half a century ago, which is becoming a growing concern for global business. The latest report from experts at Cato Networks warns of a wave of cyber attacks targeting industrial controllers (PLCs). Hackers are taking advantage of the fact that the widely used Modbus protocol was developed in the 1970s and has no security features – for someone who knows how to use it, taking control of a networked machine is worryingly easy today.

Modbus, a communication protocol developed in 1979, is in the spotlight. At the time of its creation, no one assumed that industrial controllers (PLCs) would ever be connected to the public Internet. Modbus was designed with trusted, isolated internal networks in mind. As a result, it was completely devoid of the mechanisms we recognise as elementary today: encryption and authentication. This openness, once an advantage to facilitate system integration, has become an invitation to hackers.

The scale of the problem is illustrated by data collected by a team led by Dr Guy Waizel and Jacob Osmani. Over just three months in autumn 2025, they identified coordinated activity targeting PLCs, involving more than 14,000 attacked IP addresses in 70 countries. These are not isolated incidents, but a systematic mapping of global industry vulnerabilities.

The attackers’ strategy is multi-layered and precise. Most of the identified interactions – more than 235,000 requests – involved so-called data extraction. The hackers do not immediately try to destroy machines; instead, they quietly read the contents of registers, learning about process parameters and device configuration. The next step is to ‘fingerprint’ the hardware. By knowing the manufacturer and software version, criminals can match specific security vulnerabilities to a particular machine.

What starts as innocent information gathering can quickly turn into a catastrophic scenario. To understand the real risks, Cato Networks experts ran a simulation on the Wildcat-Dam project. They demonstrated that, with just a laptop and access to the unsecured Modbus protocol, they were able to take control of the digital logic of the dam. By manipulating register values, the researchers caused an artificial flood, overriding security limits and remotely opening the dam’s gates.
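To make the three kinds of activity described above (register reads, hardware fingerprinting, register writes) concrete from a monitoring point of view, here is an added Python example, not taken from the Cato Networks report or the original article, that parses Modbus/TCP requests and triages them by source. The sample frames, the IP addresses and the idea of a `trusted_sources` allowlist are constructed assumptions for illustration.

```python
import struct
from collections import Counter

# Standard Modbus function codes, grouped by the activity the article describes.
READS = {0x01: "read coils", 0x02: "read discrete inputs",
         0x03: "read holding registers", 0x04: "read input registers"}
WRITES = {0x05: "write single coil", 0x06: "write single register",
          0x0F: "write multiple coils", 0x10: "write multiple registers"}

def classify_request(frame: bytes) -> dict:
    """Parse one Modbus/TCP request into unit, category and start address."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    # MBAP header: transaction id, protocol id, length, unit id. Nothing in
    # the frame carries a credential, session token or integrity check.
    _txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    func, data = frame[7], frame[8:]
    category, name = "other", f"function 0x{func:02x}"
    if func in READS:
        category, name = "read", READS[func]
    elif func in WRITES:
        category, name = "write", WRITES[func]
    elif func == 0x11 or (func == 0x2B and data[:1] == b"\x0e"):
        category, name = "fingerprint", "device identification"
    address = None  # read and write requests both begin with a 16-bit address
    if category in ("read", "write") and len(data) >= 2:
        address = struct.unpack(">H", data[:2])[0]
    return {"unit": unit, "category": category, "function": name, "address": address}

def triage(events, trusted_sources):
    """Count request categories per untrusted source and flag every write."""
    counts, alerts = Counter(), []
    for src, frame in events:
        if src in trusted_sources:  # assumed allowlist of engineering stations
            continue
        info = classify_request(frame)
        counts[(src, info["category"])] += 1
        if info["category"] == "write":
            alerts.append((src, info["function"], info["address"]))
    return counts, alerts

# Constructed sample traffic (documentation address ranges, not real captures).
SAMPLE = [("203.0.113.7", bytes.fromhex("00010000000601030000000a")),
          ("203.0.113.7", bytes.fromhex("000200000005012b0e0100")),
          ("203.0.113.7", bytes.fromhex("00030000000601060010ffff")),
          ("10.0.0.5", bytes.fromhex("00010000000601030000000a"))]
```

Because the protocol itself cannot tell an operator from a stranger, the only distinction available to the monitor is where the request came from, which is why the source allowlist carries all the weight here.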

The geography of the attacks coincides with the map of global industrial powers. The United States, France and Japan have been the main targets, together accounting for 61 per cent of incidents. It is also worrying that attackers are not confined to one industry. Although the manufacturing sector is the most common victim, traces of intrusion have been found in healthcare facilities, construction and even urban infrastructure management systems. What emerges is a picture of opportunistic hacking: attackers are looking for any available controller that has been recklessly exposed to the public network.

Technical analysis suggests that some of this activity is coming from infrastructure located in China, although the identity of the actors remains hidden behind intermediary server systems. For business decision-makers, however, the key conclusion is not to identify a specific culprit, but to recognise a structural flaw in their own systems.
