They’re deeply embedded in operational technology (OT) and industrial control systems (ICS) environments — the very systems that keep power plants running, factories producing, pipelines flowing, and buildings comfortable. The convergence of IT and OT means the same ports you monitor in enterprise networks are now talking to HMIs, historians, PLCs, engineering workstations, and network gear with exposed admin interfaces.
What surprises many is how many classic IT protocols sneak into OT networks right alongside the proprietary industrial ones. And yes — most of these legacy OT protocols were never designed with modern security in mind (unauthenticated, unencrypted, you name it).
Here are some of the most common ones you’ll encounter — and should absolutely be securing:
- TCP 22 (SSH): Command-line administrative access over an encrypted channel. Powerful for remote management, but a favorite target if credentials are weak or exposed.
- TCP 80 (HTTP): Web interfaces on SCADA servers, HMIs, PLCs, firewalls — you name it. Still far too common despite the risks.
- TCP 102 (S7): Siemens’ proprietary protocol, everywhere in power, refining, manufacturing. If you see Siemens gear, expect this one.
- UDP 161 (SNMP): Just like in IT: used to poll device stats and health. Useful for monitoring, exploitable if left wide open.
- TCP 443 (HTTPS): The encrypted sibling of HTTP. Increasingly common for secure web access on modern HMIs and controllers — but only if properly configured.
- TCP 502 (Modbus): The king of OT protocols. Unauthenticated, ubiquitous, and found literally everywhere from legacy plants to new builds. Read/write with almost no friction.
- TCP 1433 (MS SQL): The database backbone for historians storing decades of process data. If your historian is on this port without tight controls, it’s a goldmine for attackers.
- TCP 1883 (MQTT): Lightweight machine-to-machine messaging (unencrypted by default). Encrypted variant runs on TCP 8883 — make sure you’re using the secure one.
- TCP 3389 (MS RDP): Remote Desktop to Windows-based HMIs, engineering stations, or servers. Extremely convenient — and extremely dangerous without MFA, jump hosts, or strict allow-lists.
- TCP 4840 (OPC UA): The modern “universal translator” for multivendor interoperability. Better security model than older OPC, but still needs proper certificate management.
- TCP 20000 (DNP3): Classic in electric utilities for SCADA over WANs — talking to RTUs, IEDs, substations. Often seen in energy sector environments.
- TCP 34964 (Profinet): Siemens’ Ethernet-based protocol for real-time, deterministic communication in automation.
- TCP 44818 (EtherNet/IP): Rockwell/Allen-Bradley staple. Built on CIP, very common in discrete manufacturing.
- UDP 47808 (BACnet): Building automation favorite — HVAC, lighting, access control. Prevalent in commercial facilities and campuses.
P.S. Remember: any service can technically run on any port. These are just the defaults you’ll see most often in real-world OT/ICS environments.
The takeaway? Don’t treat OT networks like they’re magically isolated anymore. Scan for these ports, baseline what’s normal, segment ruthlessly, and push for encrypted/authenticated alternatives wherever possible (OPC UA with security, MQTT over TLS, VPN wrappers for RDP/SSH, etc.). The attackers already know these ports exist — it’s time we treat them with the same paranoia we apply to corporate IT.
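As an added example (not from the original post), here is a small Python review of flow records against the port list above: it flags ports not yet in a baseline, plaintext OT protocols that should move to their encrypted sibling or be segmented, and admin ports reached from anywhere but an assumed jump host (10.0.0.5). All hosts, flow lines and the jump-host policy are constructed.

```python
# Added example (not from the post); hosts, flows and jump-host policy are constructed.
OT_PORTS = {  # (proto, port) -> protocol name, as listed in the post
    ("tcp", 22): "SSH", ("tcp", 80): "HTTP", ("tcp", 102): "S7", ("udp", 161): "SNMP",
    ("tcp", 443): "HTTPS", ("tcp", 502): "Modbus", ("tcp", 1433): "MS SQL",
    ("tcp", 1883): "MQTT", ("tcp", 3389): "MS RDP", ("tcp", 4840): "OPC UA",
    ("tcp", 8883): "MQTT/TLS", ("tcp", 20000): "DNP3", ("tcp", 34964): "Profinet",
    ("tcp", 44818): "EtherNet/IP", ("udp", 47808): "BACnet",
}
# Ports whose default channel is encrypted (assumption: OPC UA runs with security on).
ENCRYPTED = {("tcp", 22), ("tcp", 443), ("tcp", 3389), ("tcp", 4840), ("tcp", 8883)}
# Plaintext ports that have an encrypted sibling named in the post.
ALTERNATIVE = {("tcp", 80): 443, ("tcp", 1883): 8883}
# Assumed site policy: admin/database ports reach OT assets only from the jump host.
JUMP_HOST = "10.0.0.5"
ADMIN_PORTS = {("tcp", 22), ("tcp", 3389), ("tcp", 1433)}

def parse_flows(text):
    """Parse constructed 'src dst proto port' lines into (src, dst, proto, port)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, port = line.split()
        flows.append((src, dst, proto.lower(), int(port)))
    return flows

def review(flows, baseline):
    """Check flows against a baseline set of (dst, proto, port); return findings."""
    findings = []
    for src, dst, proto, port in flows:
        key = (proto, port)
        name = OT_PORTS.get(key, "unlisted")
        if (dst, proto, port) not in baseline:          # not seen at the last review
            findings.append(("NEW", f"{dst}:{port}", name))
        if key in OT_PORTS and key not in ENCRYPTED:    # push the encrypted alternative
            alt = ALTERNATIVE.get(key)
            findings.append(("PLAINTEXT", f"{dst}:{port}", name,
                             f"move to {alt}" if alt else "segment/restrict"))
        if key in ADMIN_PORTS and src != JUMP_HOST:     # policy violation
            findings.append(("ADMIN_OFF_JUMP", f"{src}->{dst}:{port}", name))
    return findings
# Constructed sample flows and the baseline accepted at the previous review.
SAMPLE = """
10.0.0.5  10.1.1.20 tcp 22
10.2.2.9  10.1.1.21 tcp 3389
10.1.1.30 10.1.1.40 tcp 1883
10.1.1.30 10.1.1.41 tcp 8883
10.1.1.50 10.1.1.60 tcp 502
"""
BASELINE = {("10.1.1.20", "tcp", 22), ("10.1.1.40", "tcp", 1883),
            ("10.1.1.41", "tcp", 8883), ("10.1.1.60", "tcp", 502)}
```

Calling review(parse_flows(SAMPLE), BASELINE) yields four findings for the sample: the unbaselined RDP session, the same session as an admin connection from outside the jump host, plaintext MQTT that should move to 8883, and Modbus that has no encrypted sibling and must be segmented.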
Stay vigilant out there.
#OTSecurity #ICSSecurity #OTProtocols #NetworkSecurity #IndustrialControlSystems #SCADA #PLC #Cybersecurity