Port reference

Port 102 (TCP) – S7comm

Siemens S7 communication over ISO-on-TCP (COTP/TPKT) — controls and programs SIMATIC S7 PLCs.

tcp | Well-known | Commonly attacked

Default state

Open on Siemens S7-300/400/1200/1500 PLCs and CPs, typically with no authentication on the protocol itself.

Common attacks

  • Unauthenticated PLC start/stop commands halting a process
  • Reading and uploading PLC program logic and configuration
  • Writing memory/blocks to manipulate the controlled process
  • Device enumeration of CPU, firmware, and serial via s7-info

Hardening

  • Never expose port 102 to the internet — keep PLCs on an isolated OT network
  • Segment with firewalls/DMZ and use unidirectional gateways where possible
  • Enable S7 access protection and known-list/communication restrictions on newer CPUs
  • Monitor OT traffic with an ICS-aware IDS for anomalous S7 commands

nmap snippet

nmap -p102 --script s7-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 102?

Port 102 carries S7comm, Siemens' proprietary protocol for SIMATIC S7 PLCs, tunneled inside ISO-on-TCP (TPKT/COTP, RFC 1006). Engineering tools like TIA Portal and STEP 7 use it to read and write PLC memory, upload and download program blocks, and start or stop the CPU on S7-300, S7-400, S7-1200, and S7-1500 controllers and their communication processors.

Why it matters for security

Classic S7comm was designed for trusted, isolated networks and has no authentication. Any host that can reach port 102 can read process data, upload the PLC's logic, write new blocks, or issue a stop that halts a physical process. This is the channel Stuxnet abused to reprogram centrifuge controllers, so an exposed S7 PLC is treated as a critical safety and availability risk, not just an IT one.

How it's attacked

Attackers find PLCs with the nmap s7-info script or Shodan, enumerating CPU type, firmware, and serial. From there they issue unauthenticated start/stop commands, dump or modify program logic, and write to memory to manipulate the process. Even without write access, reconnaissance of the controlled plant is valuable for a follow-up attack.

Hardening checklist

Never expose port 102 to the internet — keep PLCs on a dedicated OT network behind firewalls and a DMZ, and use unidirectional gateways for data export. On newer CPUs, enable S7 access protection, communication known-lists, and program block protection. Deploy an ICS-aware IDS to flag anomalous S7 commands, and restrict engineering-station access. Use the nmap snippet above only on PLCs you are authorized to assess.
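The kind of check an ICS-aware IDS applies to port 102 traffic, as an added example (not code from this page or from any Siemens or IDS product): it parses the TPKT/COTP/S7comm headers of one frame, names the job function, and flags jobs from hosts outside an engineering-station allowlist. The function codes are the commonly documented classic S7comm values; `classify`, `triage`, `sample_frame`, the addresses and the frames are constructed for illustration.

```python
import struct

# Classic S7comm job function codes (first parameter byte of a Job PDU).
NAMES = {0xF0: "setup-communication", 0x04: "read-var", 0x05: "write-var",
         0x1A: "request-download", 0x1B: "download-block", 0x1C: "download-ended",
         0x1D: "start-upload", 0x1E: "upload", 0x1F: "end-upload",
         0x28: "pi-service", 0x29: "plc-stop"}
ROUTINE = {0xF0, 0x04}  # session setup and reads; everything else is sensitive

def classify(frame: bytes):
    """Return (function_name, sensitive) for one complete TPKT frame, else None."""
    if len(frame) < 7 or frame[0] != 3:               # TPKT version is always 3
        return None
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        return None                                    # truncated or badly reassembled
    cotp_li, cotp_type = frame[4], frame[5]
    if cotp_type != 0xF0:                              # only COTP DT Data carries S7comm
        return None
    s7 = frame[5 + cotp_li:]                           # LI counts the bytes after itself
    # 0x32 = classic S7comm, 0x01 = Job; bytes 6-7 hold the parameter length
    if len(s7) < 11 or s7[:2] != b"\x32\x01" or s7[6:8] == b"\x00\x00":
        return None
    code = s7[10]
    return NAMES.get(code, f"unknown-0x{code:02x}"), code not in ROUTINE

def triage(events, engineering_stations):
    """Return (src, function, reason) for S7 jobs that need an analyst's attention."""
    alerts = []
    for src, frame in events:
        hit = classify(frame)
        if hit and src not in engineering_stations:
            alerts.append((src, hit[0], "source-not-allowlisted"))
        elif hit and hit[1]:
            alerts.append((src, hit[0], "state-change-review"))
    return alerts

def sample_frame(code: int) -> bytes:
    """Constructed test frame: valid headers, 1-byte parameter, not a usable command."""
    s7 = struct.pack(">BBHHHH", 0x32, 0x01, 0, 1, 1, 0) + bytes([code])
    body = b"\x02\xf0\x80" + s7
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body

# Constructed events using documentation addresses (RFC 5737).
EVENTS = [("192.0.2.10", sample_frame(0x04)), ("192.0.2.10", sample_frame(0x05)),
          ("198.51.100.7", sample_frame(0xF0)), ("198.51.100.7", sample_frame(0x29))]
ALERTS = triage(EVENTS, engineering_stations={"192.0.2.10"})
```

Frames whose protocol id is not 0x32, including S7comm-plus, return `None` here and need their own dissector.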

Frequently asked questions

Does S7comm have authentication?

Classic S7comm has no authentication. Anyone who reaches port 102 can read, write, start, or stop the PLC. Newer S7-1500 CPUs add access levels and S7comm-plus, but legacy deployments remain wide open.

Is port 102 related to Stuxnet?

Yes. Stuxnet targeted Siemens S7 PLCs and manipulated their logic over this S7 communication channel, which is why exposed port 102 is treated as a critical OT risk.