Port 502 (TCP) – Modbus TCP

Modbus over TCP/IP — reads and writes coils and registers on PLCs, RTUs, and industrial I/O.

Transport: TCP · Well-known port · Commonly attacked

Default state

Open on PLCs, RTUs, and gateways speaking Modbus TCP, with no authentication or encryption on the protocol.

Common attacks

  • Unauthorized reads of coils, registers, and process state
  • Unauthorized writes flipping coils or registers to control equipment
  • Device and function-code enumeration via modbus-discover
  • Denial of service by forcing outputs or flooding the device

Hardening

  • Never expose port 502 to the internet — isolate Modbus on an OT segment
  • Segment with firewalls/DMZ and restrict to authorized SCADA hosts
  • Use a Modbus-aware gateway or proxy that enforces read-only where possible
  • Monitor with an ICS IDS for unexpected write function codes

nmap snippet

nmap -p502 --script modbus-discover <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 502?

Port 502 hosts Modbus TCP, the IP encapsulation of the venerable Modbus serial protocol. A master (SCADA, HMI, or engineering tool) issues function codes to a slave — a PLC, RTU, or I/O gateway — to read and write coils (bits) and registers (words) that represent sensors, setpoints, and actuator commands across factories, utilities, and building systems.

Why it matters for security

Modbus was created in 1979 for trusted serial links and has no authentication, no encryption, and no integrity checking. When it runs over TCP and is reachable, anyone who connects to port 502 can read the entire process image and write coils and registers — turning pumps and breakers on or off, changing setpoints, or driving outputs to unsafe values. There is no concept of a privileged client, so exposure equals control.

How it's attacked

Attackers locate devices with the nmap modbus-discover script or Shodan, then enumerate unit IDs and supported function codes. With write codes available, they flip coils and registers to manipulate the process or force a denial of service. Because reads are unauthenticated, even passive attackers gather detailed intelligence on the plant.

Hardening checklist

Never expose port 502 to the internet. Keep Modbus devices on an isolated OT segment behind firewalls and a DMZ, and allowlist only authorized SCADA masters. Where feasible, front devices with a Modbus-aware gateway that enforces read-only or filters dangerous function codes, and deploy an ICS IDS to alert on unexpected writes. Use the nmap snippet above only on systems you are authorized to test.
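The monitoring step above (alerting on unexpected write function codes from hosts that are not allowlisted SCADA masters) can be implemented directly against the Modbus TCP wire format. The following is an added example, not code from the page or from any ICS IDS product; it parses the 7-byte MBAP header plus the PDU, and the sample flows, source addresses and the allowlist are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Function codes that modify device state, per the Modbus application
# protocol specification; anything else is treated as a read.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int
    is_write: bool

def parse_request(frame: bytes) -> ModbusRequest:
    """Parse a Modbus TCP request: MBAP header (tid, proto, len, unit) then PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    # Read and write codes listed above all carry a starting address next.
    address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else 0
    return ModbusRequest(tid, unit, fc, address, fc in WRITE_CODES)

def alerts(flows, allowed_masters):
    """Alert on any traffic from a non-allowlisted host and on every write."""
    out = []
    for src, frame in flows:
        req = parse_request(frame)
        name = WRITE_CODES.get(req.function_code) or \
            READ_CODES.get(req.function_code, f"FC {req.function_code}")
        if src not in allowed_masters:
            out.append(f"{src}: unauthorized master sent {name}")
        elif req.is_write:
            out.append(f"{src}: write {name} to unit {req.unit_id} addr {req.address}")
    return out

# Constructed sample flows (source IP, raw frame); not captured traffic.
SAMPLE_FLOWS = [
    ("10.0.10.5", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),     # read 10 holding regs
    ("10.0.10.5", bytes.fromhex("0002 0000 0006 01 05 0001 FF00")),     # write coil 1 ON
    ("198.51.100.7", bytes.fromhex("0003 0000 0006 01 01 0000 0010")),  # read from outsider
]
```

Running `alerts(SAMPLE_FLOWS, {"10.0.10.5"})` yields one alert for the allowed master's coil write and one for the non-allowlisted host, while the allowed read is silent.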

Frequently asked questions

Does Modbus TCP have authentication?
No. Modbus has no authentication or encryption. Any host that reaches port 502 can read and write coils and registers, giving direct control over the connected equipment.

Can Modbus be made secure?
The protocol itself cannot be authenticated, so security relies on network controls: strict segmentation, firewalls, allowlisting SCADA masters, and ICS-aware monitoring. Modbus/TCP Security (TLS) exists but is rarely deployed.