Kwame Zaire is a seasoned manufacturing expert and thought leader who has spent years at the intersection of production management and industrial electronics. With a deep focus on predictive maintenance, quality assurance, and operational safety, he provides a unique perspective on how digital vulnerabilities translate into physical risks within a factory or utility setting. His expertise in the inner workings of industrial control systems (ICS) makes him an essential voice in the ongoing conversation about protecting the backbone of modern infrastructure.
In this interview, we explore the alarming rise in ICS vulnerability disclosures and the specific technical weaknesses of legacy protocols like Modbus. We discuss the tangible dangers posed by internet-exposed devices in national power grids and railway networks, the risks associated with manufacturer-specific register lists, and how the massive growth of the automation market requires a fundamental shift in network security.
Vulnerability disclosures for industrial systems have nearly doubled recently. What specific factors are driving this surge in exploitation by threat actors, and how are they prioritizing energy and manufacturing utilities over other sectors?
The surge is a direct result of the converging worlds of Information Technology and Operational Technology, which has effectively opened a digital door into what were once isolated mechanical environments. Between 2024 and 2025, we saw these disclosures nearly double because threat actors have realized that compromising a single energy or manufacturing hub provides much higher leverage than attacking standard office networks. These sectors are being prioritized because they are the “crown jewels” of national stability; a disruption here doesn’t just lose data, it stops the flow of electricity or halts a production line, creating immediate economic and social pressure. We are seeing a more calculated approach where attackers specifically hunt for these utilities because their legacy hardware was never designed to withstand the scrutiny of modern, internet-based exploitation.
Modbus remains a standard protocol for sensors and controllers despite lacking native encryption or authentication. What are the primary technical hurdles when retrofitting these legacy protocols with modern security, and what specific configuration errors typically leave port 502 exposed to the public internet?
The biggest technical hurdle is that Modbus was born decades ago for closed, “air-gapped” networks where trust was assumed, so the protocol itself lacks the computational overhead to handle modern encryption or handshakes. When we try to retrofit these systems, we often run into hardware limitations where the original controllers simply don’t have the processing power to manage a VPN or encrypted tunnel natively. Regarding configuration, the most common and dangerous error is the “set it and forget it” mentality where a technician opens port 502 to allow for remote maintenance or data collection without placing it behind a firewall. During our recent scans, we identified 179 devices responding on this port, many of which were likely exposed because of a simple lack of awareness regarding how visible that port is to the global internet.
Industrial devices are increasingly integrated into national railway networks and power grids for signaling and distribution. If an attacker gains access to these systems, what is the step-by-step progression from initial discovery to causing physical disruptions or safety hazards in public transport?
The progression is chillingly methodical, starting with the discovery of an exposed device, like the one we found integrated into a national railway network. An attacker begins by “sniffing” the traffic to understand the rhythms of the system, identifying which Modbus registers correspond to specific physical actions like signal switching or track routing. Once they have mapped these registers, they move from passive observation to active manipulation, sending unauthorized commands to overwrite holding registers. In a railway context, this could involve changing a signal from red to green at the wrong time, or in a power grid, it could mean tripping a circuit breaker to cause a localized blackout. The final stage is the actual physical disruption, where these digital commands manifest as mechanical failures or safety hazards that can endanger lives and destroy multi-million dollar equipment.
When hardware from manufacturers like Schneider or Fastwel exposes firmware versions and register lists, how does this information facilitate unauthorized manipulation? Beyond reading data like temperature or pressure, how could an attacker use these registers to overwrite critical control states or target values?
Revealing the manufacturer and firmware, such as on a Schneider TM221 or a Fastwel CPM713, is like handing a burglar the blueprints and the key codes to a vault. It allows an attacker to download the specific register list provided by the manufacturer, which acts as a literal map of the device’s internal “brain.” They can see exactly which register controls the temperature setpoint of a cooling system or the open/close status of a high-voltage relay. Beyond just reading the data—which is dangerous enough for industrial espionage—an attacker can use the lack of authentication to write new values into those registers. They could, for instance, tell a motor to spin at a frequency that causes it to vibrate apart, or change a pressure threshold so that a safety valve fails to open, turning a standard industrial process into a catastrophic event.
The industrial automation market is projected to exceed $500 billion by 2033, significantly expanding the global attack surface. How should organizations prioritize network segmentation and VPN deployment during this rapid expansion, and what metrics best measure the effectiveness of these defensive layers?
With the market expected to more than double from its current $226.76 billion valuation, the “attack surface” is expanding faster than most security teams can keep up with. Organizations must prioritize network segmentation immediately, ensuring that a compromise in a front-office email system cannot migrate to the PLC controlling the factory floor. Every single device, especially those using vulnerable protocols like Modbus, DNP3, or BACnet, must be hidden behind a robust VPN and a strictly configured firewall that denies all traffic by default. To measure effectiveness, companies should track the “visibility score” of their assets—specifically, how many of their internal IDs or port 502 instances show up on public-facing scans. If a third-party scan can see your Schneider processor module or your eGauge energy meter, your defensive layers have already failed, and you are essentially inviting an intrusion.
What is your forecast for industrial control system security?
My forecast is that we are entering a “trial by fire” period where the rapid adoption of IIoT will outpace our ability to secure it, leading to more frequent and visible disruptions of public utilities. We will likely see a mandatory shift toward “Secure-by-Design” mandates, where manufacturers are forced to move away from unauthenticated protocols like standard Modbus in favor of versions that include native TLS or similar protections. However, until that transition is complete, the burden falls entirely on the operators to treat every sensor and controller as a potential entry point for a nation-state actor or a sophisticated extortionist. The next decade will be defined by how quickly we can wrap our legacy infrastructure in a modern protective shell, or if we will continue to find hundreds of critical devices exposed to anyone with a laptop and a basic port scanner.
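Added example by the editor, not part of the interview or the interviewee's work: the unauthorized writes to holding registers and coils described in the railway answer, and the deny-by-default firewall stance from the segmentation answer, recast as detection logic a defender could run over captured port 502 traffic. It parses the Modbus/TCP MBAP header and PDU prefix and flags any write function code sent by a host that is not an allow-listed engineering station; the source IPs, frames and allow-list below are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
# Modbus function codes that change controller state (from the public spec).
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    src_ip: str
    unit_id: int
    function: int
    address: Optional[int]   # first coil/register touched by a write, else None
    quantity: Optional[int]

def parse_request(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU prefix of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:           # length field covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc, address, quantity = pdu[0], None, None
    if fc in (0x05, 0x06) and len(pdu) >= 5:     # single coil / register
        address, quantity = struct.unpack(">H", pdu[1:3])[0], 1
    elif fc in (0x0F, 0x10) and len(pdu) >= 6:   # multiple coils / registers
        address, quantity = struct.unpack(">HH", pdu[1:5])
    return ModbusRequest(src_ip, unit, fc, address, quantity)

def audit_writes(traffic: List[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Deny-by-default: flag every write function not sent by an allow-listed station."""
    alerts = []
    for src_ip, frame in traffic:
        req = parse_request(src_ip, frame)
        if req.function in WRITE_FUNCTIONS and req.src_ip not in allowed_writers:
            alerts.append(f"{req.src_ip} -> unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]}"
                          f" at address {req.address} (qty {req.quantity}) from non-allow-listed host")
    return alerts
# Constructed sample traffic, not real captures: (source IP, raw Modbus/TCP frame).
SAMPLE_TRAFFIC = [
    ("10.0.5.20",   bytes.fromhex("00010000000601030000000A")),            # read 10 holding regs
    ("10.0.5.20",   bytes.fromhex("000200000006010600280064")),            # write reg 40 := 100
    ("203.0.113.7", bytes.fromhex("00030000000B0110002800020400010002")),  # write regs 40..41
    ("203.0.113.7", bytes.fromhex("00040000000601050003FF00")),            # force coil 3 ON
]
ENGINEERING_STATIONS = {"10.0.5.20"}   # assumed: the only host permitted to write
```

Run `audit_writes(SAMPLE_TRAFFIC, ENGINEERING_STATIONS)` to get one alert per write from the non-allow-listed host; the same check applied to a passive tap on the OT segment is one way to turn the "visibility score" idea into a per-packet control.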
