How to Secure Modbus TCP: Best Practices for Modern ICS Networks
Learn essential best practices to secure Modbus TCP in ICS networks, including segmentation, firewalls, VPNs, and ongoing monitoring for enhanced cybersecurity resilience.
Modbus TCP remains one of the most commonly used communication protocols in industrial control systems (ICS). Its simplicity and wide vendor support have made it indispensable — but also highly exposed. Unlike modern IT protocols, Modbus TCP lacks encryption, authentication, and integrity checks.
A single unfiltered packet can read or write directly to a programmable logic controller (PLC), potentially altering the behavior of critical systems.
For industrial operators, the question is not whether Modbus TCP can be replaced — it’s how to secure it effectively in modern, connected networks.
The following best practices outline a layered, practical approach that fits both operational realities and compliance frameworks such as CMMC, IEC 62443, and NIS2.
Modbus TCP operates over TCP port 502, transmitting requests and responses between a client (typically an HMI or SCADA system) and one or more servers (PLCs or RTUs).
There are no built-in mechanisms for:
Authentication (any host can send commands)
Encryption (data and control instructions are transmitted in clear text)
Session validation (no origin verification or replay protection)
In flat industrial networks, any device that can reach port 502 can issue control commands. This simplicity, while ideal for deterministic communication, presents clear cybersecurity and safety challenges.
One of the most effective ways to protect Modbus traffic is to limit network scope. In many industrial environments, OT networks have grown organically, leading to large Layer 2 broadcast domains that include hundreds of devices. Every additional node increases the potential for unauthorized access and monitoring complexity.
Right-sizing networks involves:
Dividing the plant into logical zones based on process function (e.g., production line, utilities, packaging).
Minimizing broadcast domains by breaking large Layer 2 segments into smaller, routed subnets.
Ensuring that devices only communicate with systems necessary for their operation.
Reducing the size of a Modbus network makes both segmentation and monitoring more practical, while improving resilience against misconfigurations or malicious activity.
Segmentation separates critical assets from non-critical ones and restricts how Modbus packets traverse the network.
Virtual LANs (VLANs) are the most common method for isolating traffic.
However, VLANs rely on switch configuration and can still allow cross-communication if routing or trunking is misconfigured.
VLANs should be viewed as organizational, not security, boundaries.
They provide logical grouping but not true isolation.
Modern approaches use software-defined segmentation or overlay networks to create virtual enclaves around Modbus assets. Each enclave enforces access rules — defining which clients can initiate Modbus sessions, which function codes are allowed, and which data blocks can be accessed. Unlike VLANs, these enclaves are not tied to physical topology, making them easier to deploy across distributed sites.
This model aligns with the “zones and conduits” concept from IEC 62443, turning each network interaction into a controlled and monitored event.
A proxy (or gateway) can act as a controlled termination point for Modbus traffic. Instead of connecting HMIs or historians directly to PLCs, all Modbus requests pass through the proxy, which can:
Validate source identity and function codes
Enforce rate limiting and command whitelisting
Log all requests for audit and compliance
Translate or filter commands for non-compliant devices
Centralized policy enforcement: Simplifies management of access rules across multiple PLCs.
Monitoring and anomaly detection: Enables inspection of Modbus payloads for unusual patterns.
Protocol conversion: Can provide encryption or modern authentication upstream while maintaining legacy Modbus communication downstream.
In Zero Trust architectures, these proxies form micro-DMZs around each control zone, preventing unauthorized lateral movement and creating natural audit boundaries.
Firewalls remain essential but must be configured with precision.
Basic rules like “allow port 502 from X to Y” provide minimal protection.
Modern firewall configurations for Modbus networks should include:
Source and destination IP whitelisting
Stateful inspection of TCP sessions
Rate limiting for Modbus traffic bursts
Deep packet inspection (DPI) when supported
Where possible, firewalls should enforce Modbus-specific rules, blocking unused function codes or unexpected payload sizes. Combining context-aware firewalls with segmentation gives both performance and security coverage.
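The policy check a proxy (source identity, function-code allowlist, register-range limits) or a Modbus-aware firewall (unused function codes, unexpected payload sizes) would apply, as an added example that is not part of the original article or any vendor product. It parses the MBAP header and PDU of a raw Modbus TCP request and denies by default; the client addresses, allowed codes and register windows in POLICIES are constructed sample values.

```python
import struct

# Function code -> expected PDU length (function code + data) for fixed-size requests.
FIXED_PDU_LEN = {0x01: 5, 0x02: 5, 0x03: 5, 0x04: 5, 0x05: 5, 0x06: 5}

# Constructed sample policy: client IP -> (allowed function codes, inclusive address window).
# The HMI may only read; the engineering station may also write a small register block.
POLICIES = {
    "10.1.2.10": ({0x03, 0x04}, (0, 199)),
    "10.1.2.20": ({0x03, 0x06, 0x10}, (100, 149)),
}

def parse_frame(frame: bytes):
    """Return (transaction id, unit id, function code, data); raise on a bad MBAP header."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return tid, unit, frame[7], frame[8:]

def check_request(client_ip: str, frame: bytes, policies=POLICIES):
    """Deny-by-default check a proxy or DPI firewall would apply; returns (allowed, reason)."""
    if client_ip not in policies:
        return False, f"unknown client {client_ip}"
    allowed_codes, (low, high) = policies[client_ip]
    try:
        _tid, _unit, fc, data = parse_frame(frame)
    except ValueError as exc:
        return False, f"malformed frame: {exc}"
    if fc not in allowed_codes:
        return False, f"function code 0x{fc:02X} not permitted for {client_ip}"
    if fc in FIXED_PDU_LEN:
        if len(data) + 1 != FIXED_PDU_LEN[fc]:
            return False, f"unexpected payload size for 0x{fc:02X}"
    elif fc == 0x10:  # write multiple registers: start(2) quantity(2) byte_count(1) values
        if len(data) < 5 or data[4] != 2 * struct.unpack(">H", data[2:4])[0] or len(data) != 5 + data[4]:
            return False, "inconsistent write-multiple-registers byte count"
    else:
        return False, f"no payload rule for function code 0x{fc:02X}"
    start, count = struct.unpack(">HH", data[:4])
    if fc in (0x05, 0x06):
        count = 1  # single writes carry a value, not a quantity, in bytes 2-3
    if count == 0 or start < low or start + count - 1 > high:
        return False, f"addresses {start}-{start + count - 1} outside {low}-{high}"
    return True, "ok"
```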
Remote access is one of the most common sources of compromise in ICS environments. Technicians or vendors connecting over VPNs often gain broad network access. A more secure design limits remote sessions to defined enclaves and enforces:
Multi-factor authentication
Time-bound access windows
Session recording for audit
Encryption for all remote Modbus traffic
Using modern identity-based VPNs or overlay connections ensures that remote users only reach the systems they are authorized to manage — not the entire OT network.
Visibility is fundamental to maintaining trust in Modbus networks.
Compliance frameworks like CMMC and IEC 62443 require demonstrable monitoring of both network activity and access control enforcement.
Detect unauthorized Modbus sessions or new masters on the network.
Alert on unusual function code usage, such as write commands during normal production hours.
Track bandwidth changes or scanning activity.
Maintain continuous asset discovery to detect newly added controllers or engineering workstations.
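The first three detection rules above (new masters, writes during production hours, scanning activity) run over proxy or firewall session logs, as an added example that is not part of the original article. The log format, the master addresses, the production-hours window and the scan threshold are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Known Modbus masters (clients) in this zone and the shift window during which
# write commands are not expected (constructed values for the example).
KNOWN_MASTERS = {"10.1.2.10", "10.1.2.20"}
PRODUCTION_HOURS = (6, 22)          # 06:00 <= hour < 22:00
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}
SCAN_THRESHOLD = 5                  # distinct destinations per source per minute

# Constructed proxy/firewall log lines: "<iso timestamp> <src> <dst> <unit id> <function code>"
SAMPLE_LOG = """\
2024-05-06T09:00:01 10.1.2.10 10.1.3.5 1 3
2024-05-06T09:00:02 10.1.2.10 10.1.3.5 1 3
2024-05-06T09:05:00 10.1.2.20 10.1.3.5 1 6
2024-05-06T23:10:00 10.1.2.20 10.1.3.5 1 16
2024-05-06T09:07:00 10.1.2.77 10.1.3.5 1 3
2024-05-06T09:07:01 10.1.2.77 10.1.3.6 1 3
2024-05-06T09:07:02 10.1.2.77 10.1.3.7 1 3
2024-05-06T09:07:03 10.1.2.77 10.1.3.8 1 3
2024-05-06T09:07:04 10.1.2.77 10.1.3.9 1 3
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, unit, fc = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(unit), int(fc)))
    return events

def detect(events):
    """Return (rule, source, detail) alerts; new-master alerts are deduplicated per source."""
    alerts, seen = [], set()
    per_minute = defaultdict(set)   # (src, minute) -> distinct destinations contacted
    for ts, src, dst, unit, fc in events:
        if src not in KNOWN_MASTERS and ("new_master", src) not in seen:
            seen.add(("new_master", src))
            alerts.append(("new_master", src, f"first Modbus request seen at {ts}"))
        in_production = PRODUCTION_HOURS[0] <= ts.hour < PRODUCTION_HOURS[1]
        if fc in WRITE_CODES and in_production:
            alerts.append(("write_in_production", src, f"fc {fc} to {dst} unit {unit} at {ts}"))
        per_minute[(src, ts.replace(second=0))].add(dst)
    for (src, minute), dsts in per_minute.items():
        if len(dsts) >= SCAN_THRESHOLD:
            alerts.append(("scan", src, f"{len(dsts)} distinct targets within minute {minute}"))
    return alerts
```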
To meet compliance evidence requirements:
Log all Modbus sessions with timestamps and user context.
Store firewall and proxy events in a central system (SIEM or log server).
Correlate network data with user access logs from identity providers.
Review reports regularly to validate least-privilege access policies.
Modern ICS monitoring platforms can integrate OT-specific context, allowing teams to identify unsafe behavior quickly and generate reports aligned with regulatory standards.
Securing Modbus TCP requires multiple layers working together:
Network segmentation isolates systems.
Proxies and gateways enforce fine-grained control.
Firewalls and VPNs restrict entry points.
Monitoring and logging provide visibility and compliance evidence.
Each layer compensates for the protocol’s lack of built-in security.
When properly combined, they form a defense-in-depth model that is transparent to operations yet resilient against attacks.
Trout’s Access Gate provides a software-defined DMZ in front of each Modbus asset. It authenticates sessions, inspects commands, and enforces least-privilege policies — without requiring changes to PLCs or switches.
Traffic between enclaves is encrypted and logged, enabling both operational visibility and compliance reporting.
This architecture allows organizations to move from flat, perimeter-protected networks to a Zero Trust overlay model — one that can be deployed incrementally across plants and remote sites.
Modbus TCP’s simplicity has kept it relevant for decades, but it must now operate within far more connected and regulated environments. Basic firewall rules are no longer sufficient. By combining segmentation, proxy-based control, VPN isolation, and continuous monitoring, industrial organizations can protect legacy protocols without sacrificing uptime or interoperability.
That’s the foundation of resilient industrial cybersecurity.