Pipeline Infrastructure Daily · The Big Drop

How Bad Is It?

The worst threats can't be seen. This is the one you can measure: industrial controllers on the public internet, speaking a protocol with no password, in the geography that moves the country's gas.

Unauthenticated Modbus · port 502 · United States · snapshot 2026-07-17 · source: Shodan

How Bad Is It severity meter
9 / 12

HIGH RISK. Modbus has no authentication by design, so every reachable device is commandable. Real programmable controllers — not just sensors — sit in the exposed set, in oil-and-gas country. Scored on a transparent six-factor rubric (below).

The actual count

A search for port:502 country:US returns 64,468 hits — but about 95% of them (60,978 hits) are not industrial control devices at all. They are honeypots (467 known decoys running Conpot, software that impersonates a vulnerable controller), cloud-hosted emulators, and internet scanners — machines that answer on port 502 with nothing industrial behind them. Strip those out and the confirmed-industrial set is 3,490.

Focus on authentic field controllers found in the pipeline infrastructure. The controllers, or devices, are connected on utility and telephone carrier networks, not cloud-based services. When this focus is applied, the number narrows to 314. That 314 is the number that matters: programmable controllers actually wired into gas and pipeline operations and reachable from the open internet — the devices where an unauthenticated Modbus command lands on real equipment that can open a valve, change a setpoint or drive a pump, not on a decoy. The filtering is the finding: most of what looks like exposure is bait, and the exposure that can move physical infrastructure is this core.

64,468 Raw port:502 −60,978 honeypots · cloud · scanners 3,490 Confirmed ICS tag:ics −3,176 cloud-hosted · non-field 314 Field controllers (est.) ~99.5% of port-502 hits never reach a field controller · pipe height on a √ scale
The pipeline narrows as the noise is filtered out. Counts are live Shodan for each exact query, 2026-07-17. Pipe height on a square-root scale so the field core stays visible.

Where it is

Confirmed-industrial Modbus concentrates where the gas is — Texas, Louisiana, Ohio — once the carrier-centroid states (devices that merely register to a telecom's metro) are read with caution.

TX 790 DC 281 CA 260 OH 259 NY 236 LA 212 IL 178 VA 162 FL 141 GA 109 PA 90 TN 82 brass = oil&gas geography · grey = carrier-centroid inflated (registrant geo)
Confirmed-ICS Modbus (tag:ics) by state, 2026-07-17. Shodan geolocation is registrant-level: a device shows where its IP registers, not where the steel is.
Confirmed device (Schneider Modicon family)US count
BMX P34 202023
PM55638
TM241CE24R5
171 CBU 980904
HMISCUxB54
Modicon M3403

The map

Every confirmed device mapped at its exact Shodan IP-geolocation — public data, not blurred. Brass/red points are field-hosted (utility / telephone carrier networks — the authentic controllers); grey points are cloud-hosted (Linode, Alibaba and the like — almost certainly emulators or decoys). Click a point for its city, network and device model.

Two to Watch

The worst: a controller with no password

The exposed set isn't only sensors reporting a number — it includes programmable logic controllers: Schneider Modicon M340 (BMX P34), M221 and M241 units that run the process. Reached over Modbus with no authentication, a PLC will answer a write the same way it answers its own operator — flip a coil, change a setpoint, command a valve or a pump. That is the difference between reading a tank level and moving the tank. What it would take to close: no patch exists for "no password" — the fix is to take the device off the public internet and put it behind a firewall or VPN.

The one that could rattle the NYMEX: Henry Hub

Henry Hub, in Erath, Louisiana, is the physical settlement point for NYMEX natural-gas futures — the price the whole market quotes. Louisiana carries 212 confirmed-industrial Modbus devices, in the Gulf-Coast corridor whose custody meters and compressor controls run on this same class of gear. The futures settle against physical delivery; a falsified flow or pressure reading, or a forced valve action at a custody point feeding the hub, distorts the signal the market prices against. We do not place any specific device at the hub — Shodan's Louisiana points resolve to carrier metros, not facilities — but the exposure footprint sits squarely in the geography that sets the national price. That is the chaos vector worth watching.

Method & rubric

How the score is built (0–12, disclosed):

confirmed ics>=100+2
unauth protocol(modbus)+2
controllers present(PLCs)+2
exposure persists+1
kev device classes exist+1
in pipeline geography+1
Total9 / 12 · HIGH

Every count is a live Shodan query, date-stamped and reproducible. The field-controller figure (~314) is an approximation: it applies the field-vs-cloud share of a product-confirmed sample (9 field / 91 cloud) to the confirmed-ICS total, so treat it as order-of-magnitude. Geolocation is registrant-level. Aggregate only — no operator is named "vulnerable" without per-IP verification and a request for comment.

See it / use the data

Open the live Looker Studio dashboard ↗ Live data Sheet ↗ Shodan: confirmed-ICS 502 ↗ Shodan: raw 502 ↗ Google Earth (KML) ↓ GeoJSON ↓

The Looker button opens a new report pre-wired to a Google Sheet of the confirmed-ICS-by-state data (sign in, then map state to a US geo chart with confirmed_ics_502 as the metric). The Sheet is a live source; it currently holds the 2026-07-17 snapshot and is refreshed when the tracker re-publishes it.