TL;DR: FrostyGoop shows how Modbus-specific malware can send unauthorized commands to PLCs, disable operations, and leave a municipal heating provider exposed for more than two days, according to Acalvio. The lesson is that segmentation alone does not stop protocol-aware OT attacks, and deception plus early detection matter when unauthenticated industrial protocols are in play.
At a glance
What this is: An analysis of FrostyGoop malware and how Modbus protocol exploits can disable OT assets through unauthorized control commands.
Why it matters: OT teams still rely on segmentation and visibility assumptions that protocol-aware malware can bypass, affecting resilience, safety, and incident response across industrial and infrastructure environments.
Context
ICS protocol exploits are attacks that abuse industrial control protocols such as Modbus to issue commands, change register values, or disrupt device operations without relying on normal application-layer authentication. In OT environments, that matters because the protocol itself often carries the trust boundary, and FrostyGoop shows what happens when the protocol can be spoken directly by an attacker.
For IAM and security leaders, the bigger issue is that OT security cannot be treated as a pure network segmentation problem. When unauthenticated protocols govern control-plane actions, the organisation needs visibility into command-level abuse, not just perimeter traffic, and that changes how detection, containment, and operational resilience are designed.
Key questions
Q: What breaks when industrial protocols like Modbus are unauthenticated?
A: When industrial protocols are unauthenticated, any actor that can reach the control path may be able to send syntactically valid commands that alter device behaviour. That breaks the assumption that internal network position equals trust. In OT, the result is command-layer abuse, not just packet interception or scanning.
Q: Why do ICS protocol exploits bypass traditional segmentation controls?
A: Segmentation limits reach, but it does not validate whether an allowed command is safe for the asset receiving it. If an attacker gets a foothold inside the OT zone, protocol-specific malware can still issue destructive commands to PLCs. The control failure is trust without command integrity.
Q: How can security teams detect malicious Modbus activity early?
A: Teams should combine network detection with protocol-aware decoys that mimic real PLCs and attract reconnaissance before production devices are touched. That gives earlier, higher-confidence detection than anomaly-only methods in environments with sparse and highly specific traffic patterns.
Q: Who should be accountable for OT protocol abuse detection?
A: Accountability should sit with the OT security and operations owners jointly, because the impact is operational as well as cyber. The practical test is whether the organisation can spot unsafe control commands, isolate affected paths, and preserve service continuity before device manipulation spreads.
Technical breakdown
Why Modbus becomes an attack surface in OT
Modbus was designed for industrial communication, not for strong client authentication or encrypted command integrity. That means a device may accept protocol messages that look syntactically valid even when they come from an unauthorised source. In the FrostyGoop pattern, attackers do not need to break the protocol to abuse it. They only need to understand which opcodes, register values, and device targets will alter PLC behaviour. This is why protocol-specific malware is more dangerous than generic scanning or commodity malware in OT. The control plane itself becomes the vulnerability, especially when the environment still assumes that internal network location implies trust.
Practical implication: treat protocol-level command acceptance as a control gap, not just a network exposure.
Why segmentation is necessary but not sufficient
Network segmentation reduces blast radius, but it does not prevent an attacker who already has a foothold from sending valid-looking industrial commands within an allowed zone. The article shows that threats can bypass prevention controls through internet-facing OT assets or insider access from plant staff and contractors. Once the attacker can reach the PLC path, segmentation alone does not distinguish operational traffic from malicious manipulation. That is why OT defence must include detection that understands protocol semantics, not only IP reachability or VLAN boundaries. The relevant question is not just whether the traffic was allowed, but whether the command was safe for that asset and state.
Practical implication: pair segmentation with command-aware detection for Modbus and similar ICS protocols.
How decoys expose protocol-aware attacker behaviour
Decoys work because they present believable OT assets that should never receive legitimate operational commands during normal production activity. When an attacker runs reconnaissance, the decoy can respond as a plausible PLC, exposing scanning, targeting, and exploit preparation before real devices are hit. That gives defenders high-fidelity warning with less tuning than anomaly-only methods, which can struggle in OT because baseline traffic is narrow, sparse, and highly variable by site. In this case, the value is not just alerting. It is earlier confirmation that the adversary understands the protocol and is moving from discovery to device-specific abuse.
Practical implication: place protocol-aware decoys where they can see reconnaissance before destructive commands are sent.
Threat narrative
Attacker objective: The attacker aims to interrupt industrial operations by issuing malformed or unauthorized control commands that disable PLC behaviour and degrade service delivery.
- Entry begins when the attacker gains access to the OT environment and can observe or reach PLC-facing network paths.
- Escalation occurs during reconnaissance, when the attacker identifies Modbus-capable targets and prepares protocol-specific abuse against those devices.
- Impact follows when FrostyGoop sends unauthorized Modbus commands that disable PLC operations and disrupt municipal heating services.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric's Jira, from which 40GB was exfiltrated.
- Shai Hulud npm malware campaign — npm malware exposed secrets on GitHub.
NHI Mgmt Group analysis
ICS protocol exploits are an integrity problem, not just a perimeter problem. FrostyGoop shows that industrial protocols can be abused at the command layer even when the network path is known and controlled. Modbus and similar protocols were not built with modern authentication and encryption assumptions, so the trust decision effectively moves into the protocol itself. Practitioners should treat command integrity as a first-class control requirement in OT.
Segmentation does not eliminate insider or foothold-driven OT abuse. The article is explicit that attackers may come in through internet-facing assets or through trusted plant administrators and contractors. That means the attack model includes legitimate access paths being turned into operational abuse paths. The governance lesson is that OT resilience cannot depend on location-based trust alone.
Protocol-aware deception: the control gap this incident exposes is the lack of high-fidelity visibility into malicious industrial commands before they reach real assets. Decoys work because they surface reconnaissance and exploit preparation without requiring perfect baselines or agent-based telemetry. For OT environments where endpoint controls are limited, that makes deception a practical part of command-level detection rather than a niche add-on.
OT defence must be designed around device state, not just network traffic. Anomalous packets are only useful if defenders can tell whether the command would alter PLC operation, not merely whether it is unusual. FrostyGoop demonstrates that precision-crafted protocol abuse can stay below generic anomaly thresholds. Security teams should rethink alerting around operational consequences, not packet novelty.
From our research:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Only 44% of developers are reported to follow security best practices for secrets management, a gap that increases the chance of exposed credentials becoming active attack paths.
- For a broader breach lens, see The 52 NHI breaches Report for recurring identity-exposure patterns that turn fast-moving access into operational risk.
What this signals
OT teams should expect protocol-aware malware to make segmentation look more effective than it is. The real signal is whether defenders can detect malicious commands before they change device state, which is why command-level visibility and root-cause thinking in the style of the 52 NHI Breaches Analysis matter even outside classic IT environments.
Protocol trust debt: when a protocol was never designed to authenticate the actor issuing commands, every additional exposed path increases the likelihood of misuse. That is a governance problem as much as a detection problem, and it should push practitioners toward decoy-based visibility, state-aware alerting, and tighter control of contractor and remote-access pathways.
The same assume-compromise mindset used in identity security applies here, but the object of protection is industrial command integrity rather than credentials. Teams that still optimise only for network perimeter control will miss the stage at which FrostyGoop-like activity becomes operational damage.
For practitioners
- Harden protocol trust boundaries: Inventory every Modbus and other ICS protocol path that can alter PLC state, then classify which commands are allowed, who can send them, and from which network zones. Where a command can change process behaviour, treat it as privileged control traffic rather than ordinary east-west communication.
- Deploy protocol-aware deception: Place PLC decoys on segments where reconnaissance and target validation will naturally occur, including locations that mirror leaf-switch visibility gaps. Tune them to respond plausibly to Modbus and BACnet probing so the first hostile interaction is surfaced before real control commands are attempted.
- Separate detection by command semantics: Augment NDR with logic that inspects opcodes, register writes, and target device roles instead of relying only on anomaly scoring. Focus alerts on commands that can disable operations, not just on unusual source addresses or traffic volume.
- Test insider and foothold scenarios: Run exercises that assume an attacker already has OT network reach through contractors, plant administrators, or exposed assets. Measure how quickly the team can isolate a device path once malicious protocol activity is detected.
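One way to express the command-semantics check and the decoy rule from the list above, as an added example rather than code from Acalvio or this post: it parses Modbus/TCP requests and grades each one against a write allowlist. The IP addresses, register ranges, `WRITE_ALLOWLIST`, `DECOYS` and all function names are constructed assumptions.

```python
import struct

# State-changing Modbus function codes covered here; others (e.g. 22, 23) need their own parsing.
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCS = {1, 2, 3, 4}
# Constructed policy (assumption): (source, PLC) -> register/coil ranges that source may write.
WRITE_ALLOWLIST = {("10.0.5.10", "10.0.5.20"): [(100, 119)]}
# Constructed decoy address (assumption): no legitimate client ever talks to it.
DECOYS = {"10.0.5.99"}

def parse_request(frame: bytes) -> dict:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("protocol id or length field inconsistent")
    func, addr, qty = frame[7], None, None
    if func in WRITE_FUNCS or func in READ_FUNCS:
        if len(frame) < 12:
            raise ValueError("truncated request body")
        addr, second = struct.unpack(">HH", frame[8:12])
        qty = 1 if func in (5, 6) else second  # single writes carry a value, not a count
        if qty < 1:
            raise ValueError("zero quantity")
    return {"unit": unit, "func": func, "addr": addr, "qty": qty}

def evaluate(src: str, dst: str, frame: bytes) -> tuple:
    """Return (severity, reason) for one request observed from src to dst."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return ("medium", f"malformed Modbus/TCP frame: {exc}")
    if dst in DECOYS:  # any contact with a decoy is reconnaissance or targeting
        return ("high", f"function {req['func']} sent to decoy {dst} by {src}")
    if req["func"] in READ_FUNCS:
        return ("info", "read request")
    if req["func"] not in WRITE_FUNCS:
        return ("medium", f"function {req['func']} not classified by this check")
    first, last = req["addr"], req["addr"] + req["qty"] - 1
    if any(lo <= first and last <= hi for lo, hi in WRITE_ALLOWLIST.get((src, dst), [])):
        return ("info", f"{WRITE_FUNCS[req['func']]} {first}-{last} within allowlist")
    return ("high", f"{WRITE_FUNCS[req['func']]} {first}-{last} from {src} not allowlisted")

def build_request(tid: int, unit: int, func: int, body: bytes = b"") -> bytes:
    """Build a constructed sample request (test data, not captured traffic)."""
    return struct.pack(">HHHBB", tid, 0, len(body) + 2, unit, func) + body
```

The same write is graded `info` from the allowlisted HMI and `high` from any other source, which is the distinction segmentation alone cannot make inside an allowed zone.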
Key takeaways
- FrostyGoop shows that ICS protocol exploits can disable real-world operations by abusing Modbus command paths rather than breaking classic perimeter controls.
- The reported incident left a municipal heating provider exposed to sub-zero temperatures for more than two days, showing that OT protocol abuse can become immediate service disruption.
- Command-aware detection and protocol deception are the controls that matter most when industrial traffic itself can be weaponised.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access paths into OT must be controlled even when protocol traffic looks valid. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero trust challenges location-based trust that allows protocol abuse. |
| OWASP Non-Human Identity Top 10 | NHI-01 | OT assets and decoys depend on protected machine identities and credentials. |
Inventory and govern non-human identities used in OT monitoring and deception.
Key terms
- ICS protocol exploit: An ICS protocol exploit abuses industrial communication rules to send commands, change device settings, or disrupt operations. It targets the way control messages are accepted rather than breaking the physical asset itself, which makes protocol trust and command validation central security concerns.
- Modbus: Modbus is an industrial communication protocol used widely by PLCs and other OT devices for monitoring and control. It was not designed with modern authentication or encryption assumptions, so command integrity and network containment become critical compensating controls in operational environments.
- Protocol-aware deception: Protocol-aware deception uses decoys that speak the same industrial language as real assets so attackers reveal reconnaissance and exploit behaviour earlier. In OT, this gives defenders visibility without relying on endpoint agents or perfect behavioural baselines, which are often impractical.
- Command integrity: Command integrity is the assurance that only authorised, intended control messages can change a device state. In OT, it matters more than packet validity alone because an attacker can send a well-formed command that is still operationally destructive.
This post draws on content published by Acalvio: FrostyGoop: Defending Against ICS Protocol Exploits. Read the original.
Published by the NHIMG editorial team on 2025-10-20.