Industrial
Operational Technology
Vulnerability Management

Managing Serial-to-Ethernet Exposures in Modern OT Networks

Alessio Rosas / Jun 10, 2025

In today’s industrial landscape, organizations are increasingly turning toward digital transformation and intelligent automation to improve efficiency, visibility, and control. However, many industrial systems still rely on legacy equipment (PLCs, sensors, and actuators, for example) that communicates via serial interfaces such as RS-232, RS-422, or RS-485. While replacing these systems is costly and disruptive, extending their usability through modern networking is essential for organizations seeking to remain competitive.

One common solution to bridge this technological gap is the use of Serial-to-Ethernet converters. These devices allow legacy serial equipment to connect and communicate over modern Ethernet networks. While this integration brings numerous operational advantages, it also introduces serious cybersecurity risks that, if left unaddressed, can endanger critical infrastructure and industrial control systems.

We explore the technical role of Serial-to-Ethernet converters, the cybersecurity vulnerabilities they pose, and practical best practices organizations should adopt to secure their industrial environments.

Understanding Serial-to-Ethernet Converters

Serial-to-Ethernet converters function as translators between two different communication paradigms. They take data generated by a serial port and encapsulate it in TCP/IP packets, making it possible to transmit this data over a standard Ethernet network. This allows operators to remotely monitor and control devices that were once only accessible through physical serial connections.

Key Use Cases in Industry

  • Factory Automation: Connecting legacy machine controllers to centralized monitoring systems.

  • Energy & Utilities: Remotely managing substations, meters, and relay devices.

  • Transportation: Linking roadside equipment or railway systems to control centers.

  • Oil & Gas: Monitoring remote sensors in hazardous or offshore locations.

By enabling legacy systems to connect to modern networking, these converters help industrial organizations avoid the high cost of replacing functioning equipment. However, this functionality comes at a price: exposing non-secure serial devices to the inherent risks of IP networks.

Serial-to-Ethernet Cybersecurity Challenges

Many legacy devices and protocols were never designed with network connectivity or cybersecurity in mind.

The introduction of Serial-to-Ethernet converters opens up what was previously an air-gapped or isolated environment to new attack surfaces. This shift demands a critical reevaluation of security controls, especially in sectors where uptime and safety are paramount.

1. Insecure Legacy Protocols

Protocols such as Modbus RTU, DNP3, or vendor-specific serial protocols were built for operational reliability, not security. Once these protocols are bridged to an IP network via a converter, they remain inherently insecure unless additional protections are put in place.

Risks:

  • Unencrypted Communication: Data is transmitted in plain text, easily intercepted by attackers.

  • Lack of Authentication: Devices often accept commands from any source.

  • Spoofing and Replay Attacks: Attackers can inject or replay commands to control or disrupt devices.

2. Vulnerabilities in Converter Devices

Many Serial-to-Ethernet converters have been found to contain software and hardware vulnerabilities that make them attractive targets for attackers. These include:

  • Hardcoded credentials or factory-default usernames and passwords.

  • Outdated firmware with known exploits.

  • Unencrypted web interfaces or insecure protocols like Telnet enabled by default.

  • No support for audit logging or secure configurations.

These weaknesses make the converters themselves a stepping stone into the broader ICS network. Once compromised, they can provide unauthorized access to critical operations.

3. Expanded Attack Surface

By connecting serial devices to the wider corporate network (or even the internet), organizations unintentionally expose critical control systems to a broader range of threats, including:

  • Malware infections

  • Network reconnaissance and lateral movement

  • Ransomware and sabotage

  • Exfiltration of sensitive process data

The potential impact is not limited to data loss—it can result in equipment failure, production downtime, safety hazards, and reputational damage.

The graph below represents Shodan searches for serial-to-Ethernet converters in the EMEA zone. We can see Lantronix devices, Moxa NPort, and sometimes also Telnet interfaces for RS-232 connections.

We can also see that the most exposed countries are located in northern Europe.

Best Practices for Securing Serial-to-Ethernet Deployments

To address the cybersecurity risks introduced by Serial-to-Ethernet converters, a combination of technical, procedural, and architectural controls is essential. Here are recommended best practices to strengthen security posture:

1. Choose Secure, Industrial-Grade Converters

Not all Serial-to-Ethernet converters are created equal. Organizations should choose devices that support modern cybersecurity features, including:

  • TLS/SSL encryption for data transmission.

  • Authentication and access control, including user roles and strong password policies.

  • Secure configuration interfaces using HTTPS or SSH.

  • Audit trails and logging of access and configuration changes.

  • Compliance with standards such as IEC 62443, NIST SP 800-82, or ISA/IEC-62443-4-2.

Work with vendors who provide long-term firmware support, vulnerability disclosures, and regular updates.

2. Implement Robust Patch Management

Once deployed, converters should be treated like any other endpoint:

  • Maintain an up-to-date asset inventory of all converter devices.

  • Regularly check vendor websites or advisories for new firmware or patch releases.

  • Schedule routine maintenance windows to apply security patches.

  • Consider automation tools or configuration management platforms for updates at scale.

Neglecting firmware updates is a common yet preventable source of exposure.

3. Segment and Secure Networks

Proper network architecture is one of the most effective defenses against compromise. Key strategies include:

  • Network segmentation: Isolate serial device networks (e.g., ICS or SCADA segments) from business/IT networks using firewalls or VLANs.

  • Access control: Limit who and what can communicate with the converters via access control lists (ACLs).

  • Air-gapping when possible: Physically isolate critical systems that do not require outside communication.

  • Use of DMZs (Demilitarized Zones) to safely bridge IT and OT systems.

Network segmentation reduces the blast radius in case of compromise and helps contain lateral movement.

4. Deploy Monitoring and Intrusion Detection

Visibility is essential for early detection and response to threats:

  • Deploy IDS/NDR that are tailored for industrial protocols (e.g., OT-native solutions, OT NDR).

  • Use network monitoring tools to baseline normal behavior and alert on anomalies.

  • Enable event logging and syslog forwarding from converters to a centralized SIEM (Security Information and Event Management) platform.

  • Implement device-level monitoring to detect unauthorized access or abnormal behavior.

Anomaly detection can help identify malicious activity before it escalates into a breach.
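
As an added illustration (not code from the original article), the Python sketch below shows the kind of protocol-aware check an OT monitoring rule can apply to Modbus RTU traffic carried through a converter: it validates each frame's CRC and alerts on write function codes from sources outside an allowlist. It assumes the converter runs in raw TCP tunnel mode with one RTU frame per payload and that (source IP, payload) pairs have already been extracted from a capture; the IP addresses and register values are constructed samples.

```python
import struct

# Modbus function codes that change device state.
WRITE_FUNCS = {0x05: "write single coil", 0x06: "write single register",
               0x0F: "write multiple coils", 0x10: "write multiple registers"}

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_frame(unit: int, func: int, payload: bytes) -> bytes:
    """Assemble address + function + payload + CRC (low byte first)."""
    body = bytes([unit, func]) + payload
    return body + struct.pack("<H", crc16_modbus(body))

def parse_frame(frame: bytes):
    """Return (unit, func, payload), or None if truncated or the CRC fails."""
    if len(frame) < 4:
        return None
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        return None
    return body[0], body[1], body[2:]

def review(events, allowed_writers):
    """events: (source IP, frame bytes) pairs. Returns a list of alert strings."""
    alerts = []
    for src, frame in events:
        parsed = parse_frame(frame)
        if parsed is None:
            alerts.append(f"{src}: malformed frame or bad CRC")
        elif parsed[1] in WRITE_FUNCS and src not in allowed_writers:
            alerts.append(f"{src}: unauthorized {WRITE_FUNCS[parsed[1]]} to unit {parsed[0]}")
    return alerts

# Constructed sample traffic (hypothetical addresses, not from the article).
ALLOWED_WRITERS = {"10.10.1.5"}                      # the SCADA master
READ = bytes.fromhex("01030000000AC5CD")             # read 10 holding registers
WRITE = build_frame(1, 0x06, struct.pack(">HH", 0x0010, 0x00FF))
EVENTS = [("10.10.1.5", READ), ("10.10.1.5", WRITE),
          ("10.10.9.77", WRITE),                     # byte-identical replay
          ("10.10.9.77", WRITE[:-1] + bytes([WRITE[-1] ^ 0xFF]))]  # corrupted CRC

if __name__ == "__main__":
    for alert in review(EVENTS, ALLOWED_WRITERS):
        print(alert)
```

The replayed write is byte-for-byte identical to the legitimate one because the frame carries no sender identity, sequence number, or authentication tag; the network source is the only distinguishing signal, which is why this check depends on the segmentation and ACL controls described in the previous section.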

5. Conduct Routine Security Assessments

Cybersecurity is not a one-time task. Regular evaluation is critical:

  • Vulnerability scanning of Serial-to-Ethernet devices and associated networks.

  • Penetration testing by security professionals with OT expertise.

  • Security audits and compliance checks using relevant industry standards.

  • Red teaming and tabletop exercises to assess incident response readiness.

Assessments help identify gaps, improve controls, and train personnel for real-world scenarios.

Bridging the OT/IT Divide

Securing Serial-to-Ethernet integrations also requires a shift in organizational mindset. Historically, OT and IT operated in silos, with differing priorities: availability and safety for OT, confidentiality and integrity for IT. However, the convergence of these domains in industrial environments means collaboration is more important than ever.

Recommendations:

  • Establish joint governance teams that include IT security and OT operations.

  • Provide cross-functional training for staff managing converters and serial equipment.

  • Develop incident response playbooks that include serial device scenarios.

  • Ensure that procurement decisions include security criteria.

Bringing OT and IT teams together fosters a unified approach to security and resilience.

Embrace OT Connectivity, But Secure It Wisely

Serial-to-Ethernet converters play a vital role in extending the life of legacy equipment while enabling digital transformation across industrial environments. However, this integration must not come at the cost of cybersecurity.

By understanding the unique risks these devices introduce and following best practices, from selecting secure hardware to implementing layered defenses, organizations can strike the right balance between innovation and protection.

In a world where industrial networks are increasingly targeted by sophisticated cyber threats, securing every link in the chain—including legacy connections—is not optional. It's essential.

Alessio Rosas
Head of OT and Cyber Threat Intelligence

Alessio has worked for more than 10 years in the field of Italian cybersecurity, ranging from consultancies to the role of Security Specialist in international companies. He specialized in industrial security, with experience in critical infrastructure and consultancy assignments abroad, as well as a period as a telecontrol specialist in a leading company in the Oil & Gas sector.

He currently holds the position of Head of the Operational Technology Business Unit and Cyber Threat Intelligence segment at Sicuranext. He focuses on emerging threats related to the OT world, engaging in research and intelligence activities. Additionally, he collaborates with various institutions, particularly in the United States, in the field of OT/ICS research.
