
Port 802 carries MBAP-S (Modbus Application Protocol Secure)—the encrypted version of the protocol that's been running factories, power grids, and industrial control systems since 1979.

What Runs on Port 802

Modbus/TCP Security operates on port 802, providing TLS-encrypted communication between industrial devices. Both TCP and UDP use this port, though TCP is the primary transport.1

The protocol wraps traditional Modbus packets in TLS encryption, adding certificate-based authentication while maintaining compatibility with the original Modbus protocol structure.2

Why This Port Exists

In 1979, Modicon (now part of Schneider Electric) created the Modbus protocol for Programmable Logic Controllers (PLCs). At the time, industrial systems were air-gapped—physically isolated from the outside world. Security wasn't a priority because factories were islands.3

The protocol was designed for reliability and speed, not security. No encryption. No authentication. No access control.4

For 39 years, this was fine. Then the Internet reached everywhere.

Suddenly, SCADA systems and industrial control systems were connected to networks. The same lack of security that didn't matter in an isolated factory became a critical vulnerability. Attackers could send unauthorized commands to industrial equipment. They could read sensitive process data. They could manipulate control systems.5

In 2018, the Modbus Organization released Modbus/TCP Security—essentially wrapping the original protocol in TLS. IANA assigned it port 802 on June 10, 2014.6

How It Works

When a client connects to port 802:

  1. TLS handshake — Both client and server present X.509v3 certificates for mutual authentication
  2. Encrypted channel — TLS wraps the Modbus Application Protocol Data Unit (APDU)
  3. Normal Modbus operation — Inside the encrypted tunnel, Modbus works exactly as it always has

The beauty is that the Modbus protocol itself didn't change. The MBAP header and PDU structure remain identical to the original. The security is a wrapper.7
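The framing described above, as an added example that is not code from the original page or from the Modbus Organization: it builds and validates the MBAP header and PDU that travel unchanged inside the TLS tunnel, and prepares a client TLS context for mutual authentication. The function names, the TLS 1.2 floor, and the certificate file parameters are assumptions made for illustration.

```python
import ssl
import struct

# MBAP header: transaction id, protocol id, length, unit id (big-endian)
MBAP = struct.Struct(">HHHB")

def build_read_holding_registers(transaction_id, unit_id, start_addr, quantity):
    """Return a Modbus ADU (MBAP header + PDU) for function 0x03."""
    if not 1 <= quantity <= 125:
        raise ValueError("quantity must be 1..125 registers")
    pdu = struct.pack(">BHH", 0x03, start_addr, quantity)
    # The length field counts the unit id byte plus the PDU.
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_adu(frame):
    """Split an ADU into its fields, rejecting malformed headers."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[MBAP.size:]
    return {"transaction_id": tid, "unit_id": unit,
            "function": pdu[0], "data": pdu[1:]}

def mutual_tls_client_context(ca_file=None, cert_file=None, key_file=None):
    """Client context for port 802: verify the server, present our own cert."""
    # create_default_context enables CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor
    if cert_file:  # hypothetical paths supplied by the caller
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

# Usage sketch (needs a reachable device, so it is not executed here):
#   ctx = mutual_tls_client_context("plant-ca.pem", "client.pem", "client.key")
#   with socket.create_connection((host, 802)) as raw:
#       with ctx.wrap_socket(raw, server_hostname=host) as tls:
#           tls.sendall(build_read_holding_registers(1, 17, 0x006B, 3))
```

The same bytes returned by `build_read_holding_registers` would be sent in cleartext on port 502; only the socket they are written to differs.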

Where You'll Find This Port

Industrial Control Systems — Factory automation equipment using encrypted Modbus communication

SCADA Systems — Power grids, water treatment facilities, and other critical infrastructure requiring authenticated device communication

Building Automation — HVAC systems, lighting controls, and energy management systems in commercial buildings

Process Control — Chemical plants, refineries, and manufacturing facilities where encrypted commands prevent unauthorized manipulation

The Security Story

The original Modbus (port 502) carries everything in plaintext. Commands, sensor readings, device states—all visible to anyone who can see the traffic. For an attacker on the network, it's trivial to:

  • Send unauthorized commands to equipment
  • Read sensitive process data
  • Inject malicious Modbus frames
  • Replay captured commands

Modbus/TCP Security on port 802 solves this through:

  • Encryption — AES encryption via TLS prevents eavesdropping
  • Authentication — Certificate-based mutual authentication ensures both sides are who they claim to be
  • Integrity — TLS prevents message tampering

But adoption is slow. Legacy industrial equipment can't be upgraded. Many systems still run on port 502 because the devices are decades old and will run for decades more. Port 802 exists for new deployments and upgraded systems.8

Port 502 — Original Modbus/TCP, still the most widely deployed industrial protocol despite having no security

Port 503 — Modbus/TCP over TLS (alternative secure implementation)

Checking What's Listening

To see if port 802 is active on your system:

# On Linux/macOS
sudo lsof -i :802

# On Windows
netstat -an | findstr :802

# Check if a remote host has port 802 open
nmap -p 802 <target-ip>

If you find port 802 open and don't know why, investigate immediately. This port should only be open on industrial control systems running Modbus/TCP Security. On a typical workstation or server, it shouldn't be listening.
