Modbus (RTU and TCP) has no native security: no authentication, no encryption, no signatures. The accepted good practice is strict OT VLAN isolation, an industrial firewall and no direct internet exposure.

Modbus was designed in 1979 with no security in mind, so any direct internet exposure brings: spoofing (anyone on the network can issue a Write Register), sniffing (all frames are in clear text) and denial of service (flooding requests saturates the slaves). The hard truth is that a Modbus Secure variant (TCP over TLS, adopted in 2018) does exist but its deployment is extremely limited because field devices do not support it. The industry standard remains network-level isolation through industrial firewalls (Hirschmann, Phoenix mGuard, Siemens SCALANCE), no internet exposure, and dedicated OT monitoring (Claroty, Nozomi).

Run a quick Shodan search for "modbus" before any client meeting: it is the most persuasive argument to justify the OT firewall on the project budget.