LAST UPDATED: 2022-05-24
We scan the entire IPv4 space daily to map out and report on the ICS/OT exposed attack surface on the Internet. We do this by running probes for many “native” ICS/OT protocols that are elaborated below.
This report contains a list of devices that are responding to our various specialized ICS/OT scans, along with additional make-and-model information and raw responses received.
As of 2022-05-20 we scan for the following 17 protocols:
- BACnet (port 47808/udp)
- CODESYS (port 1200/tcp, port 2455/tcp)
- Crimson V3 (port 789/tcp)
- DNP3 (port 20000/tcp)
- EtherCAT (port 34980/udp)
- EtherNet/IP (port 44818/tcp)
- GE-SRTP (port 18245/tcp)
- HART (port 5094/tcp)
- ICCP (port 102/tcp)
- IEC 60870-5-104 (port 2404/tcp)
- MELSEC-Q (port 5007/tcp)
- Modbus (port 502/tcp)
- OMRON FINS (port 9600/udp)
- OPC UA Binary (port 4840/tcp)
- PC Worx (port 1962/tcp)
- ProConOS (port 20547/tcp)
- Siemens S7 (port 102/tcp)
- Tridium Niagara Fox (port 1911/tcp)
More protocols will follow.
While we do not check for specific vulnerabilities, it is extremely unlikely that these types of devices need to be accessible in any form to queries from the Internet, so unless you are running a honeypot if you receive such a report for your network/constituency, you are strongly advised to act immediately and firewall/filter access.
Read more on how attackers can leverage exposed ICS/OT infrastructure to their advantage and what you can do to mitigate in the CISA, FBI, NSA & Department of Energy joint Cybersecurity Alert advisory “Alert (AA22-103A): APT Cyber Tools Targeting ICS/SCADA devices“.
For more information on our scanning efforts, check out our Internet scanning summary page.
This report currently only has an IPv4 version.