Accessible ICS Report

LAST UPDATED: 2022-05-24

We scan the entire IPv4 space daily to map out and report on the ICS/OT exposed attack surface on the Internet. We do this by running probes for many “native” ICS/OT protocols that are elaborated below.

This report contains a list of devices that are responding to our various specialized ICS/OT scans, along with additional make-and-model information and raw responses received.

As of 2022-05-20 we scan for the following 17 protocols:

More protocols will follow.

While we do not check for specific vulnerabilities, it is extremely unlikely that these types of devices need to be accessible in any form to queries from the Internet. Unless you are running a honeypot, if you receive such a report for your network/constituency you are strongly advised to act immediately and firewall/filter access.

Read more on how attackers can leverage exposed ICS/OT infrastructure to their advantage, and on what you can do to mitigate this, in the CISA, FBI, NSA & Department of Energy joint Cybersecurity Alert advisory “Alert (AA22-103A): APT Cyber Tools Targeting ICS/SCADA devices”.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report currently only has an IPv4 version.

Filenames: scan_ics

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • ip
    IP of the detected device
  • protocol
    Protocol of the response
  • port
    Port response was received from
  • hostname
    Hostname of the device (may be from reverse DNS)
  • tag
    Tag, set to specific ICS protocol, such as Modbus or S7
  • asn
    AS of the detected device
  • geo
    Country of the detected device
  • region
    Region of the detected device
  • city
    City of the detected device
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • sector
    Sector of the IP in question
  • device_vendor
    Vendor name of device
  • device_type
    Type of device
  • device_model
    Model name of device
  • device_version
    Version of the device
  • device_id
    ID of the device
  • response_length
    Length of the base64 decoded raw response
  • raw_response
    Base64 encoded raw response

Sample

timestamp,ip,protocol,port,hostname,tag,asn,geo,region,city,naics,sic,sector,device_vendor,device_type,device_model,device_version,device_id,response_length,raw_response
"2010-02-10 00:00:00",192.168.0.1,tcp,502,node01.example.com,modbus,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service","AB Regin",,,,0,18,DgGC/wEBAAhBQiBSZWdpbg==
"2010-02-10 00:00:01",192.168.0.2,tcp,502,node02.example.com,modbus,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service","Schneider Electric SAS",,"140 NOE 771 01",V4.70,0,55,DgGBAAADABZTY2huZWlkZXIgRWxlY3RyaWMgU0FTAQ4xNDAgTk9FIDc3MSAwMQIFVjQuNzA=
"2010-02-10 00:00:02",192.168.0.3,tcp,502,node03.example.com,modbus,64512,ZZ,Region,City,0,0,,Siemens,,SIMATIC,S7-200,0,34,DgGDAAADAAdTaWVtZW5zAQdTSU1BVElDAgZTNy0yMDA=
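
For recipients triaging this report, the following added example (not Shadowserver's own code) decodes raw_response for modbus-tagged rows and lists what each device announced about itself. The function names are this example's own. The payload layout is an assumption inferred from the sample rows above, and the object ids 0x00 to 0x02 are the basic objects of Modbus Read Device Identification.

```python
import base64
import csv
import io

# Header and rows copied from the Sample section of this page.
SAMPLE = '''timestamp,ip,protocol,port,hostname,tag,asn,geo,region,city,naics,sic,sector,device_vendor,device_type,device_model,device_version,device_id,response_length,raw_response
"2010-02-10 00:00:00",192.168.0.1,tcp,502,node01.example.com,modbus,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service","AB Regin",,,,0,18,DgGC/wEBAAhBQiBSZWdpbg==
"2010-02-10 00:00:01",192.168.0.2,tcp,502,node02.example.com,modbus,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service","Schneider Electric SAS",,"140 NOE 771 01",V4.70,0,55,DgGBAAADABZTY2huZWlkZXIgRWxlY3RyaWMgU0FTAQ4xNDAgTk9FIDc3MSAwMQIFVjQuNzA=
"2010-02-10 00:00:02",192.168.0.3,tcp,502,node03.example.com,modbus,64512,ZZ,Region,City,0,0,,Siemens,,SIMATIC,S7-200,0,34,DgGDAAADAAdTaWVtZW5zAQdTSU1BVElDAgZTNy0yMDA=
'''

# Basic object ids of Modbus Read Device Identification (key names are this example's).
NAMES = {0x00: "vendor", 0x01: "product_code", 0x02: "revision"}

def parse_device_id(raw: bytes) -> dict:
    """Parse the (id, length, value) objects of a device-identification reply.
    Assumed from the sample rows: payload = MEI type 0x0E, read code, conformity
    level, more-follows, next object id, object count, then the objects."""
    if len(raw) < 6 or raw[0] != 0x0E:
        raise ValueError("not a Read Device Identification payload")
    objects, pos = {}, 6
    for _ in range(raw[5]):
        if pos + 2 > len(raw):
            raise ValueError("truncated object header")
        obj_id, length = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated object value")
        objects[NAMES.get(obj_id, f"object_{obj_id}")] = value.decode("ascii", "replace")
        pos += 2 + length
    return objects

def triage(report_csv: str) -> list:
    """One entry per modbus-tagged row: address, decoded objects, parse error."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["tag"] != "modbus":
            continue
        entry = {"ip": row["ip"], "port": int(row["port"]), "objects": {}, "error": None}
        try:
            raw = base64.b64decode(row["raw_response"], validate=True)
            entry["objects"] = parse_device_id(raw)
        except ValueError as exc:  # covers bad base64 and malformed payloads
            entry["error"] = str(exc)
        findings.append(entry)
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Comparing the decoded objects with the device_vendor, device_model and device_version columns shows which report fields came from the device's own reply.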
