This report identifies hosts that have been observed performing scanning activity against Industrial Control System (ICS) sensors (honeypots).
Scanning for ICS devices may be a benign activity; for example, having to do with a research project, or perfomed by an organization like the Shadowserver Foundation looking for open or vulnerable services that it can report to National CERTs and network owners so that they can remediate their networks.
Other scans, however, may be part of a network reconnaissance in the preparatory phase of an attack, or an attempt to exploit the devices being scanned.
Basic information collected includes the source of the scan and the requests being sent, including the communication state and any other protocol specific details, if available. Note that because the ICS sensors used are also HTTP-aware, observed scans may also include non-ICS related attacks that happen to also hit these sensors. These may be considered false positives from an ICS-related attack perspective, but they may be attacks in themselves too.
File name: event4_honeypot_ics_scan
This report type was originally created as part of the EU Horizon 2020 SISSDEN Project.