CRITICAL: Accessible ICS Report

DESCRIPTION LAST UPDATED: 2023-12-07

DEFAULT SEVERITY LEVEL: CRTICAL

We scan the entire IPv4 space daily to map out and report on the ICS/OT exposed attack surface on the Internet. We do this by running probes for many “native” ICS/OT protocols that are elaborated below.

This report contains a list of devices that are responding to our various specialized ICS/OT scans, along with additional make-and-model information and raw responses received.

As of 2023-11-01 we scan for the following 19 protocols:

More protocols will follow.

While we do not check for specific vulnerabilities, it is extremely unlikely that these types of devices need to be accessible in any form to queries from the Internet, so unless you are running a honeypot if you receive such a report for your network/constituency, you are strongly advised to act immediately and firewall/filter access.

Read more on how attackers can leverage exposed ICS/OT infrastructure to their advantage and what you can do to mitigate in the CISA, FBI, NSA & Department of Energy joint Cybersecurity Alert advisory “Alert (AA22-103A): APT Cyber Tools Targeting ICS/SCADA devices“.

You can track latest ICS scan results on the Shadowserver Dashboard.

You can learn more on the report in our Accessible ICS Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report currently only has an IPv4 version.

Filenames: scan_ics

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • severity
    Severity level
  • ip
    IP of the detected device
  • protocol
    Protocol of the response
  • port
    Port response was received from
  • hostname
    Hostname of the device (may be from reverse DNS)
  • tag
    Tag, set to specific ICS protocol, such as Modbus or S7
  • asn
    AS of the detected device
  • geo
    Country of the detected device
  • region
    Region of the detected device
  • city
    City of the detected device
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector of the IP in question
  • device_vendor
    Vendor name of device
  • device_type
    Type of device
  • device_model
    Model name of device
  • device_version
    Version of the device
  • device_id
    ID of the device
  • response_length
    Length of the base64 decoded raw response
  • raw_response
    Base64 encoded raw response

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","device_vendor","device_type","device_model","device_version","device_id","response_size","raw_response"
"2010-02-10 00:00:00",high,192.168.0.1,udp,47808,node01.example.com,bacnet,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",Tridium,ArvestMortgage_98745,"Niagara4 Station",4.12.1.16,98745,,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:01",high,192.168.0.2,udp,47808,node02.example.com,bacnet,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",Obvius,AcquiSuite_6_252,A7810-0,02.21.0309/0.8.0,252000,,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:02",high,192.168.0.3,udp,47808,node03.example.com,bacnet,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",Tridium,DOC_VAV_4005,"Niagara4 Station",4.12.23074.1,4005,,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=

Our 132 Report Types