Scanning for ICS devices may be a benign activity — for example, part of a research project, or performed by an organization like the Shadowserver Foundation looking for open or vulnerable services that it can report to National CERTs and network owners so that they can remediate their networks.
Other scans, however, may be part of a network reconnaissance in the preparatory phase of an attack, or an attempt to exploit the devices being scanned.
Below is a description of a report based on data collected by SISSDEN ICS-aware honeypots. Basic information collected includes the source of the scan and the requests being sent, including the communication state and any other protocol-specific details, if available. Note that because the ICS sensors used are also HTTP-aware, observed scans may include non-ICS-related attacks that happen to hit these sensors. These may be considered false positives from an ICS-related attack perspective, but they may still be attacks in their own right.
This report type was created as part of the EU Horizon 2020 SISSDEN Project.