Industrial Control System (ICS) Protocols and Security Overview
This article provides a comprehensive overview of industrial control system terminology, common SCADA‑related protocols such as Modbus, PROFIBUS, DNP3, OPC, BACnet, and Siemens S7, their security weaknesses, detection scripts, and vulnerability analysis resources.
Terminology
SCADA (Supervisory Control and Data Acquisition), ICS (Industrial Control System), DCS (Distributed Control System), PCS (Process Control System), ESD (Emergency Shut‑Down), PLC (Programmable Logic Controller), RTU (Remote Terminal Unit), IED (Intelligent Electronic Device), HMI (Human‑Machine Interface), MIS (Management Information System), SIS (Supervisory Information System), MES (Manufacturing Execution System).
Protocol Overview
Modbus – a simple, transport‑agnostic protocol (serial Modbus RTU/ASCII, or Modbus/TCP on port 502) that defines a function‑code PDU; it has no authentication, authorization, or encryption, so traffic is readable, and forgeable, by anyone on the path.
PROFIBUS – a field‑bus technology for factory automation that enables distributed digital control and communication between shop‑floor devices and supervisory systems.
DNP3 – the Distributed Network Protocol (IEEE 1815) used in power, water, and other utilities; it collapses the OSI stack to physical, data link, and application layers (with a pseudo‑transport function for fragmentation) and is used by SCADA master stations to communicate with RTUs and IEDs.
ICCP – the Inter‑Control Center Communications Protocol (IEC 60870‑6 / TASE.2), used for data exchange between power control centers.
OPC – OLE for Process Control, a set of standard interfaces, properties, and methods for process control and manufacturing automation.
BACnet – a building automation network protocol for HVAC and other building systems, defining services and communication for computer‑controlled equipment.
CIP – the Common Industrial Protocol, an object‑based application protocol carried by DeviceNet, ControlNet, and EtherNet/IP (TCP/UDP port 44818).
Siemens S7 – S7comm, a layer‑7 protocol used by Siemens PLCs to exchange data over MPI, PROFIBUS DP, or Ethernet; over Ethernet it runs as ISO‑on‑TCP (RFC 1006, TCP port 102) and the peer is addressed by TSAP, while PLC programs use built‑in communication function blocks.
Other Industrial Protocols – IEC 60870‑5‑104, EtherNet/IP, Tridium Niagara Fox, Crimson V3, OMRON FINS, PCWorx, ProConOS, MELSEC‑Q, etc.
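What "no authentication, no encryption" means on the wire for Modbus/TCP, as an added example that is not code from the original article or from any of the tools it lists: a request is a 7‑byte MBAP header plus a function‑code PDU, so any host that can reach port 502 can read or write registers. The reply bytes are constructed by hand to imitate a PLC, so the script runs offline.

```python
"""Minimal Modbus/TCP encoder/decoder (added example; the sample replies are
constructed, not captured from a real device)."""
import struct

MODBUS_TCP_PORT = 502
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
EXCEPTION_NAMES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
}


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the MBAP header: transaction id, protocol id (0 = Modbus),
    length (unit id + PDU), unit id. Nothing in it identifies the sender."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(transaction_id, unit_id, start_addr, count):
    return mbap(transaction_id, unit_id,
                struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_addr, count))


def write_single_register(transaction_id, unit_id, addr, value):
    # One unauthenticated frame is enough to change process state on the target.
    return mbap(transaction_id, unit_id,
                struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, addr, value))


def parse_response(frame: bytes) -> dict:
    """Decode a Modbus/TCP response into a dict; raise ValueError on bad framing."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length %d does not match %d PDU bytes" % (length, len(pdu)))
    fc = pdu[0]
    out = {"tid": tid, "unit": unit, "function": fc & 0x7F}
    if fc & 0x80:  # exception: function code with high bit set, then exception code
        out["exception"] = EXCEPTION_NAMES.get(pdu[1], "code 0x%02x" % pdu[1])
    elif fc == FC_READ_HOLDING_REGISTERS:
        byte_count = pdu[1]
        if byte_count % 2 or len(pdu) != 2 + byte_count:
            raise ValueError("bad byte count in read response")
        out["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:]))
    elif fc == FC_WRITE_SINGLE_REGISTER:
        out["address"], out["value"] = struct.unpack(">HH", pdu[1:5])
    else:
        out["raw"] = pdu[1:]
    return out


# Constructed replies (not captured from a device).
SAMPLE_READ_REPLY = mbap(1, 1, b"\x03\x04\x00\x64\x00\xc8")   # two registers: 100, 200
SAMPLE_EXCEPTION_REPLY = mbap(2, 1, b"\x83\x02")              # 0x83 = 0x03 | 0x80, illegal address
SAMPLE_WRITE_ECHO = mbap(3, 1, b"\x06\x00\x0a\x12\x34")       # device echoes a write to register 10

if __name__ == "__main__":
    print(read_holding_registers(1, 1, 0, 2).hex())
    print(write_single_register(3, 1, 10, 0x1234).hex())
    for reply in (SAMPLE_READ_REPLY, SAMPLE_EXCEPTION_REPLY, SAMPLE_WRITE_ECHO):
        print(parse_response(reply))
```

The only "integrity" mechanism in the frame is the MBAP length field; a length mismatch is the one thing the parser rejects, which is also the only thing a PLC will reject from an attacker who can reach the port.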
Information Detection
The detection scripts below are provided as starting points for protocol testing; the original notes only briefly that more extensive testing should be carried out independently.
Search Engines
Shodan and Zoomeye can be used to locate industrial control devices; example links and brief introductions are included.
Nmap Scripts
nmap -p 44818 --script enip-enumerate.nse 85.132.179.*
nmap --script modicon-info.nse -Pn -p 502 -sV 91.83.43.*
nmap -Pn -n -d --script iec-identify.nse --script-args=iec-identify -p 2404 80.34.253.*
nmap -p 102 --script s7-enumerate -sV 140.207.152.*
nmap -d --script mms-identify.nse --script-args='mms-identify.timeout=500' -p 102 IP
nmap -p 1911 --script fox-info 99.55.238.*
These scripts help locate SCADA systems, identify protocol versions, internal IPs, modules, and hardware details.
Significance
The scripts enable systematic discovery of industrial control systems and their components, facilitating deeper analysis or custom search engine development.
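The first thing s7-enumerate (and every other S7 client) has to do on TCP/102 is an ISO‑on‑TCP connection setup, shown here as an added example that is not code from the article or from the nmap script itself: a COTP Connect Request (ISO 8073) inside a TPKT header (RFC 1006), where the called TSAP encodes connection type, rack and slot and no credential is involved. The TSAP convention (high byte = connection type, low byte = rack*0x20 + slot) is the one used by Snap7‑style clients; the reply bytes are constructed to imitate a PLC, so this runs offline.

```python
"""COTP connection setup for Siemens S7 over ISO-on-TCP (added example; the
sample replies are constructed, not captured from a device)."""
import struct

ISO_TSAP_PORT = 102
COTP_CR, COTP_CC, COTP_DR = 0xE0, 0xD0, 0x80          # Connect Request / Connect Confirm / Disconnect Request
PARAM_TPDU_SIZE, PARAM_CALLING_TSAP, PARAM_CALLED_TSAP = 0xC0, 0xC1, 0xC2
CONN_TYPE_PG, CONN_TYPE_OP, CONN_TYPE_BASIC = 1, 2, 3  # programming device, operator panel, generic


def s7_tsap(conn_type: int, rack: int, slot: int) -> int:
    """Snap7-style TSAP: S7-300 CPU in rack 0, slot 2 -> 0x0102 for a PG connection."""
    if not (0 <= rack < 8 and 0 <= slot < 32):
        raise ValueError("rack/slot out of range")
    return (conn_type << 8) | (rack * 0x20 + slot)


def decode_tsap(tsap: int):
    """Inverse of s7_tsap: (connection type, rack, slot)."""
    return tsap >> 8, (tsap & 0xFF) >> 5, tsap & 0x1F


def tpkt(payload: bytes) -> bytes:
    # TPKT header: version 3, reserved 0, total length including these 4 bytes
    return struct.pack(">BBH", 3, 0, len(payload) + 4) + payload


def cotp_connect_request(calling_tsap: int, called_tsap: int, src_ref: int = 1) -> bytes:
    fixed = struct.pack(">BHHB", COTP_CR, 0, src_ref, 0)  # code, dst ref (unknown yet), src ref, class 0
    params = (struct.pack(">BBH", PARAM_CALLING_TSAP, 2, calling_tsap)
              + struct.pack(">BBH", PARAM_CALLED_TSAP, 2, called_tsap)
              + struct.pack(">BBB", PARAM_TPDU_SIZE, 1, 0x0A))  # 2**10 = 1024-byte TPDUs
    body = fixed + params
    return tpkt(bytes([len(body)]) + body)                 # length indicator counts what follows it


def parse_cotp_reply(frame: bytes) -> dict:
    """Decode the PLC's reply: CC means the TSAP (rack/slot) was accepted."""
    if len(frame) < 5 or frame[0] != 3:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("TPKT length mismatch")
    li = frame[4]
    cotp = frame[5:5 + li]
    if len(cotp) != li or li < 6:
        raise ValueError("truncated COTP header")
    code = cotp[0] & 0xF0
    dst_ref, src_ref = struct.unpack(">HH", cotp[1:5])
    out = {"pdu_type": code, "accepted": code == COTP_CC, "dst_ref": dst_ref, "src_ref": src_ref}
    if code != COTP_CC:
        return out                                         # e.g. DR when the called TSAP does not exist
    i = 6                                                  # skip the class/options byte
    while i + 2 <= li:
        pcode, plen = cotp[i], cotp[i + 1]
        pval = cotp[i + 2:i + 2 + plen]
        if len(pval) != plen:
            raise ValueError("truncated COTP parameter 0x%02x" % pcode)
        if pcode == PARAM_TPDU_SIZE:
            out["tpdu_size"] = 1 << pval[0]
        elif pcode in (PARAM_CALLING_TSAP, PARAM_CALLED_TSAP) and plen == 2:
            key = "calling_tsap" if pcode == PARAM_CALLING_TSAP else "called_tsap"
            out[key] = struct.unpack(">H", pval)[0]
        i += 2 + plen
    return out


# Constructed replies (not captured from a device).
SAMPLE_CONNECT_CONFIRM = bytes.fromhex("0300001611d00001000b00c0010ac1020100c2020102")
SAMPLE_DISCONNECT = bytes.fromhex("0300000b06800001000b00")

if __name__ == "__main__":
    print(cotp_connect_request(0x0100, s7_tsap(CONN_TYPE_PG, 0, 2)).hex())
    print(parse_cotp_reply(SAMPLE_CONNECT_CONFIRM))
    print(parse_cotp_reply(SAMPLE_DISCONNECT))
```

Once the Connect Confirm arrives, the client sends an S7comm Setup Communication PDU and can then read the system status list (SZL) that gives the module and firmware details the nmap output lists; a PLC that answers the CR for a guessed rack/slot has already told you it is reachable without any credential.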
Script Resources
GitHub repositories: atimorin/scada-tools, atimorin/PoC2013, drainware/scada-tools, drainware/nmap-scada.
Exploit‑DB scripts: 19833, 19832, 19831, and the related Exploit‑DB search results.
Wooyun Industrial Control Vulnerability Analysis
Analysis of vulnerabilities listed on the Wooyun platform shows that most incidents stem from weak passwords (e.g., "123456", "admin") and injection flaws. Researchers have presented these findings at conferences such as Kcon2015.
The main challenges are locating relevant systems and addresses, and, after gaining a shell, leveraging industrial control knowledge to manipulate the target.
Keywords for further searching include SCADA, Modbus, PLC, and other protocol names; GHDB queries like inurl:SCADA are useful.
Key Vulnerabilities
Seven notable SCADA‑related vulnerabilities are highlighted, each demonstrating control over specific industrial devices.
Reference Resources
Industrial control topics on ZoomEye (http://ics.zoomeye.org/) and Shodan (https://www.shodan.io/report/l7VjfVKc).
Expert blogs and papers: Z‑0ne (http://plcscan.org/blog/), evilcos papers (https://github.com/evilcos/papers), industrial security exercise write‑ups, and KCon 2015 materials.
Additional references include search engines (Google, Baidu), security analysis firms (Codenomicon), and tutorial articles on Modbus.