
Industrial Control System (ICS) Protocols and Security Scanning Guide

This article provides an overview of common industrial control system protocols, their security weaknesses, and practical network scanning commands and resources for identifying and assessing SCADA and related devices.

Architects Research Society

Terminology

SCADA: Supervisory Control and Data Acquisition system

ICS: Industrial Control System

DCS: Distributed Control System

PCS: Process Control System

ESD: Emergency Shut‑Down system

PLC: Programmable Logic Controller

RTU: Remote Terminal Unit

IED: Intelligent Electronic Device

HMI: Human‑Machine Interface

MIS: Management Information System

SIS: Supervisory Information System (plant-level monitoring system, as used in the Chinese power industry; in process-safety standards such as IEC 61511 the same acronym means Safety Instrumented System)

MES: Manufacturing Execution System

Protocol Overview

Modbus – a simple application-layer protocol carried over serial links (Modbus RTU/ASCII) or TCP (Modbus/TCP, port 502). It has no authentication, authorization, or encryption: function codes, register addresses, and values travel in clear text, so any host that can reach the port can read or write process data.

PROFIBUS – a field‑bus technology for factory‑floor monitoring and control.

DNP3 – Distributed Network Protocol (IEEE 1815), used in electric power, water treatment, and similar utilities; it collapses the OSI stack to three layers (physical, data link, application) plus a thin pseudo-transport layer for fragmentation. The base protocol has no message authentication; DNP3 Secure Authentication (DNP3-SA) adds it as an optional extension.

ICCP – Inter-Control Center Communications Protocol (IEC 60870-6 / TASE.2), used for data exchange between power control centers.

OPC – OLE for Process Control (now Open Platform Communications), a set of standards for interfacing industrial devices and applications. Classic OPC is built on Windows DCOM; OPC UA replaces it with its own transport and security model.

BACnet – Building Automation and Control network protocol for HVAC and other building systems.

CIP – Common Industrial Protocol adopted by DeviceNet, ControlNet, and EtherNet/IP.

Siemens S7 (S7comm) – a proprietary application-layer protocol for data exchange among Siemens SIMATIC devices, carried over MPI, PROFIBUS DP, or ISO-on-TCP (RFC 1006, TCP port 102).

Other Industrial Protocols – IEC 60870‑5‑104, EtherNet/IP, Tridium Niagara Fox, Crimson V3, OMRON FINS, PCWorx, ProConOS, MELSEC‑Q, etc.
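The Modbus entry above says the protocol carries function codes, addresses and values in clear text with no authentication. The following Python, added here as an example and not taken from the article or from any scanner project, builds Modbus/TCP requests byte by byte, decodes frames the way a passive monitor would, parses the Read Device Identification reply that discovery scripts rely on, and flags write requests from hosts outside an allow list, which is the only control Modbus itself leaves you. Hosts, vendor strings and frames are constructed sample data.

```python
"""Modbus/TCP framing, decoding, and a passive check for unauthenticated writes.
Example code added to this article (not from the page's author or a scanner project).
"""
import struct

MODBUS_PORT = 502
# MBAP header (big-endian): transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
MBAP = struct.Struct(">HHHB")

FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x2B: "Encapsulated Interface Transport (Read Device Identification)",
}
# Function codes that change plant state. Modbus has no authorization field, so only the
# network (or a monitor such as flag_unauthorized_writes) decides who may send these.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


def build_frame(transaction_id, unit_id, function_code, payload):
    """Wrap a PDU (function code + payload) in an MBAP header."""
    pdu = bytes([function_code]) + payload
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(transaction_id, unit_id, address, count):
    return build_frame(transaction_id, unit_id, 0x03, struct.pack(">HH", address, count))


def write_single_register(transaction_id, unit_id, address, value):
    """No credential exists: the 16-bit address and value are the entire request."""
    return build_frame(transaction_id, unit_id, 0x06, struct.pack(">HH", address, value))


def read_device_identification(transaction_id, unit_id):
    """FC 0x2B / MEI 0x0E, read code 1 (basic objects), start at object 0: what discovery scripts send."""
    return build_frame(transaction_id, unit_id, 0x2B, bytes([0x0E, 0x01, 0x00]))


def decode_frame(data):
    """Parse MBAP + PDU into a dict; raise ValueError on malformed input."""
    if len(data) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(data)
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(data) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    fc = data[7]
    frame = {"transaction_id": tid, "unit_id": unit, "function_code": fc & 0x7F,
             "function": FUNCTION_NAMES.get(fc & 0x7F, "unknown"),
             "exception": bool(fc & 0x80), "payload": data[8:]}
    # Requests for FC 3/4/6 carry a 16-bit address plus a count or value, as plain big-endian integers.
    if not frame["exception"] and frame["function_code"] in (0x03, 0x04, 0x06) and len(frame["payload"]) >= 4:
        frame["address"], frame["value_or_count"] = struct.unpack(">HH", frame["payload"][:4])
    return frame


def parse_device_identification(data):
    """Objects from a Read Device Identification reply: 0 = VendorName, 1 = ProductCode, 2 = MajorMinorRevision."""
    frame = decode_frame(data)
    p = frame["payload"]
    if frame["function_code"] != 0x2B or frame["exception"] or len(p) < 6 or p[0] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    # payload: MEI type, read code, conformity level, more follows, next object id, object count, objects
    objects, off = {}, 6
    for _ in range(p[5]):
        oid, olen = p[off], p[off + 1]
        objects[oid] = p[off + 2:off + 2 + olen].decode("ascii", "replace")
        off += 2 + olen
    return objects


def flag_unauthorized_writes(frames, allowed_writers):
    """Passive monitor over (source_ip, frame) pairs: report write requests from hosts outside the allow list."""
    alerts = []
    for src, raw in frames:
        try:
            f = decode_frame(raw)
        except ValueError:
            continue
        if f["function_code"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, f["function"], f["unit_id"], f.get("address"), f.get("value_or_count")))
    return alerts


# Constructed sample traffic (not a real capture): an HMI that may write, and a stray host that may not.
SAMPLE_FRAMES = [
    ("10.0.0.5", read_holding_registers(1, 1, 0, 10)),
    ("10.0.0.5", write_single_register(2, 1, 100, 0x1234)),
    ("10.0.0.99", write_single_register(7, 1, 100, 0x0000)),
]
ALLOWED_WRITERS = {"10.0.0.5"}

# Constructed Read Device Identification reply from a fictitious PLC.
SAMPLE_DEVICE_ID_REPLY = build_frame(
    3, 1, 0x2B,
    bytes([0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
    + bytes([0x00, 13]) + b"ExampleVendor"
    + bytes([0x01, 8]) + b"PLC-1000"
    + bytes([0x02, 4]) + b"v1.2")

if __name__ == "__main__":
    print(parse_device_identification(SAMPLE_DEVICE_ID_REPLY))
    for alert in flag_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print("ALERT unauthorized write:", alert)
```

The same decoder works on frames pulled from a packet capture of port 502; the point of the allow-list check is that the write from 10.0.0.99 is indistinguishable from the HMI's write at the protocol level, so source-based policy in a firewall or monitor is the control.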

Related Search Engines

Shodan

Zoomeye

Information Gathering (Scanning Commands)

Several of the scripts named below (enip-enumerate, modicon-info, s7-enumerate, mms-identify) are community scripts from the repositories listed under Script Resources and must be copied into Nmap's script directory; they are not part of the stock distribution, whose own equivalents are enip-info, modbus-discover and s7-info (fox-info ships with Nmap). Keep scans slow and limited to the protocol port: -Pn avoids relying on ICMP, which many ICS hosts drop, and -sV sends generic version probes that have crashed older PLCs, so run version detection only in a lab or with the plant operator's approval and a maintenance window.

Ethernet/IP (port 44818):

nmap -p 44818 --script enip-enumerate.nse 85.132.179.*

Modbus (port 502):

nmap --script modicon-info.nse -Pn -p 502 -sV 91.83.43.*

IEC 60870-5-104 (port 2404; the -101 variant runs over serial links and has no TCP port):

nmap -Pn -n -d --script iec-identify.nse --script-args=iec-identify -p 2404 80.34.253.*

Siemens S7 (port 102; the second command targets IEC 61850 MMS, which shares the ISO-on-TCP port):

nmap -p 102 --script s7-enumerate -sV 140.207.152.*
nmap -d --script mms-identify.nse --script-args='mms-identify.timeout=500' -p 102 IP

Tridium Niagara Fox (port 1911):

nmap -p 1911 --script fox-info 99.55.238.*

Purpose of the NSE Scripts

Locate industrial control systems and protocol modules.

Collect information such as version, internal IP, module, and hardware details.

Feed the collected fingerprints (banners, module names, order numbers) back into search engines such as Shodan and ZoomEye to find further instances.
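As an added example (not the article's code and not Nmap's) of what the S7 scripts above actually do to collect module and hardware details: the three messages built below are the COTP connect request, the S7 setup-communication, and the SZL 0x0011 read that an s7-info-style script sends to TCP port 102, followed by a parser for the module-identification reply. The reply used offline is constructed, not captured from a real CPU; probe() performs the same exchange against a live host and assumes the usual rack 0 / slot 2 TSAP.

```python
"""Siemens S7 identification probe (S7comm over ISO-on-TCP, port 102).
Example code added to this article; the sample reply is constructed, not a real capture.
"""
import socket
import struct

S7_PORT = 102
COTP_DATA = bytes([0x02, 0xF0, 0x80])  # COTP DT header: length 2, PDU type DT, EOT set


def tpkt(payload):
    """TPKT (RFC 1006): version 3, reserved 0, 16-bit total length, then the COTP PDU."""
    return struct.pack(">BBH", 3, 0, len(payload) + 4) + payload


def cotp_connect_request(rack=0, slot=2):
    """COTP CR. The destination TSAP (0x01, rack<<5 | slot) addresses the CPU; scanners try slots 0-2."""
    params = (bytes([0xC0, 0x01, 0x0A])                          # TPDU size 2^10
              + bytes([0xC1, 0x02, 0x01, 0x00])                  # source TSAP
              + bytes([0xC2, 0x02, 0x01, (rack << 5) | slot]))   # destination TSAP
    body = bytes([0xE0]) + struct.pack(">HHB", 0, 1, 0) + params  # CR, dst ref, src ref, class 0
    return tpkt(bytes([len(body)]) + body)


def s7_header(rosctr, pdu_ref, param_len, data_len):
    """10-byte S7comm header: protocol id 0x32, ROSCTR (1 = Job, 7 = UserData), reserved, ref, lengths."""
    return struct.pack(">BBHHHH", 0x32, rosctr, 0, pdu_ref, param_len, data_len)


def s7_setup_communication(pdu_ref=0, pdu_size=480):
    """Negotiates PDU size and parallel jobs; the CPU expects this before any read."""
    param = struct.pack(">BBHHH", 0xF0, 0x00, 1, 1, pdu_size)
    return tpkt(COTP_DATA + s7_header(0x01, pdu_ref, len(param), 0) + param)


def s7_read_szl(szl_id, szl_index=0, pdu_ref=1):
    """UserData request, function group 4 (CPU functions), subfunction 1 (read SZL)."""
    param = bytes([0x00, 0x01, 0x12, 0x04, 0x11, 0x44, 0x01, 0x00])
    data = struct.pack(">BBHHH", 0xFF, 0x09, 4, szl_id, szl_index)  # ok, octet string, 4 bytes, id, index
    return tpkt(COTP_DATA + s7_header(0x07, pdu_ref, len(param), len(data)) + param + data)


def parse_szl_0011(frame):
    """SZL 0x0011 (module identification) reply -> list of 28-byte records.
    Index 1 = module order number (MLFB), 6 = basic hardware, 7 = basic firmware."""
    if len(frame) < 41 or frame[0] != 3 or frame[7] != 0x32 or frame[8] != 0x07:
        raise ValueError("not an S7 UserData frame")
    data = frame[29:]                      # TPKT 4 + COTP 3 + header 10 + response parameter 12
    ret, _tsize, _dlen = struct.unpack_from(">BBH", data, 0)
    if ret != 0xFF:
        raise ValueError("SZL read failed, return code 0x%02x" % ret)
    szl_id, _index, rec_len, rec_count = struct.unpack_from(">HHHH", data, 4)
    if szl_id != 0x0011 or rec_len != 28:
        raise ValueError("unexpected SZL id 0x%04x / record length %d" % (szl_id, rec_len))
    records, off = [], 12
    for _ in range(rec_count):
        idx, mlfb, bgtyp, ausbg1, ausbe1 = struct.unpack_from(">H20sHHH", data, off)
        records.append({"index": idx, "mlfb": mlfb.decode("ascii", "replace").strip(),
                        "bgtyp": bgtyp, "ausbg1": ausbg1, "ausbe1": ausbe1})
        off += rec_len
    return records


def _sample_szl_0011_reply(records):
    """Constructed reply in the layout parse_szl_0011 expects; offline use only."""
    body = b"".join(struct.pack(">H20sHHH", i, m.ljust(20).encode(), b, a1, a2) for i, m, b, a1, a2 in records)
    data = struct.pack(">BBH", 0xFF, 0x09, 8 + len(body)) + struct.pack(">HHHH", 0x0011, 0, 28, len(records)) + body
    param = bytes([0x00, 0x01, 0x12, 0x08, 0x12, 0x84, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00])  # response, no error
    return tpkt(COTP_DATA + s7_header(0x07, 1, len(param), len(data)) + param + data)


SAMPLE_REPLY = _sample_szl_0011_reply([          # constructed values, not from a real CPU
    (0x0001, "6ES7 315-2EH14-0AB0", 0x00C0, 0x0003, 0x0001),   # module order number
    (0x0006, "6ES7 315-2EH14-0AB0", 0x00C0, 0x0003, 0x0001),   # basic hardware
    (0x0007, "6ES7 315-2EH14-0AB0", 0x00C0, 0x0003, 0x0006),   # basic firmware
])


def probe(host, rack=0, slot=2, timeout=3.0):
    """Run the exchange against a live CPU (not exercised offline) and return its SZL 0x0011 records."""
    with socket.create_connection((host, S7_PORT), timeout=timeout) as s:
        s.sendall(cotp_connect_request(rack, slot))
        if s.recv(1024)[5:6] != b"\xd0":            # COTP CC expected; anything else means wrong TSAP
            raise ConnectionError("COTP connect refused (wrong rack/slot?)")
        s.sendall(s7_setup_communication())
        s.recv(1024)
        s.sendall(s7_read_szl(0x0011))
        return parse_szl_0011(s.recv(4096))


if __name__ == "__main__":
    for rec in parse_szl_0011(SAMPLE_REPLY):
        print(rec)
```

Nothing in this exchange authenticates the client: whoever completes the COTP handshake can read the SZL tables, which is why the order numbers and firmware versions the NSE scripts report are available to any host on the network, and why the same handshake is the first step of the start/stop and memory-read tools listed under Script Resources.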

Script Resources

GitHub test scripts: https://github.com/atimorin/scada-tools, https://github.com/atimorin/PoC2013, https://github.com/drainware/scada-tools, https://github.com/drainware/nmap-scada

Exploit‑DB scripts: https://www.exploit-db.com/exploits/19833/, https://www.exploit-db.com/exploits/19832/, https://www.exploit-db.com/exploits/19831/

Analysis of Industrial Control Vulnerabilities (Wooyun)

Most incidents stem from weak passwords (e.g., "123456", "admin") and injection flaws.

Key research has been presented at conferences such as KCon 2015.

Two main challenges: discovering SCADA/ICS assets and, after gaining a shell, manipulating the system using domain knowledge.

Detailed vulnerability information can guide further testing and expansion of attack vectors.

Search terms like "inurl:SCADA" or keywords such as MIS, SIS, DCS, PLC, ICS help locate relevant targets.

Reference Resources

ZoomEye SCADA topic: http://ics.zoomeye.org/

Shodan SCADA report: https://www.shodan.io/report/l7VjfVKc

Expert blogs and repositories: http://plcscan.org/blog/, https://github.com/evilcos/papers, http://zone.wooyun.org/content/14428

Protocol security analysis firms: http://www.codenomicon.com/cn/

Modbus learning article: http://www.cnblogs.com/luomingui/archive/2013/06/14/Modbus.html
