Security Experts:

Shadowserver Starts Conducting Daily Scans to Help Secure ICS

The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks.

The nonprofit cybersecurity organization is scanning the web for exposed services that use the Modbus industrial communications protocol on TCP port 502, but Shadowserver’s Piotr Kijewski told SecurityWeek that they plan on introducing many other ICS and operational technology (OT) protocol scans in the near future.

Shadowserver has been working with national cybersecurity agencies, law enforcement, private companies and security researchers worldwide to provide free information that defenders can use to mitigate vulnerabilities, detect malicious activities, and counter threats. The organization describes itself as the “world's largest provider of free, public benefit cyber threat intelligence data feeds.”

The first daily ICS scan conducted by Shadowserver revealed more than 6,300 unique IP addresses corresponding to exposed Modbus services. A majority are associated with Siemens products, followed by ABB, AB Regin, Schneider Electric’s Telemecanique, Solare Datensysteme, Invensys, Delta Electronics, Huawei, Rockwell Automation (Allen Bradley), Alpes Technologies, SE-Elektronic, COPA-DATA, WEG, and Synchronic.

More than 900 of the exposed systems are in the United States, followed by Spain, Sweden, France, Turkey and Italy.

Shadowserver ICS scan

“Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats,” Kijewski explained. “One of the ways we do this is by alerting the owners/admins of these IPs or responsible National CSIRTs of any unnecessarily exposed services that we find, so that they can respond by blocking access to them. This is the case with the Modbus scan.”

Learn more about the exposure of industrial systems at SecurityWeek’s ICS Cyber Security Conference

Shadowserver has been scanning the internet for many types of protocols for nearly a decade, adding new protocols each year.

In the case of the Modbus scans, the organization pointed out on its website, “It is unlikely that these types of devices need to be accessible in any form to queries from the Internet, so unless you are running a honeypot you are strongly advised to act immediately and block access.”

Kijewski said the collected data is primarily for incident response, but the organization is also monitoring the data for trends.

The expert admitted that others are conducting similar scans, but noted that Shadowserver’s reports are provided to administrators and network owners free of charge.

“We also scan daily, which is not always the case for other services,” Kijewski explained. “Additionally, different scanning sources can give slightly different results, depending on how they scan and where from, so it is usually a good idea to use multiple sources of such information regardless.”

Related: Vulnerabilities in OpENer Stack Expose Industrial Devices to Attacks

Related: InHand Router Flaws Could Expose Many Industrial Companies to Remote Attacks

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.