Security Experts:

Connect with us

Hi, what are you looking for?



Shadowserver Starts Conducting Daily Scans to Help Secure ICS

The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks.

The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks.

The nonprofit cybersecurity organization is scanning the web for exposed services that use the Modbus industrial communications protocol on TCP port 502, but Shadowserver’s Piotr Kijewski told SecurityWeek that they plan on introducing many other ICS and operational technology (OT) protocol scans in the near future.

Shadowserver has been working with national cybersecurity agencies, law enforcement, private companies and security researchers worldwide to provide free information that defenders can use to mitigate vulnerabilities, detect malicious activities, and counter threats. The organization describes itself as the “world’s largest provider of free, public benefit cyber threat intelligence data feeds.”

The first daily ICS scan conducted by Shadowserver revealed more than 6,300 unique IP addresses corresponding to exposed Modbus services. A majority are associated with Siemens products, followed by ABB, AB Regin, Schneider Electric’s Telemecanique, Solare Datensysteme, Invensys, Delta Electronics, Huawei, Rockwell Automation (Allen Bradley), Alpes Technologies, SE-Elektronic, COPA-DATA, WEG, and Synchronic.

More than 900 of the exposed systems are in the United States, followed by Spain, Sweden, France, Turkey and Italy.

Shadowserver ICS scan

“Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats,” Kijewski explained. “One of the ways we do this is by alerting the owners/admins of these IPs or responsible National CSIRTs of any unnecessarily exposed services that we find, so that they can respond by blocking access to them. This is the case with the Modbus scan.”

Learn more about the exposure of industrial systems at SecurityWeek’s ICS Cyber Security Conference

Shadowserver has been scanning the internet for many types of protocols for nearly a decade, adding new protocols each year.

In the case of the Modbus scans, the organization pointed out on its website, “It is unlikely that these types of devices need to be accessible in any form to queries from the Internet, so unless you are running a honeypot you are strongly advised to act immediately and block access.”

Kijewski said the collected data is primarily for incident response, but the organization is also monitoring the data for trends.

The expert admitted that others are conducting similar scans, but noted that Shadowserver’s reports are provided to administrators and network owners free of charge.

“We also scan daily, which is not always the case for other services,” Kijewski explained. “Additionally, different scanning sources can give slightly different results, depending on how they scan and where from, so it is usually a good idea to use multiple sources of such information regardless.”

Related: Vulnerabilities in OpENer Stack Expose Industrial Devices to Attacks

Related: InHand Router Flaws Could Expose Many Industrial Companies to Remote Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.