What are the recommended settings for scanning SCADA environments?

Supervisory Control and Data Acquisition (SCADA) is a control system architecture that combines computers, network communication protocols and graphical user interfaces. The SCADA concept was developed to remotely connect programmable logic controllers (PLCs) from different manufacturers through standard automation protocols.

As SCADA deployments have grown and become increasingly exposed to the corporate network infrastructure, their vulnerabilities are also being exposed and exploited by attackers.

It is important to scan your SCADA environment, even though scanning it can be unpredictable and may sometimes lead to unwanted downtime. For this reason you should always be careful when you start scanning your network, and we recommend following the steps below when using Holm Security VMP to make the process as safe as possible.

You can locate connected SCADA devices on your network by importing the profile "Network scan profile - SCADA-OT" directly, by following this article: https://support.holmsecurity.com/hc/en-us/articles/360019251980, or by adding these categories yourself to the Discovery scan profile:

  • Product detection

Note: Some SCADA products can only be detected using Authenticated Network scan.

You should also exclude the following vulnerability tests and ports to minimize the impact of the scan and the risk of downtime, since these tests perform login and/or brute-force attempts:

  • HID-2-1-334618 (PostgreSQL)
  • HID-2-1-334868 (JDownloader)
  • HID-2-1-374686 (Sybase)
  • HID-2-1-332787 (VMware)
  • HID-2-1-332776 (VMware)
  • Port: 22 (SSH)

Now you are ready to run your discovery scan.

When you have an overview of your SCADA environment, you are ready to execute the vulnerability scan.
Holm Security strongly advises you to take extra precautions when performing a vulnerability scan. Isolate your SCADA environment and start by scanning 1-2 IP addresses, then slowly expand the range.

Start from the Network scan - Standard profile, modify it to lower the impact as described below, and afterwards analyze how the systems respond.

  1. Follow the steps mentioned in the beginning.
    - Include categories.
    - Exclude vulnerability tests/ports. 
  2. Change the Performance setting to Low.
    This will lower the intensity of the scan.

With these settings you are ready to run your first vulnerability scan in an isolated environment.

If your SCADA environment is still stable, you can change the Performance setting to Medium and continue to slowly expand your IP range.

If a vulnerability scan for some reason causes issues, treat this as a potential vulnerability in your SCADA environment: a device that is disrupted by scan traffic is just as exposed to an attacker sending the same traffic. Take the necessary precautions before continuing.
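The staged rollout described above (isolate the segment, scan a couple of addresses, confirm the devices still respond, widen the range, and stop as soon as a scan correlates with a device dropping out) can be driven by a small script. The following is an added example, not part of the original article and not Holm Security code: it does not call the Holm Security VMP API. The scan trigger and the health probe are caller-supplied callables (hypothetical), and the SimulatedPlant class and the 10.0.0.0/28 network are constructed so the example runs offline.

```python
"""Staged vulnerability-scan rollout for a SCADA range.

Added example, not Holm Security code. The scan itself and the health probe
are passed in as callables so the control logic can be exercised offline; in
production `scan` would trigger the (Low performance) scan for the batch and
`probe` would be something like `tcp_probe` below.
"""
import ipaddress
import socket
from typing import Callable, Dict, List


def expansion_batches(network: str, start: int = 2, factor: int = 2) -> List[List[str]]:
    """Split the host addresses of `network` into batches that grow
    geometrically (2, 4, 8, ...), so the first scan touches only a few devices."""
    hosts = [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    batches, pos, size = [], 0, start
    while pos < len(hosts):
        batches.append(hosts[pos:pos + size])
        pos += size
        size *= factor
    return batches


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Health check for real use: is the device still accepting TCP connections
    on `port` (for example 502 for Modbus/TCP, or the HMI's web port)?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def staged_rollout(network: str,
                   scan: Callable[[List[str]], None],
                   probe: Callable[[str], bool],
                   start: int = 2,
                   factor: int = 2) -> Dict:
    """Scan batch by batch. Each batch is probed before and after the scan; any
    host that answered before but not after is treated as a scan-induced
    outage, and the rollout halts so that device can be investigated."""
    report: Dict = {"status": "ok", "batch": None, "affected": [], "scanned": []}
    for batch in expansion_batches(network, start, factor):
        baseline = {h for h in batch if probe(h)}
        scan(batch)
        still_up = {h for h in batch if probe(h)}
        report["scanned"].extend(batch)
        lost = sorted(baseline - still_up, key=ipaddress.ip_address)
        if lost:
            report.update(status="halted", batch=batch, affected=lost)
            break
    return report


class SimulatedPlant:
    """Constructed stand-in for a SCADA network, used only so the example runs
    offline: every host answers the probe until it has been scanned; hosts in
    `fragile` stop answering once scanned, mimicking a PLC that hangs."""
    def __init__(self, fragile: List[str]) -> None:
        self.fragile = set(fragile)
        self.down: set = set()

    def scan(self, batch: List[str]) -> None:
        self.down |= self.fragile & set(batch)

    def probe(self, host: str) -> bool:
        return host not in self.down


if __name__ == "__main__":
    # Constructed scenario: 10.0.0.5 is a device that hangs when scanned.
    plant = SimulatedPlant(fragile=["10.0.0.5"])
    print(staged_rollout("10.0.0.0/28", plant.scan, plant.probe))
    # Against a real segment the probe would be e.g. lambda h: tcp_probe(h, 502)
```

The probe is deliberately a TCP connect to the device's service port rather than an ICMP ping: a controller whose protocol stack has wedged may still answer ping while its Modbus or HMI service is gone. Run the rollout from inside the isolated segment and investigate any host listed under `affected` before widening the range.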

Please note:
Holm Security cannot guarantee that vulnerability scanning of your SCADA environment will not cause any issues. It should therefore be used with extra precaution and first tested in an isolated and controlled environment.
