What are the recommended settings for scanning SCADA environments?

Supervisory Control and Data Acquisition (SCADA) is a control system
architecture that uses computers, network communication protocols
and graphical user interfaces. The SCADA concept was developed to remotely
connect programmable logic controllers from different manufacturers
through standard automation protocols.
As SCADA development has moved forward and rapidly increased its exposure to
the company's network infrastructure, its vulnerabilities are also being
exposed and exploited by cybercriminals.

It is important to scan your SCADA environment, even though scanning it can be
unpredictable and may sometimes lead to unwanted downtime. For this reason
you should always be careful when you start scanning your network, and we
recommend following these steps when using Holm Security VMP to make the
process as safe as possible.

You can locate and scan connected SCADA devices on your network by
importing the profile "Network scan profile - SCADA-OT" directly, following
this article: https://support.holmsecurity.com/hc/en-us/articles/360019251980,
or by including these categories yourself in the Basic scan profile:
Note: Some SCADA products can only be detected using Authenticated Network

We also recommend selecting the following options to minimize the impact of your
scan and the risk of downtime, since the tests they disable would otherwise
attempt login and/or brute force:

  • Skip potentially dangerous tests
  • Skip tests that perform active break-in attempts
  • Skip tests that perform active login attempts (optional, to avoid any type of login/authentication attempt)
  • Skip password brute forcing

Additionally, you can lower the intensity of the scan by changing Scan
Intensity to "Low" under the Performance tab.

With these settings, you are ready to run your first SCADA vulnerability scan in an
isolated environment.
Holm Security strongly advises you to take extra precautions when performing a
vulnerability scan. Isolate your SCADA environment, start by scanning 1-2
IPs, and then slowly expand the range.

If your SCADA environment is still stable, you can change the performance
setting to Medium and continue to slowly expand your IP address range.

It is crucial to be clear here: if a vulnerability scan, for some reason,
causes any issues, treat this as a potential vulnerability in your SCADA
environment and take the necessary precautions.
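The staged rollout described above, written out as an added example (not Holm Security code, and not the VMP API, which is not shown here): it checks that a profile has the recommended "skip" options and starts at Low, scans an address range in batches that begin with 2 IPs and grow slowly, and only raises intensity to Medium after the environment has stayed stable. The batch runner is a caller-supplied function; the one used here is a constructed simulation.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Callable, Iterable, List, Set, Tuple

# The three options the article recommends; "skip_login_attempts" is the
# article's optional fourth one and is accepted but not required.
REQUIRED_SKIPS = {"skip_dangerous_tests", "skip_break_in_attempts",
                  "skip_password_brute_force"}


@dataclass
class ScanProfile:
    intensity: str = "Low"                       # Low or Medium
    skips: Set[str] = field(default_factory=set)


def profile_problems(profile: ScanProfile) -> List[str]:
    """Return why a profile is unsafe for SCADA; empty list means it follows the article."""
    problems = [f"missing option: {s}" for s in sorted(REQUIRED_SKIPS - profile.skips)]
    if profile.intensity != "Low":
        problems.append(f"intensity must start at Low, got {profile.intensity}")
    return problems


def batches(cidr: str, start: int = 2) -> Iterable[List[str]]:
    """Yield host batches: the first has `start` IPs, each later one doubles."""
    hosts = [str(h) for h in ip_network(cidr).hosts()]
    i, size = 0, start
    while i < len(hosts):
        yield hosts[i:i + size]
        i, size = i + size, size * 2


def staged_rollout(cidr: str, profile: ScanProfile,
                   run_batch: Callable[[List[str], str], bool],
                   stable_before_medium: int = 2) -> List[Tuple[str, int]]:
    """Scan `cidr` batch by batch. run_batch(ips, intensity) returns True when the
    environment stayed stable. Returns the (intensity, batch size) history; any
    instability stops the rollout so it can be treated as a potential vulnerability."""
    if profile_problems(profile):
        raise ValueError("; ".join(profile_problems(profile)))
    history, intensity, stable = [], profile.intensity, 0
    for batch in batches(cidr):
        history.append((intensity, len(batch)))
        if not run_batch(batch, intensity):
            return history
        stable += 1
        if stable >= stable_before_medium:
            intensity = "Medium"               # still stable: allowed to step up
    return history
```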
