Title: Active Scanning in the Industrial Control Systems
Authors: Ondrej Pospisil, Petr Blazek, R. Fujdiak, J. Misurec
DOI: 10.1109/ISCSIC54682.2021.00049 (https://doi.org/10.1109/ISCSIC54682.2021.00049)
Venue: 2021 International Symposium on Computer Science and Intelligent Controls (ISCSIC)
Publication date: 2021-11-01
Citation count: 4
Record source: Semantic Scholar

Abstract
Industrial control system (ICS) networks have faced challenges in incident detection over the last few years. One of the issues harming ICS networks is active scanning of such infrastructures. Active scanning arises in two key scenarios: an attacker causing network damage, or the network owner exploring hosts and visualizing the network architecture; in both cases it can affect ICS network traffic. This paper demonstrates active scanning with two tools (Nmap, Zmap) from the penetration tester's perspective, describing the tester's operation in terms of its impact on communication failures or delays in the network. As part of this work, an industrial testbed was created to analyse the impact of scanning. While scanning with Zmap, communication between the device and the testbed network was lost completely; Nmap, on the other hand, caused a delay and an occasional network outage. The article then describes and visualizes the delay and outage data. These results clearly show that active scanners are not appropriate in industrial networks, as they can have a fatal impact on communication across the entire network.