A critical analysis of the industrial device scanners’ potentials, risks, and preventives

Industrial device scanners allow anyone to scan devices on private networks and the Internet. They were intended as network security tools, but they are commonly exploited as attack tools, as scanning can reveal vulnerable devices. However, from a defensive perspective, this vulnerability disclosure could be used to secure devices if characteristics such as type, model, manufacturer, and firmware could be identified. Automated scanning reports can help to apply security measures before an attacker finds a vulnerability. A complete device recognition procedure can then be seen as the basis for auditing networks and identifying vulnerabilities to mitigate cyber-attacks, especially among Industrial Internet of Things (IIoT) devices that are part of critical systems. In this survey, considering SCADA (Supervisory Control and Data Acquisition) systems as monitoring and control components of essential infrastructure, we focus on analyzing the architectures, specifications, and constraints of several industrial device scanners. In addition, we examine the information revealed by the scanners to identify the threats posed by them on industrial systems and networks. We analyze monthly and yearly statistics of cyber-attack incidents to investigate the role of these scanners in accelerating attacks. By presenting the findings of an experimentation, we highlight how easily anyone could identify hundreds of Internet-connected industrial devices in Sweden, which could lead to a major service interruption in industrial environments designed for minimal human involvement. We also discuss several methods to avoid scanners or reduce their identifying capabilities to conceal industrial devices from unauthorized access.