| Tool | Summary |
|---|---|
| Nmap + ZMap | (i) Open source, active. (ii) Uses a combination of ping sweeping, SYN scanning, and TCP connecting to determine which hosts reside on a network and which services they are operating. (iii) Version detection or a full TCP connection could cause legacy systems to misbehave. (iv) The Nmap Scripting Engine has allowed bespoke modules to be created for SCADA protocols such as Modbus. (v) Could potentially threaten the operation of an ICS/SCADA system. (vi) ZMap has an almost identical capability but can scan large area networks. |
| Nessus | (i) Commercial, active. (ii) Working on a "policy" framework, Nessus allows users to conduct host discovery and vulnerability analysis in a similar way to Nmap, again using ICMP, TCP, and ARP scanning. (iii) Unlike Nmap, Nessus has the ability to actively probe each service to report on potential vulnerabilities, which could cause accidental DoS on SCADA systems. |
| Passive Vulnerability Scanner | (i) Commercial, passive. (ii) Uses interface packet sniffing to dissect and analyse the data being sent over the network in order to gain information about the assets and services being deployed. (iii) Although it does not require any form of direct probing of nodes, PVS must be run continuously in order to gain a better understanding of the network it is monitoring. (iv) It is not intrusive, but the time it takes to analyse traffic is significantly higher than for the active alternatives. |
| Shodan | (i) Open source/membership based, active. (ii) Uses similar techniques to Nmap, ZMap, and Nessus to find the services that are running on internet-facing devices. (iii) All results are then stored in a database for users of the Shodan search engine to query against. (iv) As this tool uses the same technology as other active scanners, it too poses the risk of affecting ICS/SCADA systems, especially as it has the capability to scan globally, meaning any CNI running legacy software could be at significant risk. (v) Shodan has the potential to bring unwanted malicious attention to ICS/SCADA networks through the storing and reporting of information about ICS infrastructures. |
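The table's passive row (PVS) rests on one idea: an asset inventory can be built from traffic that is already on the wire, without sending the probes that the active rows warn may upset legacy controllers. The following Python script is an added illustration of that idea, not code from the paper or from any of the tools listed. It parses the Modbus/TCP MBAP header (transaction id, protocol id, length, unit id, function code) from a handful of constructed frames, records which hosts act as Modbus servers, which unit IDs and function codes they are addressed with, and which clients talk to them. The frame list, IP addresses and the function-code name map are assumptions made for the demo; only the MBAP layout and port 502 come from the Modbus/TCP specification.

```python
"""Passive Modbus/TCP asset inventory from observed frames (added example).

Nothing is transmitted: the inventory comes entirely from frames that a
sniffer would see on a SCADA segment, which is the passive approach the
table's PVS row describes.
"""
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502  # port registered for Modbus/TCP

# Assumed subset of function-code names, enough for the demo output.
FUNCTION_NAMES = {
    1: "Read Coils",
    3: "Read Holding Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}  # function codes that change controller state


def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header plus the function code that follows it.

    Layout: transaction id (2), protocol id (2, must be 0), length (2),
    unit id (1), then the PDU whose first byte is the function code.
    Returns a dict, or None if the bytes are not a plausible Modbus/TCP frame.
    """
    if len(payload) < 8:
        return None
    tid, pid, length, unit_id, fcode = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:
        return None
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        return None
    return {"transaction_id": tid, "unit_id": unit_id, "function": fcode}


def build_inventory(frames):
    """Return {server_ip: {"units": set, "functions": set, "clients": set}}.

    frames: iterable of (src_ip, dst_ip, dst_port, payload). Only requests
    sent to port 502 are used; responses are not needed to identify a server.
    """
    inventory = defaultdict(lambda: {"units": set(), "functions": set(), "clients": set()})
    for src, dst, dport, payload in frames:
        if dport != MODBUS_TCP_PORT:
            continue
        hdr = parse_mbap(payload)
        if hdr is None:
            continue  # not Modbus/TCP, or malformed: ignore rather than probe
        entry = inventory[dst]
        entry["units"].add(hdr["unit_id"])
        entry["functions"].add(hdr["function"])
        entry["clients"].add(src)
    return dict(inventory)


def write_capable_servers(inventory):
    """Servers observed receiving write requests; these deserve the closest watch."""
    return sorted(ip for ip, e in inventory.items() if e["functions"] & WRITE_FUNCTIONS)


def modbus_request(tid, unit_id, fcode, data: bytes) -> bytes:
    """Build a constructed request frame for the sample capture below."""
    pdu = bytes([fcode]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample capture: (src_ip, dst_ip, dst_port, payload).
SAMPLE_FRAMES = [
    ("10.0.0.10", "10.0.0.50", 502, modbus_request(1, 1, 3, b"\x00\x00\x00\x0a")),
    ("10.0.0.10", "10.0.0.50", 502, modbus_request(2, 1, 16, b"\x00\x10\x00\x01\x02\x00\x01")),
    ("10.0.0.11", "10.0.0.51", 502, modbus_request(7, 3, 1, b"\x00\x00\x00\x08")),
    ("10.0.0.11", "10.0.0.52", 80, b"GET / HTTP/1.0\r\n\r\n"),              # not Modbus
    ("10.0.0.12", "10.0.0.53", 502, b"\x00\x01\x00\x01\x00\x02\x01\x03"),  # protocol id != 0
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FRAMES)
    for ip, e in sorted(inv.items()):
        names = ", ".join(FUNCTION_NAMES.get(f, f"FC{f}") for f in sorted(e["functions"]))
        print(f"{ip}: units={sorted(e['units'])} functions=[{names}] clients={sorted(e['clients'])}")
    print("write-capable servers:", write_capable_servers(inv))
```

The trade-off in the table's PVS row shows up directly here: a host that never sends or receives Modbus traffic during the observation window is simply absent from the inventory, which is why a passive collector has to keep running to converge on a picture that an active scanner would obtain in one pass.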