Nmap scanning in OT networks? While Nmap is traditionally considered a host discovery and active port scanning tool for IT networks, it can be used in OT environments. I have created a QuickStart guide for using Nmap in ICS/OT environments (see download link below). Before you just start scanning away in your OT environment though, consider the following:

1. Any active scanning tool, such as Nmap, has the potential to impact system responsiveness and availability. Many OT assets, especially older ones, can have interoperability issues when scanned by Nmap, resulting in the asset failing, reloading or even completely crashing and needing to be replaced.

2. If risk to physical safety, environmental safety or production is ever in question for your environment, do not use Nmap in your OT network.

3. Active scanning should never be used inside production facility networks against Level 0 to 2 assets.

4. Consider using Nmap for scanning of "traditional IT systems" that are in use within the OT network, such as data historians, engineering workstations and domain controllers running Windows or Linux. Such testing should be coordinated in testing windows. Conducting Nmap scans on a regular basis against these very popular targets for attackers could help discover if a malicious service has been installed on these assets without your knowledge. Only scan these resources when a secondary system can be made immediately available to eliminate any risk of impacting production.

5. Reserve Nmap scanning of all other OT assets for backup facilities or for testing during Factory Acceptance Testing (FAT)/Site Acceptance Testing (SAT).

6. Be sure to scan your external Internet-facing ranges to ensure you do not have any assets directly exposed to the Internet.

You can find this, and my other QuickStart references for Shodan and Nmap, at https://lnkd.in/gPf5mzn8. If you have any questions, comments or suggestions, please just let me know!
#icssecurity #icscybersecurity #otsecurity #otcybersecurity #cybersecurity #shodan #nmap #pentest #pentesting
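As an added example (not part of the original post or the QuickStart guide), the shell wrapper below turns points 3 and 4 into a scope gate: it builds a conservative Nmap command line only for hosts inside an allow-listed Level 3/3.5 range, refuses anything in the Level 0-2 ranges, and diffs a host's open-port list against the last accepted baseline so a new listener on a historian or domain controller stands out between scheduled windows. The subnets and port lists are constructed; the Nmap flags are standard options, and the script only prints the command (dry run).

```shell
# Added example, not from the original post. Constructed Purdue-model scope:
# adjust to your own site's address plan before use.
set -u
LEVEL3_ALLOWED="10.30.0.0/16 10.35.0.0/24"      # historians, EWS, DCs (Level 3/3.5)
LEVEL0_2_FORBIDDEN="10.10.0.0/16 10.20.0.0/16"  # PLCs, RTUs, HMIs: never actively scanned
# ip_to_int 10.30.1.5 -> 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# ip_in_cidr IP CIDR -> success if IP lies inside CIDR
ip_in_cidr() {
  local ip net bits mask
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}
# classify_target IP -> forbidden | allowed | unscoped (forbidden list wins)
classify_target() {
  local cidr
  for cidr in $LEVEL0_2_FORBIDDEN; do
    if ip_in_cidr "$1" "$cidr"; then echo forbidden; return 0; fi
  done
  for cidr in $LEVEL3_ALLOWED; do
    if ip_in_cidr "$1" "$cidr"; then echo allowed; return 0; fi
  done
  echo unscoped
}
# build_scan_cmd IP -> prints a conservative Nmap command line for an allowed host and
# fails for anything else: connect scan, no ping sweep, polite timing, hard packet-rate
# cap, and the Level 0-2 ranges excluded again on the command line as a second guard.
build_scan_cmd() {
  [ "$(classify_target "$1")" = allowed ] || return 1
  printf 'nmap -n -Pn -sT -T2 --max-rate 20 --max-retries 1 -p 22,80,135,139,443,445,3389 --exclude %s -oA inventory-%s %s\n' \
    "$(echo $LEVEL0_2_FORBIDDEN | tr ' ' ,)" "$1" "$1"
}
# new_open_ports BASELINE CURRENT (comma-separated) -> ports open now but not in the
# last accepted baseline; a new listener on an EWS or DC warrants a look.
new_open_ports() {
  local p
  for p in $(echo "$2" | tr , ' '); do
    case ",$1," in *",$p,"*) ;; *) echo "$p" ;; esac
  done
}
# Dry run over constructed addresses: commands are printed, nothing is sent.
for t in 10.30.1.5 10.35.0.9 10.10.2.7 192.168.1.1; do
  printf '%-12s %s\n' "$t" "$(classify_target "$t")"
done
build_scan_cmd 10.30.1.5
build_scan_cmd 10.10.2.7 || echo "refused: Level 0-2 asset"
new_open_ports 22,135,445 22,135,445,4444   # prints 4444
```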
All good and useful info, Mike, for a still under-appreciated wide range of industries that use ICS/OT and are stuck between IT sec and OT no sec. Remember this includes all of critical network infrastructure (CNI).
Awesome 👍
controlthings.io covers this really well, especially in their course "Assessing and Exploiting Control Systems and IoT". Highly recommend the PDF for viewing: https://drive.google.com/file/d/1_22MtEjveuv-Apl2ghQrfR5TaSnSPJAG/view?usp=drive_web
Just adding a comment for your consideration, since many times I see people having this type of misunderstanding: even if it looks similar, I advise using NMAP for scanning but Wireshark for cybersecurity.
Some years ago I faced many problems with scanning tools in ICS/OT environments. I couldn't explain the risks better than you have done in this post, Mike Holcomb. Really useful! It will help many OT professionals! Thanks for sharing!
Thanks Michael for sharing this. I used another tool, zenmap-kbx in Kali Linux, which is the front-end version of nmap.
Thanks for sharing Mike Holcomb!
I was just investigating this option a few weeks ago. Thank you for the cheat sheet!
Agree. If you want to perform active scanning on assets located on level 3.5/3 of the Purdue Model, just be careful with all those legacy Windows OS like XP, 7, etc. that can malfunction or crash during an active query. My 2 cents.