Critical infrastructure must be handled with extra care: there have been reports of scans, and even plain ping sweeps, rebooting devices or knocking them offline. This is especially dangerous in production networks, where damage or service disruption can cost an organization hundreds of thousands, even millions, of dollars. For this reason we can't aggressively scan the network to gather as much information as possible; instead, a carefully selected list of probes must be used.
This recipe shows you how to identify common ICS SCADA protocols safely with Nmap.
Open your terminal and enter the following Nmap command:
$ nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p80,102,443,502,530,593,789,1089-1091,1911,1962,2222,2404,4000,4840,4843,4911,9600,19999,20000,20547,34962-34964,34980,44818,46823,46824,55000-55003 <target>
Each port listed corresponds to a known ICS SCADA protocol. Keep in mind that this can be a false...
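As an added example that is not part of the original recipe, the Python script below audits an Nmap XML result (produced by running the command above with -oX): it checks that the command line recorded by Nmap carried the conservative options the recipe depends on, and maps the open ports to the ICS protocol normally found on them. The port-to-protocol table covers only part of the recipe's port list, and the sample XML is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Well-known protocol assignments for a subset of the recipe's port list.
# Open ports not in this table are reported as "unmapped" rather than guessed.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Tridium Niagara Fox",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    9600: "Omron FINS",
    20000: "DNP3",
    34962: "PROFINET", 34963: "PROFINET", 34964: "PROFINET",
    44818: "EtherNet/IP (CIP)",
}

# Options the recipe uses to keep the scan gentle: no ping, full TCP connect,
# a delay between probes, and one probe at a time.
SAFE_FLAGS = {
    "-Pn": r"(^|\s)-Pn(\s|$)",
    "-sT": r"(^|\s)-sT(\s|$)",
    "--scan-delay": r"--scan-delay[= ]\d+",
    "--max-parallelism 1": r"--max-parallelism[= ]1(\D|$)",
}

def missing_safety_flags(args: str) -> list:
    """Return the recipe's safety options absent from an Nmap command line."""
    return [name for name, pat in SAFE_FLAGS.items() if not re.search(pat, args)]

def audit(nmap_xml: str) -> dict:
    """Check the recorded command line and list open ICS ports per host."""
    root = ET.fromstring(nmap_xml)          # <nmaprun args="..."> is the root
    hosts = {}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            portid = int(port.get("portid"))
            hosts.setdefault(addr, []).append((portid, ICS_PORTS.get(portid, "unmapped")))
    return {"missing_flags": missing_safety_flags(root.get("args", "")), "hosts": hosts}

# Constructed sample in Nmap's XML layout (not a real scan result).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p102,502,2404,44818 -oX scan.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="102"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="502"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="2404"><state state="closed" reason="conn-refused"/></port>
<port protocol="tcp" portid="44818"><state state="open" reason="syn-ack"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    print(audit(SAMPLE_XML))
```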