SimaticScan: towards a specialised vulnerability scanner for industrial control systems

Antrobus, Rob and Frey, Sylvain and Green, Benjamin and Rashid, Awais (2016) SimaticScan: towards a specialised vulnerability scanner for industrial control systems. In: Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research. BCS.

PDF: SimaticScan_camera_ready.pdf (Accepted Version), available under License Creative Commons Attribution-NonCommercial.



Over the years, modern Industrial Control Systems (ICS) have become widely computerised and connected via the Internet and are, therefore, potentially vulnerable to cyber attacks. Currently, there is a lack of vulnerability scanners specialised to ICS settings. Systems such as PLCScan and ModScan output pertinent information from a Programmable Logic Controller (PLC). However, they do not offer any information as to how vulnerable a PLC is to an attack. In this paper, we address these limitations and propose SimaticScan, a vulnerability scanner specialised to Siemens SIMATIC PLCs. Through experimentation in a comprehensive water treatment testbed, we demonstrate SimaticScan's effectiveness in determining a range of vulnerabilities across three distinct PLCs, including a previously unknown vulnerability in one of the PLCs. Our experiments also show that SimaticScan outperforms the widely used Nessus vulnerability scanner (with relevant ICS-specific plugins deployed).

Item Type: Contribution in Book/Report/Proceedings
Deposited On: 27 Jul 2016 10:18
Last Modified: 18 Jul 2024 00:10