Remote System Discovery: Port Scan

Adversaries may perform a port scan on a system, device, or network to identify live hosts, enumerate open ports and running services, identify operating systems, and map out the network.[1] The results of a port scan may inform adversary Discovery, Lateral Movement, and vulnerability exploitation decisions (Exploitation for Evasion, Exploitation for Privilege Escalation, Exploitation of Remote Services).

Some common tools for executing a port scan include nmap, netcat, and the Advanced Port Scanner.

ID: T0846.001
Sub-technique of: T0846
Tactic: Discovery
Version: 1.0
Created: 20 April 2026
Last Modified: 23 April 2026

Procedure Examples

ID Name Description
C0063 2025 Poland Wiper Attacks

During the 2025 Poland Wiper Attacks, the adversaries used Advanced Port Scanner and Advanced IP Scanner to conduct remote system discovery activities.[2]

S1045 INCONTROLLER

INCONTROLLER has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.[3]

S0604 Industroyer

The Industroyer IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.[4]

S1006 PLC-Blaster

PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102.[5]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0017 Distributed Control System (DCS) Controller
A0016 Firewall
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0018 Programmable Automation Controller (PAC)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0014 Routers
A0010 Safety Controller
A0015 Switch
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0931 Network Intrusion Prevention

Use network intrusion detection/prevention systems to detect and prevent port scans.

M0930 Network Segmentation

Ensure proper network segmentation is followed to protect critical systems and devices.

M0814 Static Network Configuration

ICS environments typically have more statically defined devices, so minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.[6][7] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery[8], BACnet[9], and Ethernet/IP.[10]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0907 Detection of Port Scan AN2050

Monitor for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation events with network connection data.

Monitor for hosts enumerating network-connected resources using non-ICS enterprise protocols.
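The first analytic above, correlating process creation with network connection events, worked through as an added example that is not part of the MITRE page or of any referenced product. The Python below assumes Sysmon-style field names (EventID 1 for process creation, EventID 3 for network connections, ProcessGuid, Image, User, UtcTime, DestinationIp, DestinationPort), assumes the fan-out thresholds and 60-second window, and runs over constructed sample records; the only values taken from the page are ports 102 and 4840 from the procedure examples.

```python
"""Detection of scanning processes over constructed host telemetry.

Process-creation events (Sysmon-style EventID 1) are correlated with
network-connection events (EventID 3) by ProcessGuid, and a process is
flagged when, inside a sliding time window, it reaches many distinct
destination hosts or many distinct destination ports. Field names,
thresholds and every record below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Ports named in the procedure examples: 102 (IEC 61850 / S7) and 4840 (OPC UA).
ICS_PORTS = {102, 4840}


def _ts(record):
    return datetime.strptime(record["UtcTime"], FMT)


def correlate(events):
    """Index process-creation records by ProcessGuid and group connections under them."""
    procs, conns = {}, defaultdict(list)
    for ev in events:
        if ev["EventID"] == 1:
            procs[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 3:
            conns[ev["ProcessGuid"]].append(ev)
    return procs, conns


def detect_scans(events, window=timedelta(seconds=60), host_threshold=5, port_threshold=10):
    """Return one alert per process whose connections within `window` fan out widely."""
    procs, conns = correlate(events)
    alerts = []
    for guid, records in conns.items():
        records.sort(key=_ts)
        for i, first in enumerate(records):
            # Every connection this process made in the window opened by `first`.
            in_window = [r for r in records[i:] if _ts(r) - _ts(first) <= window]
            hosts = {r["DestinationIp"] for r in in_window}
            ports = {r["DestinationPort"] for r in in_window}
            if len(hosts) >= host_threshold or len(ports) >= port_threshold:
                proc = procs.get(guid, {})
                alerts.append({
                    "process_guid": guid,
                    "image": proc.get("Image", "<unknown: no EventID 1 seen>"),
                    "user": proc.get("User", "<unknown>"),
                    "window_start": first["UtcTime"],
                    "distinct_hosts": len(hosts),
                    "distinct_ports": len(ports),
                    "ics_ports": sorted(ports & ICS_PORTS),
                })
                break  # one alert per process is enough; move on
    return alerts


def constructed_events():
    """Constructed telemetry: one sweeping process and one legitimate HMI poller."""
    events = [
        {"EventID": 1, "UtcTime": "2025-06-01 10:00:00", "ProcessGuid": "{proc-A}",
         "Image": "C:\\Users\\op\\Downloads\\scanner.exe", "User": "PLANT\\op"},
        {"EventID": 1, "UtcTime": "2025-06-01 09:00:00", "ProcessGuid": "{proc-B}",
         "Image": "C:\\Program Files\\HMI\\hmi.exe", "User": "PLANT\\svc_hmi"},
    ]
    t = datetime(2025, 6, 1, 10, 0, 1)
    for i in range(1, 9):                 # scanner.exe touches eight hosts on 102 and 4840
        for port in (102, 4840):
            events.append({"EventID": 3, "UtcTime": t.strftime(FMT), "ProcessGuid": "{proc-A}",
                           "DestinationIp": f"10.10.1.{i}", "DestinationPort": port})
            t += timedelta(seconds=1)
    t = datetime(2025, 6, 1, 10, 0, 0)
    for _ in range(20):                   # hmi.exe polls one PLC on 102 every five seconds
        events.append({"EventID": 3, "UtcTime": t.strftime(FMT), "ProcessGuid": "{proc-B}",
                       "DestinationIp": "10.10.1.1", "DestinationPort": 102})
        t += timedelta(seconds=5)
    return events


if __name__ == "__main__":
    for alert in detect_scans(constructed_events()):
        print(alert)
```

The HMI process polls a single controller on port 102 repeatedly and is never flagged, while the sweeping process trips the host threshold as soon as its first window fills; tuning the thresholds to the site's normal polling pattern is what separates this from a noisy connection counter, and the `ics_ports` field lets an analyst see at a glance whether the fan-out touched automation protocols.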

References