SCADA Hacking: Finding Specific SCADA Systems with Censys

Updated: Dec 28, 2022

Welcome back, my aspiring SCADA Security Engineer!

As you know, SCADA/ICS systems around the world are under attack. These systems are industrial systems that make up the infrastructure of any nation's economy and are the prime targets in any cyberwar. In such a war, these systems can be easily found via a variety of tools such as;

In this tutorial I will demonstrate another excellent source for scouring the Internet for industrial systems, Censys.

For an overview of Censys, see my tutorial here.

Censys for SCADA/ICS

Censys uses heuristic techniques to categorize hosts into "tags". These tags simply represent hosts that have similar "heuristics". Think of heuristics as "if it walks like a duck and quacks like a duck, there is a VERY high probability it IS a duck!"

But as we know, these types of heuristic systems are prone to some error. Take these results as less than deterministic but with a high probability of being correct.

The figure below shows a list of the most widely found "tags" that Censys identifies on the internet.

We can use these tags to help us find systems that "quack" like a SCADA system. SCADA systems are so distinctively different from other systems that when scanned by Zmap or nmap, their probability of being SCADA systems is very high.

We can narrow our search by a multitude of choices, but if we were looking for SCADA systems where the PLCs were manufactured by the German industrial giant Siemens (their PLCs were the target of the Stuxnet attack on Iran), we could create a search such as:

tags:scada AND metadata.manufacturer:siemens

We can further narrow our search to those found in a particular country such as Germany, using the logical AND and then appending an additional condition of location.country_code and giving it a value of DE (Germany).

tags:scada AND metadata.manufacturer:siemens AND location.country_code:DE


One of the features I like best about Censys is the concept of "boosting". This comes in handy if you have two fields where one is far more important than the other. The logical "AND" normally gives equal weight to both terms. With boosting, you can convey that one field is more important than the other. Furthermore, this boosting can be weighted.

For instance, if I were looking for systems with the modbus protocol and had a tag of "SCADA", I would probably want to place a lot more weight on the modbus protocol and less on Censys's SCADA tag. Remember, the tag is developed by heuristics and won't always be correct.

We could convey this unequal importance to Censys by appending a "^" plus a number registering the weight we want to give to that field.

tags:scada AND protocols:"502/modbus"^3

As you can see in the results above, we were able to retrieve information on sites that are tagged SCADA AND are running the modbus protocol with a heavier emphasis on "modbus".


We can find SCADA/ICS systems connected to the Internet through a variety of tools such as Shodan and nmap, but Censys can augment that data with nearly real-time data from a wide variety of fields gathered via Zmap.

I think Censys takes us to the next level of understanding the attack surface of nearly every system on the planet in nearly real-time. That makes Censys an incredibly powerful tool to monitor the threat landscape of your company and the cyber war landscape of geopolitics.
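For the company-monitoring use mentioned above, here is an added example (not from the original tutorial and not Censys code) that applies the tutorial's AND queries offline to an inventory of scan records and reports only hosts inside your own address ranges. The record layout, the function names and the sample data are assumptions constructed for illustration; the "^" boost is parsed but not used for matching, since it expresses relevance rather than a filter.

```python
import ipaddress
import re

# One clause: field:value or field:"quoted value", with an optional ^N boost.
CLAUSE = re.compile(r'^([\w.]+):(?:"([^"]*)"|([^\s^"]+))(?:\^(\d+))?$')

def parse_query(query):
    """Split an AND-only query into (field, value, boost) tuples."""
    clauses = []
    for part in re.split(r"\s+AND\s+", query.strip()):
        m = CLAUSE.match(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        value = m.group(2) if m.group(2) is not None else m.group(3)
        clauses.append((m.group(1), value.lower(), int(m.group(4) or 1)))
    return clauses

def field_values(record, dotted):
    """Resolve a dotted field name; always return a list of lowercase strings."""
    node = record
    for key in dotted.split("."):
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return []  # field absent from this record
    return [str(i).lower() for i in (node if isinstance(node, list) else [node])]

def exposed_in_scope(records, query, own_cidrs):
    """IPs inside own_cidrs matching every clause (boost ranks, never filters)."""
    nets = [ipaddress.ip_network(c) for c in own_cidrs]
    clauses = parse_query(query)
    hits = []
    for rec in records:
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in n for n in nets):
            continue  # outside our own address space
        if all(v in field_values(rec, f) for f, v, _ in clauses):
            hits.append(rec["ip"])
    return hits

# Constructed inventory records (documentation-range IPs, not real hosts).
SAMPLE = [
    {"ip": "192.0.2.10", "tags": ["scada"], "protocols": ["502/modbus", "80/http"],
     "metadata": {"manufacturer": "Siemens"}, "location": {"country_code": "DE"}},
    {"ip": "192.0.2.20", "tags": ["scada"], "protocols": ["102/s7"],
     "metadata": {"manufacturer": "Siemens"}, "location": {"country_code": "DE"}},
    {"ip": "198.51.100.5", "tags": ["scada"], "protocols": ["502/modbus"],
     "metadata": {"manufacturer": "Siemens"}, "location": {"country_code": "US"}},
    {"ip": "192.0.2.30", "tags": ["http"], "protocols": ["502/modbus"]},
]
```

Any host this returns is an industrial device in your own ranges that an outside scanner can see, which makes it a candidate for firewalling or moving behind a VPN.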
