Stephen has been busy cranking out the Project Redpoint Nmap enumeration scripts for ICS applications, devices and protocols. The latest we have made public is a NSE to identify and enumerate EtherNet/IP devices.
EtherNet/IP is used in the Logix family of Allen Bradley PLCs and a variety of other smaller vendors that are members of the ODVA. It is another insecure by design ICS protocol, and we released a Metasploit module to demonstrate this as part of Project Basecamp.
The script allows Nmap to positively identify EtherNet/IP protocol stacks and collect enumeration information such as vendor, product name and device type. The Device IP address can differ from the address scanned if the EtherNet/IP Device IP is being NATed. This is useful if you are trying to route through or pivot from the device.
Of course you will find EtherNet/IP devices on the Internet, but we use it to insure there are not EtherNet/IP devices on the corporate network and for carefully selected scanning of the ICS network.