My advice: Before going going all ballistic on "huge security problems" first learn about how instrument control over TCP/IP works and what protocols are there.
Another advice: NMAP just provides scan. Interpretation is left to the operator.
Siglent have SAME or better commitment to security as any T&M company has. Oscilloscopes (or any piece of T&M equipment) are not secured, hardened devices to be put on the Internet.
None of T&M protocols are secure... Devices also support easy enumeration by any host on LAN.
I dare you to take ANY scope from any manufacturer and you will see same or more ports.
Another fun fact: If you want to connect to your scope for some protocol you will need a service for that protocol and a listener listening on some port. Meaning if scope gives you a way of connecting to it, there will be ports open. I know, shocking.
Therefore, for security reason I think we should disable all ports on all devices. Kind of defeats the point of having a device with Ethernet interface but hey... It would be secure.
Most "security expert" "rules" are quite stupid generalizations. What is OK for a workstation is not ok for a server. Internal server is not the same as external web server. Etc. etc...
Inside network T&M devices are fine. If they are security risk when and how they are connected to your network, fire the idiot that did your network.
Simple as that.
As example: Keysight MSOX3104T (look up the price while you're at it..) and only IPv4:
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.00069s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp oftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-01-22 22:11 <DIR> webdata
| ftp-syst:
|_ SYST: Windows_CE version 6.0.
|_ftp-bounce: server forbids bouncing to low ports <1025
80/tcp open http Microsoft Windows Embedded CE Web Server
| http-ntlm-info:
| Target_Name: k-mx3104t-71030
| NetBIOS_Domain_Name: k-mx3104t-71030\x00
|_ NetBIOS_Computer_Name: k-mx3104t-71030\x00
|_http-title: MSO-X 3104T Oscilloscope
|_http-favicon: Unknown favicon MD5: 5415808C5657E45613A4D0A6BD75D0CD
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: Microsoft-WinCE/6.00
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 395180 1 49152/tcp
|_ 395183 1 49152/tcp
443/tcp open tcpwrapped
5850/tcp open unknown
5900/tcp open vnc VNC (protocol 3.8 )
| vnc-info:
| Protocol version: 3.8
| Security types:
| None (1)
|_ WARNING: Server does not require authentication
49152/tcp open unknown 1 (RPC #395183)
MAC Address: 00:30:D3:29:D0:E8 (Agilent Technologies)
Device type: general purpose|media device
Running: Microsoft Windows Mobile 5.X|6.X, Microsoft embedded
OS CPE: cpe:/o:microsoft:windows_mobile:5 cpe:/o:microsoft:windows_mobile:6
OS details: Microsoft Windows Mobile 5.0 - 6.1 or Zune audio player (firmware 2.2)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=133 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Unix, Windows CE 6.0; CPE: cpe:/o:microsoft:windows_ce