
SCADA IPS Ideas

The Intrusion Prevention System (IPS) vendors have been pushing to use the Modbus and DNP3 signatures to block potential attacks rather than just detect them. We have counseled against this in general because a large portion of the signatures detect commands that are probably attacks but may be legitimate and important commands in rare circumstances; blocking such a command at the wrong moment can do more damage than the attack it was meant to stop. Only a small number of signatures, with suitable restrictions by source IP address, could safely be used to block communication. Idea 1: Perhaps we need to add a field to the documentation and to the signature itself to identify IPS-friendly signatures.

Idea 2: What if we tied the signature response to the operational state of the system? For example, if we define three states (start-up / shut-down, normal operations, and declared emergency), we may be able to vary the response by system state. A signature triggered during normal operation may block the communication, while the same signature could simply generate an alert during a declared emergency, when an unusual but legitimate command is most likely and most needed. This would take a slight modification to the mode of operation for MSSPs and SEM products, which would need to be told the current state of the plant.
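To make the two ideas concrete, here is a small Python policy evaluator added for this post (it is not code from the blog, from any IDS/IPS product, or from the signature set discussed). Each signature carries an ips_friendly flag and a list of trusted sources (Idea 1) plus a per-state action table (Idea 2); anything not explicitly marked as blockable falls back to an alert. The signature IDs, names, IP addresses and sample hits are constructed for the example; only the Modbus and DNP3 function codes named in the comments are real protocol values.

```python
"""State-aware IPS policy for Modbus/DNP3 signatures (illustrative code
written for this post, not from any IDS product). All signature IDs,
names, addresses and events below are constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network


class State(Enum):
    """Operational states from Idea 2."""
    STARTUP_SHUTDOWN = "startup/shutdown"
    NORMAL = "normal operations"
    EMERGENCY = "declared emergency"


class Action(Enum):
    BLOCK = "block"   # drop the packet / reset the session
    ALERT = "alert"   # log and notify only


@dataclass
class Signature:
    sid: int
    name: str
    # Idea 1: the signature author marks whether blocking is ever safe.
    ips_friendly: bool
    # Idea 1: sources allowed to send this command (e.g. the HMI/master).
    # Hits from these networks are alerted on but never blocked.
    trusted_sources: tuple = ()
    # Idea 2: response per operational state. States not listed fall
    # back to ALERT, so a new or unknown state can never silently block.
    actions: dict = field(default_factory=dict)


def decide(sig: Signature, state: State, src_ip: str) -> Action:
    """Return the response for one signature hit in the given state."""
    if not sig.ips_friendly:
        return Action.ALERT
    src = ip_address(src_ip)
    if any(src in ip_network(net) for net in sig.trusted_sources):
        return Action.ALERT
    return sig.actions.get(state, Action.ALERT)


# Constructed signature set. The protocol function codes in the comments
# are real (Modbus diagnostics sub-function 4 = Force Listen Only Mode,
# DNP3 function code 0x0D = Cold Restart); the SIDs are made up.
SIGNATURES = {
    1000: Signature(
        sid=1000, name="Modbus Force Listen Only Mode",
        ips_friendly=True,
        trusted_sources=("10.0.0.5/32",),           # constructed master
        actions={State.NORMAL: Action.BLOCK},       # alert in all other states
    ),
    1001: Signature(
        sid=1001, name="DNP3 Cold Restart",
        ips_friendly=True,
        trusted_sources=("10.0.0.0/29",),           # constructed master subnet
        actions={State.NORMAL: Action.BLOCK,
                 State.STARTUP_SHUTDOWN: Action.ALERT,
                 State.EMERGENCY: Action.ALERT},
    ),
    # A "probably an attack" signature that is too often legitimate to
    # block in any state: the flag keeps it alert-only everywhere.
    1002: Signature(
        sid=1002, name="Modbus Write Multiple Registers, high address",
        ips_friendly=False,
    ),
}


def process(events, state: State):
    """Evaluate (sid, src_ip) hits; return a list of (sid, src_ip, Action)."""
    return [(sid, src, decide(SIGNATURES[sid], state, src))
            for sid, src in events]


if __name__ == "__main__":
    # Constructed hits: one from an unknown host, one from the master.
    hits = [(1000, "10.0.0.50"), (1001, "10.0.0.50"),
            (1001, "10.0.0.5"), (1002, "10.0.0.50")]
    for st in State:
        print(f"--- state: {st.value}")
        for sid, src, act in process(hits, st):
            print(f"  sid {sid} from {src}: {act.value}")
```

The state would come from the operator (or the SEM product) rather than being inferred from traffic, and the default-to-alert behaviour is deliberate: a missing state entry, an unknown state, or a signature the author never marked as IPS-friendly all degrade to detection only.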

(Hat Tip to Tom Phinney who often buffer overflows my mind with good ideas and info.)
