Snort ICCP Rules Are Out!
It took longer than expected, but our first set of ICCP rules are available on the SCADA IDS site. Want to know why it took so long? Take a look at the ICCP stack in the diagram below.
It takes a lot of work for an ICCP client to compromise the integrity of an ICCP server. However, unusual protocols at many layers offer a large attack surface. To prove this point, we created at least one Snort IDS rule at each of the MMS, ACSE, OSI PSEL, OSI SSEL, COTP and TPKT layers. There is a lot more rule and signature work to do on ICCP. This first set of signatures identifies when a rogue client has tried, or is trying, to affect the integrity of an ICCP server.
Like most SCADA protocols, ICCP has very little security designed into the protocol. So if an attacker can gain access to an ICCP client and IP connectivity to a server, she stands a good chance of compromising an ICCP server. This will be more difficult once Secure ICCP is deployed, with its SSL and ACSE layer authentication.
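As an added illustration of what a signature at the bottom two layers of that stack keys on (this is example code written for this page, not one of the Digital Bond rules), the Python below parses the RFC 1006 TPKT header and a COTP Connection Request and alerts when the connecting client is not on an allow list, which is one way to spot a rogue client before any MMS traffic flows. The allow list, client IP and TSAP values are constructed for the example.

```python
import struct
from typing import Optional

COTP_CR = 0xE0             # COTP (ISO 8073 / RFC 905) Connection Request TPDU code
PARAM_CALLING_TSAP = 0xC1  # CR variable-part parameter: calling TSAP

def parse_tpkt(data: bytes) -> bytes:
    """Strip the 4-byte RFC 1006 TPKT header (version 3) and return the COTP TPDU."""
    if len(data) < 4 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    return data[4:]

def parse_cotp_cr(tpdu: bytes) -> Optional[dict]:
    """Parse a COTP Connection Request; return None for any other TPDU type."""
    li = tpdu[0]               # length indicator: header bytes following LI
    if tpdu[1] != COTP_CR:
        return None
    if li < 6 or li + 1 > len(tpdu):
        raise ValueError("COTP CR header truncated")
    dst_ref, src_ref, cls = struct.unpack("!HHB", tpdu[2:7])
    cr = {"dst_ref": dst_ref, "src_ref": src_ref, "class": cls, "params": {}}
    pos = 7                    # variable part: (code, length, value) triples
    while pos < li + 1:
        code, plen = tpdu[pos], tpdu[pos + 1]
        cr["params"][code] = tpdu[pos + 2:pos + 2 + plen]
        pos += 2 + plen
    return cr

# Constructed allow list of (client IP, calling TSAP) pairs known to this ICCP server.
KNOWN_CLIENTS = {("10.1.1.20", b"\x00\x01")}

def check_connection(src_ip: str, packet: bytes) -> Optional[str]:
    """Alert on a COTP CR whose source IP / calling TSAP is not an approved peer."""
    cr = parse_cotp_cr(parse_tpkt(packet))
    if cr is None:
        return None
    calling = cr["params"].get(PARAM_CALLING_TSAP, b"")
    if (src_ip, calling) in KNOWN_CLIENTS:
        return None
    return f"unknown ICCP client {src_ip} sent COTP CR, calling TSAP {calling.hex()}"

# Constructed sample: TPKT + COTP CR carrying TPDU-size, calling and called TSAP params.
SAMPLE_CR = (b"\x03\x00\x00\x16" + b"\x11\xe0\x00\x00\x00\x01\x00"
             + b"\xc0\x01\x0a" + b"\xc1\x02\x00\x01" + b"\xc2\x02\x00\x01")
```

Data TPDUs (type 0xF0) pass through without an alert, so the check only fires on connection attempts, which is where an allow-list signature belongs.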
While our focus was on ICCP protocol related signatures, we unintentionally found vulnerabilities due to implementation errors in certain ICCP servers. Given the complex ICCP stack and the difficulty of secure application design, there is a good chance that there will be some systemic implementation vulnerabilities in ICCP servers like those found in web servers, databases, …
All of the SCADA IDS signatures and tools are available free of charge to any bona fide SCADA user, vendor, consultant or other industry member.
Author: Dale Peterson
Posted: December 19th, 2005 under ICCP, SCADA IDS.
Comments: 2
Comments
Comment from dpcybuck
Time: January 26, 2006, 3:54 pm
How often do these rules change? My assumption is that the underlying technologies don’t have the same vulnerability research community that, say, MSSQL has, and that new vulnerabilities (new snort rules) aren’t found that often.
dpcybuck@gmail.com
Comment from Dale Peterson
Time: January 27, 2006, 12:01 am
You are correct. There are a limited number of SCADA IDS rules out, and new rules are not created at the same rate as rules related to more widely used protocols or applications.