Quickdraw SCADA IDS

SCADA IDS

Network Intrusion Detection Systems (IDS) are passive devices that receive traffic sent over a network and evaluate it against a set of signatures. IDS signatures have been developed for most published vulnerabilities and for potentially dangerous activity in common IT protocols. Digital Bond's Quickdraw SCADA IDS signatures leverage that existing IDS equipment by adding signatures for control system protocols, devices and vulnerabilities.

The entire Quickdraw package, including all rules and preprocessors, is available as a single download (see Release Package below).

SCADA IDS Signatures

Digital Bond's SCADA IDS signatures, or rules in Snort parlance, identify unauthorized requests, malformed protocol requests and responses, rarely used and dangerous commands, and other situations that are likely or possible attacks. Signatures are currently available for four control system protocols, along with a set of signatures that identify attacks on disclosed control system vulnerabilities and a group of signatures that identify security events specific to a vendor system.
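The three rule classes named above (unauthorized requests, malformed requests, and rarely used but dangerous commands) applied to Modbus/TCP, as an added example that is not Digital Bond's preprocessor or rule set. The MBAP header layout and the function and diagnostic sub-function codes follow the Modbus/TCP specification; the authorized-client list, the alert labels and the sample frames are constructed for this example. Quickdraw's real rules express the same checks in Snort rule syntax against a client-address variable; this just shows the decode-then-compare logic in one place.

```python
"""Toy Modbus/TCP decoder with three Quickdraw-style checks.

Added example, not Digital Bond's code. MBAP layout and function codes follow
the Modbus/TCP spec; client list, alert labels and frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed for this example: the only HMI permitted to poll the PLC.
AUTHORIZED_CLIENTS = {"10.0.0.10"}

READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}
# Diagnostics (function 0x08) sub-functions that change device behaviour.
DANGEROUS_DIAGNOSTICS = {0x0001: "diag-restart-communications",
                         0x0004: "diag-force-listen-only"}

# Big-endian: transaction id, protocol id, length, unit id, function code.
MBAP = struct.Struct(">HHHBB")


@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    data: bytes


def parse_request(payload: bytes) -> Optional[ModbusRequest]:
    """Decode the MBAP header plus function code; None if the frame is too short."""
    if len(payload) < MBAP.size:
        return None
    tid, pid, length, uid, fc = MBAP.unpack_from(payload)
    return ModbusRequest(tid, pid, length, uid, fc, payload[MBAP.size:])


def check_request(src_ip: str, payload: bytes) -> List[str]:
    """Return the alert labels a request from src_ip would raise."""
    req = parse_request(payload)
    if req is None:
        return ["short-frame"]
    alerts = []
    # Malformed: protocol id must be 0 and MBAP length must cover unit id + PDU.
    if req.protocol_id != 0 or req.length != len(payload) - 6:
        alerts.append("bad-length")
    # Unauthorized: a client outside the whitelist reading or writing points.
    if src_ip not in AUTHORIZED_CLIENTS:
        if req.function in WRITE_FUNCTIONS:
            alerts.append("unauthorized-write")
        elif req.function in READ_FUNCTIONS:
            alerts.append("unauthorized-read")
    # Rare and dangerous: diagnostics that stop the slave from answering.
    if req.function == 0x08 and len(req.data) >= 2:
        sub = struct.unpack_from(">H", req.data)[0]
        if sub in DANGEROUS_DIAGNOSTICS:
            alerts.append(DANGEROUS_DIAGNOSTICS[sub])
    return alerts


def frame(function: int, data: bytes, unit_id: int = 1,
          length: Optional[int] = None) -> bytes:
    """Build a Modbus/TCP request; length defaults to the correct value."""
    if length is None:
        length = 1 + 1 + len(data)  # unit id + function code + data
    return MBAP.pack(1, 0, length, unit_id, function) + data


# Constructed sample traffic: (source address, TCP payload).
SAMPLES = {
    "hmi-read":        ("10.0.0.10", frame(0x03, b"\x00\x00\x00\x0a")),
    "rogue-write":     ("10.0.0.99", frame(0x06, b"\x00\x01\x00\xff")),
    "hmi-listen-only": ("10.0.0.10", frame(0x08, b"\x00\x04\x00\x00")),
    "bad-length":      ("10.0.0.10", frame(0x03, b"\x00\x00\x00\x0a", length=20)),
    "runt":            ("10.0.0.10", b"\x00\x01\x00\x00\x00"),
}


def run_samples() -> dict:
    """Evaluate every sample frame; returns {name: [alerts]}."""
    return {name: check_request(ip, pkt) for name, (ip, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerts in run_samples().items():
        print(f"{name:16s} -> {alerts or ['no alert']}")
```

Note that the "hmi-listen-only" frame comes from the authorized HMI and is still flagged: Force Listen Only Mode silences the slave, which is exactly the kind of rare-but-legitimate request the IPS caveat below is about.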

Available SCADA IDS Signatures

Each signature category has its own page listing the signatures, with links to the documentation page for each signature and a download link for that category's rules.

SCADA IDS Preprocessors and Plugins

Digital Bond has developed SCADA IDS Preprocessors and Associated Plugins for the Snort IDS. These preprocessors take control system protocols, such as DNP3, EtherNet/IP and Modbus TCP, and prepare the communication for analysis by Snort rules. The SCADA preprocessors deal with control system protocol fragmentation and protocol state issues, and then the preprocessors extract message objects that can be analyzed using new SCADA payload detection rule options in Snort rules.

Plugins are available for each preprocessor that create keywords that can be used in Snort rules to evaluate decoded content in the preprocessor. In all cases, the preprocessors and plugins make writing Snort rules easier because the work of identifying the various fields is complete, much like a protocol decode makes analyzing a packet easier. In some cases, Snort rules would be difficult or impossible without the preprocessor. For example, there are some rules that are only applicable when a session has been established. A Snort rule that could not track this state would likely have both false positives and false negatives.
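The session-state case described above, as an added example that is not Digital Bond's EtherNet/IP preprocessor: a stateless rule sees only one packet, so it cannot tell a SendRRData carrying a legitimately registered session handle from one carrying a handle the sender never obtained. The 24-byte encapsulation header layout and command codes follow the EtherNet/IP specification; the endpoints, handle values, alert labels and frames are constructed for this example.

```python
"""Session tracking for EtherNet/IP encapsulation.

Added example, not Digital Bond's preprocessor. Header layout and command codes
follow the EtherNet/IP spec; endpoints, handles, labels and frames are constructed.
"""
import struct
from typing import Dict, List, Set, Tuple

# Little-endian: command, length, session handle, status, sender context, options.
ENCAP = struct.Struct("<HHIIQI")
NOP, LIST_SERVICES, LIST_IDENTITY, LIST_INTERFACES = 0x0000, 0x0004, 0x0063, 0x0064
REGISTER_SESSION, UNREGISTER_SESSION = 0x0065, 0x0066
SEND_RR_DATA, SEND_UNIT_DATA = 0x006F, 0x0070
# Commands the specification allows before any session exists.
SESSIONLESS = {NOP, LIST_SERVICES, LIST_IDENTITY, LIST_INTERFACES, REGISTER_SESSION}


class EnipSessionTracker:
    """Remembers which session handles each (client, server) pair has registered."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, str], Set[int]] = {}

    def observe(self, src: str, dst: str, from_server: bool,
                payload: bytes) -> List[str]:
        """Update state with one packet and return the alert labels it raises."""
        if len(payload) < ENCAP.size:
            return ["enip-short-header"]
        cmd, length, handle, status, _ctx, _opts = ENCAP.unpack_from(payload)
        alerts = []
        if length != len(payload) - ENCAP.size:
            alerts.append("enip-bad-length")
        key = (dst, src) if from_server else (src, dst)
        handles = self.sessions.setdefault(key, set())
        if from_server:
            # A successful RegisterSession reply is what creates the session.
            if cmd == REGISTER_SESSION and status == 0 and handle != 0:
                handles.add(handle)
        elif cmd == UNREGISTER_SESSION:
            if handle not in handles:
                alerts.append("enip-unregistered-session")
            handles.discard(handle)
        elif cmd not in SESSIONLESS and handle not in handles:
            # SendRRData/SendUnitData with a handle this client never obtained.
            alerts.append("enip-unregistered-session")
        return alerts


def encap(cmd: int, handle: int, data: bytes = b"", status: int = 0) -> bytes:
    """Build an encapsulation packet with a correct length field."""
    return ENCAP.pack(cmd, len(data), handle, status, 0, 0) + data


def run_exchange() -> List[List[str]]:
    """Replay a constructed exchange; returns the alerts raised per packet."""
    t = EnipSessionTracker()
    hmi, plc, rogue = "10.0.0.10", "10.0.0.20", "10.0.0.99"
    reg = b"\x01\x00\x00\x00"   # protocol version 1, option flags 0
    cip = b"\x00" * 16          # placeholder CPF body, constructed
    return [
        t.observe(hmi, plc, False, encap(REGISTER_SESSION, 0, reg)),           # 0
        t.observe(plc, hmi, True, encap(REGISTER_SESSION, 0x11223344, reg)),   # 1
        t.observe(hmi, plc, False, encap(SEND_RR_DATA, 0x11223344, cip)),      # 2
        t.observe(rogue, plc, False, encap(SEND_RR_DATA, 0x11223344, cip)),    # 3
        t.observe(hmi, plc, False, encap(UNREGISTER_SESSION, 0x11223344)),     # 4
        t.observe(hmi, plc, False, encap(SEND_RR_DATA, 0x11223344, cip)),      # 5
    ]


if __name__ == "__main__":
    for i, alerts in enumerate(run_exchange()):
        print(f"packet {i}: {alerts or ['ok']}")
```

Packets 2 and 5 are byte-for-byte identical; only the tracker's memory of the RegisterSession reply and the later UnRegisterSession tells them apart, and packet 3 shows why the state is keyed per client pair rather than per handle value alone.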

Finally, the preprocessors improve Snort performance: each protocol message is decoded once by the preprocessor rather than being re-parsed by every rule that inspects it.

Release Package

Access to the download page is restricted to digitalbond.com site subscribers, but there is no charge to subscribe. Go to the home page and either login or create an account.

The Quickdraw download page has all of the signatures, preprocessors, plugins and pcap files to test the Quickdraw package.

Adoption by Other Commercial IDS

The Quickdraw SCADA IDS signatures were initially developed as Snort rules, and the download from digitalbond.com is still in Snort format. Many IDS/IPS vendors either directly support or import Snort rules and have chosen to add the SCADA signatures to their rulebases. A partial list of vendors who support some or all of the Quickdraw signatures in their IDS/IPS product or MSSP service includes:

  • 3com/Tipping Point
  • Cisco
  • Counterpane/BT
  • Fortinet
  • Industrial Defender
  • ISS/IBM
  • Juniper
  • McAfee
  • Secureworks
  • Symantec
  • Tenable Security

While Snort signatures are easily converted to another IDS/IPS format, the IDS preprocessors are not. These preprocessors are essentially software programs that decode the protocol and store the fields in variables for analysis by new keywords created in the accompanying SCADA IDS plugins. An IDS may not have a function comparable to a preprocessor, and even if one does, porting the preprocessor code will be significant work.

The EtherNet/IP signatures require the EtherNet/IP preprocessor and are unlikely to work in any IDS that does not have a Snort engine. Most of the other signatures have versions that work with and without a preprocessor, so these should be easy to port to another IDS/IPS.

Use in IPS

Most IDS vendors also offer an Intrusion Prevention System (IPS) capability that can not only detect a signature being triggered, but also block the offending communication. Given that availability is the most critical security issue in the vast majority of control systems, false positives in an IPS implementation could have disastrous results.

Many of the SCADA IDS signatures identify rare and potentially dangerous requests or responses, but this communication may be required in an emergency situation. For example, there are signatures that trigger when systems are rebooted frequently and signatures that trigger when unknown clients try to read from or write to a control server. Each signature documentation page includes a section on false positives.

Caution should be used when deploying the SCADA signatures in an inline IPS architecture. Fortunately, most IPS products can be set on a per-signature basis to alert without blocking, so the signatures can be used without risk to availability in a correctly configured IPS.

Funding

The original Modbus/TCP and DNP3 signatures were developed under a DHS HSARPA Phase 1 contract. The EtherNet/IP signatures and the preprocessors were developed with funding from DHS S&T.

Digital Bond continues to develop and maintain the Quickdraw signatures as a pro bono project and solicits additional funding to continue this work on an accelerated basis. The current signatures merely scratch the surface of what is possible.