Rule: 1111201

Rule (SID 1111201, content match on the DNP3 application function code at payload offset 12):

```
alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (flow:from_client,established; content:"|15|"; offset:12; depth:1; msg:"SCADA_IDS: DNP3 – Disable Unsolicited Responses"; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:attempted-dos; sid:1111201; rev:2; priority:2;)
```

Preprocessor Rule (SID 11112011, same check expressed with the DNP3 preprocessor keyword):

```
alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:"SCADA_IDS: DNP3 – Disable Unsolicited Responses"; dnp3_cmd_fc:21; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:attempted-dos; sid:11112011; rev:1; priority:2;)
```

| Field | Value |
|---|---|
| SID | 1111201 (content rule) / 11112011 (preprocessor rule) |
| Message | DNP3 – Disable Unsolicited Responses |
| Summary | An attacker stops unsolicited responses from field devices to prevent alarms and other critical events from being reported. |
| Impact | System integrity. Denial of service. |
| Detailed Information | DNP3 is a protocol commonly used in SCADA and DCS networks for process control. A DNP3 request packet with function code 15 (Disable Unsolicited) will cause a DNP3 server to stop sending unsolicited responses. |
| Affected Systems | PLCs and other field devices that contain DNP3 servers. |
| Attack Scenarios | An attacker with IP connectivity sends a DNP3 request packet with function code 15 to one or more PLCs to prevent these PLCs from sending unsolicited responses. This cyber attack could be a precursor to a physical attack. |
| Ease of Attack | Simple. DNP3 clients are available for free on the Internet. |
| False Positives | Occasionally there is a legitimate need to disable unsolicited responses for troubleshooting or system modifications. |
| False Negatives | None known. |
| Corrective Action | Enable unsolicited responses, identify who sent the unauthorized command, and take appropriate action to prevent subsequent attacks by this individual. |
| Contributors | Dale Peterson |
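As an added example (not part of the Digital Bond rule page), the following Python check mirrors what the content rule above tests, the function code byte at offset 12 of the TCP payload, but validates DNP3 link framing and the header CRC first, so a non-DNP3 stream that happens to carry 0x15 at byte 12 is not flagged. The frame builder, addresses and frames are constructed sample data; the content rule itself only sees offset 12 when the DNP3 frame starts at the beginning of the segment payload, which this check assumes as well.

```python
import struct

DNP3_START = b"\x05\x64"
FC_DISABLE_UNSOLICITED = 0x15   # 21 decimal: the byte the content rule matches at offset 12
FC_ENABLE_UNSOLICITED = 0x14

def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: polynomial 0x3D65 (reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_request(fc: int, dest: int = 1, src: int = 100, seq: int = 0) -> bytes:
    """Constructed sample: minimal master->outstation request with no objects.
    Layout: 8-byte link header + CRC, then one data block holding the transport
    header (offset 10), application control (offset 11) and function code (offset 12)."""
    user_data = bytes([0xC0 | (seq & 0x3F), 0xC0 | (seq & 0x0F), fc])  # FIR|FIN, FIR|FIN, FC
    # LENGTH counts CTRL, DEST, SRC and user data; CTRL 0xC4 = DIR=1, PRM=1, unconfirmed user data
    link = DNP3_START + struct.pack("<BBHH", 5 + len(user_data), 0xC4, dest, src)
    link += struct.pack("<H", dnp3_crc(link))
    return link + user_data + struct.pack("<H", dnp3_crc(user_data))

def inspect(payload: bytes) -> dict:
    """Return framing details and whether this payload would justify the alert."""
    if len(payload) < 13 or payload[:2] != DNP3_START:
        return {"dnp3": False, "reason": "no DNP3 start bytes"}
    if struct.unpack("<H", payload[8:10])[0] != dnp3_crc(payload[:8]):
        return {"dnp3": False, "reason": "bad link header CRC"}
    ctrl, dest, src = struct.unpack("<BHH", payload[3:8])
    fc = payload[12]
    return {
        "dnp3": True,
        "from_master": bool(ctrl & 0x80),   # DIR bit set: master -> outstation, as flow:from_client expects
        "dest": dest, "src": src, "fc": fc,
        "alert": fc == FC_DISABLE_UNSOLICITED,
    }

if __name__ == "__main__":
    for fc in (FC_DISABLE_UNSOLICITED, FC_ENABLE_UNSOLICITED):
        print(hex(fc), inspect(build_request(fc)))
```

When an alert fires, the parsed `src` link address plus the TCP source address is what the Corrective Action row asks you to record; the link address alone can be spoofed, so keep both.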