SCADA IDS Signatures
From SCADApedia
Network Intrusion Detection Systems (IDS) are passive devices: they receive a copy of the traffic on a network (from a tap or mirror port) and evaluate it against a set of signatures. IDS signatures exist for most published vulnerabilities and for potentially dangerous activity in common IT protocols. The SCADA IDS signatures leverage existing IDS equipment by adding signatures for control system protocols, including Modbus/TCP, DNP3 and ICCP.
Preprocessors
Digital Bond has developed control system protocol preprocessors for the Snort IDS under a DHS funded research program named Quickdraw. These preprocessors take control system protocols such as DNP3, EtherNet/IP and Modbus TCP and prepare the communication for analysis by Snort rules: they handle protocol fragmentation and protocol state, then extract message objects that can be analyzed using new SCADA payload detection rule options in Snort rules.
In all cases the preprocessors make Snort rules easier to write because the work of locating the protocol fields is already done, much as a protocol decode makes a packet easier to analyze. In some cases a rule would be difficult or impossible without the preprocessor. For example, some rules apply only once a session has been established; a Snort rule that cannot track this state would produce both false positives and false negatives.
Finally, the preprocessors improve Snort performance, since each protocol is decoded once rather than re-parsed by byte-offset content matches in every rule.
Protocols
The SCADA signatures identify unauthorized requests, malformed protocol requests and responses, rarely used and dangerous commands, and other situations that are likely or possible attacks. Signatures are currently available for three protocols, plus a set of signatures that identify attacks on disclosed control system vulnerabilities.
Quickdraw Snort Rules
The DHS funded Quickdraw project developed field-device-specific rules that identify security events worth logging, generate the security log event, and write it to a local file or a syslog server. Details on the supported field devices and the Snort rules are on the Quickdraw Snort Rules page.
The Quickdraw Release Package includes the SCADA Preprocessors mentioned above, and it also includes Quickdraw Detection Plugins and Quickdraw Output Plugins.
Release Package
The SCADA release package includes:
- Snort rules (.rules) file for each SCADA protocol
- Snort configuration (.conf) file for each SCADA protocol
- Snort reference config file to point to online documentation pages
- Test data for each signature in Wireshark pcap files
- Release note
The documentation is not included in the package. A documentation page with the rule, summary, impact, detailed information, affected systems, attack scenarios, ease of attack, false positives, false negatives, corrective action and contributors is available online for Digital Bond site subscribers.
The current version is 3.1, released on 25 April 2007. Version 3.1:
- added two new signatures, 1111013 Modbus TCP - Points List Scan and 1111014 Modbus TCP - Function Code Scan
- added additional content checks to the Modbus TCP signatures to further reduce false positives
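To make the division of labour between preprocessor and rules concrete, here is an added example in Python (not Quickdraw code or any Digital Bond release): a small Modbus/TCP decoder that does the MBAP reassembly and field extraction described under Preprocessors, followed by stateful rules in the spirit of the unknown-client, Function Code Scan and Points List Scan signatures named above. The client allow-list, the thresholds, the alert names and the traffic replayed in run_demo() are all constructed for the demo and are not the real signatures' logic.

```python
"""Toy Modbus/TCP preprocessor with stateful scan rules: an added example for this
page, not Digital Bond's Quickdraw code; allow-list, thresholds and traffic are constructed."""
import struct
from collections import defaultdict

AUTHORIZED_CLIENTS = {"10.0.0.10"}   # assumed site policy: the one permitted HMI
FUNC_SCAN_THRESHOLD = 5              # assumed: distinct function codes per client
POINTS_SCAN_THRESHOLD = 3            # assumed: Illegal Data Address replies per client
ILLEGAL_DATA_ADDRESS = 0x02          # Modbus exception code

def parse_adus(payload):
    """Split a TCP segment into Modbus ADUs on the 7-byte MBAP header (transaction
    id, protocol id 0, length, unit id; length counts unit id plus PDU). A segment
    may hold several ADUs or stop mid-ADU, so the unparsed tail is returned for
    reassembly with the next one. Returns (adus, leftover, errors)."""
    adus, errors, off = [], [], 0
    while off + 7 <= len(payload):
        tid, pid, length, uid = struct.unpack_from(">HHHB", payload, off)
        if pid != 0 or length < 2:   # not Modbus, or no room for a function code
            errors.append("bad MBAP (protocol id %d, length %d) at offset %d"
                          % (pid, length, off))
            return adus, b"", errors
        end = off + 6 + length
        if end > len(payload):
            break                    # partial ADU: wait for the next segment
        pdu = payload[off + 7:end]
        adus.append({"tid": tid, "uid": uid, "func": pdu[0] & 0x7F,
                     "exception": bool(pdu[0] & 0x80), "data": pdu[1:]})
        off = end
    return adus, payload[off:], errors

class ModbusDetector:
    """Rules over decoded ADUs, keyed by client IP, one buffer per direction."""
    def __init__(self):
        self.buffers = {}                     # (client, to_server) -> unparsed bytes
        self.flagged = set()                  # clients already reported as unauthorized
        self.funcs_seen = defaultdict(set)    # client -> function codes requested
        self.illegal_addr = defaultdict(int)  # client -> exception 02 replies seen
        self.pending = {}                     # (client, tid) -> requested function
        self.alerts = []

    def feed(self, client, to_server, segment):
        key = (client, to_server)
        adus, leftover, errors = parse_adus(self.buffers.get(key, b"") + segment)
        self.buffers[key] = leftover
        self.alerts.extend(("malformed modbus", client, e) for e in errors)
        for adu in adus:
            (self.on_request if to_server else self.on_response)(client, adu)

    def on_request(self, client, adu):
        if client not in AUTHORIZED_CLIENTS and client not in self.flagged:
            self.flagged.add(client)
            self.alerts.append(("unauthorized client", client, adu["func"]))
        self.funcs_seen[client].add(adu["func"])
        if len(self.funcs_seen[client]) == FUNC_SCAN_THRESHOLD:
            self.alerts.append(("function code scan", client,
                                sorted(self.funcs_seen[client])))
        self.pending[(client, adu["tid"])] = adu["func"]

    def on_response(self, client, adu):
        # Match reply to request by transaction id: the session state a stateless rule lacks.
        if self.pending.pop((client, adu["tid"]), None) is None:
            self.alerts.append(("unsolicited response", client, adu["tid"]))
        elif adu["exception"] and adu["data"][:1] == bytes([ILLEGAL_DATA_ADDRESS]):
            self.illegal_addr[client] += 1
            if self.illegal_addr[client] == POINTS_SCAN_THRESHOLD:
                self.alerts.append(("points list scan", client, self.illegal_addr[client]))

def mbap(tid, uid, pdu):
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu

def read_request(tid, func, address, count):
    return mbap(tid, 1, bytes([func]) + struct.pack(">HH", address, count))

def exception_response(tid, func, code):
    return mbap(tid, 1, bytes([func | 0x80, code]))

def run_demo():
    """Replay constructed traffic through the detector and return its alerts."""
    det, hmi, scanner = ModbusDetector(), "10.0.0.10", "10.0.0.99"
    # Authorized HMI: two polls coalesced into one segment, then a normal reply.
    det.feed(hmi, True, read_request(1, 3, 0, 10) + read_request(2, 3, 10, 10))
    det.feed(hmi, False, mbap(1, 1, bytes([3, 20]) + b"\x00" * 20))
    # Unknown host walks function codes 1-5 at widely spaced addresses; its first
    # request is split across two segments to exercise reassembly.
    probes = b"".join(read_request(10 + i, fc, 0x1000 * i, 1)
                      for i, fc in enumerate([1, 2, 3, 4, 5]))
    det.feed(scanner, True, probes[:5])
    det.feed(scanner, True, probes[5:])
    for i, fc in enumerate([1, 2, 3]):   # PLC answers three probes with exception 02
        det.feed(scanner, False, exception_response(10 + i, fc, ILLEGAL_DATA_ADDRESS))
    # A frame with protocol id 1 is not Modbus at all: flagged as malformed.
    det.feed(scanner, True, struct.pack(">HHHB", 99, 1, 6, 1) + b"\x03\x00\x00\x00\x01")
    return det.alerts

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run with python3 and it prints one alert per finding. The authorized HMI's coalesced polls produce none; the scanner's split first request is reassembled before any rule sees it; and the points list alert fires only because each exception reply was matched to an earlier request by transaction id, which is the per-session state a plain content match cannot carry. Snort's own modbus preprocessor (2.9 and later) exposes the same decoded fields to rules, for example through the modbus_func option, so a rule writer matches on the function code rather than on a byte offset.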
Use in IPS
Most IDS vendors also offer an Intrusion Prevention System (IPS) capability that can not only detect a signature being triggered but also block the offending communication. Given that availability is the most critical security issue in the vast majority of control systems, a false positive in an inline IPS blocks legitimate control traffic and could have disastrous results.
Many of the SCADA IDS signatures identify rare and potentially dangerous requests or responses, but this communication may be required in an emergency. For example, there are signatures that trigger when a device is restarted repeatedly, and signatures that trigger when an unknown client tries to read from or write to a control server. Each signature documentation page includes a section on false positives.
Caution should be used when deploying the SCADA signatures in an inline IPS architecture. Fortunately most IPS products allow the action to be set per signature (alert only, or alert and block), so the signatures can be used without risk to availability in a correctly configured IPS.
SCADA Signature Support
The signatures were initially developed as Snort rules, and the download from Digital Bond's website is still in a Snort format. Many IDS/IPS vendors either directly support or import Snort rules and have chosen to add the SCADA signatures to their rulebases. Vendors who support some or all of the SCADA signatures in their IDS/IPS product or MSSP service include:
- 3com/Tipping Point
- Cisco
- Counterpane/BT
- Fortinet
- Industrial Defender
- ISS/IBM
- Juniper
- McAfee
- Secureworks
- Symantec
- Tenable Security
Funding
The original Modbus/TCP and DNP3 signatures were developed under a DHS HSARPA Phase 1 contract.
The original ICCP signatures were developed with financial support from SecureWorks, a managed security service provider (MSSP) formerly known as Lurhq.
Digital Bond continues to develop and maintain the SCADA signatures as a pro bono project and solicits additional funding to continue this work on an accelerated basis. The current signatures merely scratch the surface of what is possible.
