SCADA IDS Signatures
From SCADApedia
Network Intrusion Detection Systems (IDS) are passive devices that receive and evaluate information sent over a network against a set of signatures. IDS signatures have been developed for most published vulnerabilities and for potentially dangerous activity in common IT protocols. The SCADA IDS signatures leverage the existing IDS equipment by developing signatures for control system protocols including Modbus/TCP, DNP3 and ICCP.
Protocols
The SCADA signatures identify unauthorized requests, malformed protocol requests and responses, rarely used and dangerous commands, and other situations that are likely or possible attacks. Signatures are currently available for three protocols, along with a set of signatures that identify attacks on disclosed control system vulnerabilities.
Release Package
The SCADA release package includes:
- Snort rules (.rules) file for each SCADA protocol
- Snort configuration (.conf) file for each SCADA protocol
- Snort reference config file to point to online documentation pages
- Test data for each signature in Wireshark pcap files
- Release note
The documentation is not included in the package. A documentation page with the rule, summary, impact, detailed information, affected systems, attack scenarios, ease of attack, false positives, false negatives, corrective action and contributors is available online for Digital Bond site subscribers.
The current version is 3.1, released on 25 April 2007. Version 3.1:
- added two new signatures: 1111013 Modbus TCP - Points List Scan and 1111014 Modbus TCP - Function Code Scan
- added additional content checks to the Modbus TCP signatures to further reduce false positives
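The two scan signatures above need per-client state rather than a single packet match. As an added illustration (not code from the release package and not Digital Bond's rule logic), the following Python parses the MBAP header and PDU of constructed Modbus/TCP frames, rejects malformed ones, and raises an alert when one client exercises many distinct function codes or many distinct read start addresses inside a time window. The thresholds, window length and frame builder are assumptions for the example.

```python
import struct
from collections import defaultdict

# Thresholds and window are illustrative assumptions, not Digital Bond's rule parameters.
FC_SCAN_THRESHOLD = 5       # distinct function codes from one client within one window
POINTS_SCAN_THRESHOLD = 8   # distinct read start addresses from one client within one window
WINDOW_SECONDS = 60

def parse_modbus_tcp(payload: bytes):
    """Parse MBAP header + PDU; return None for a malformed frame."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # Protocol identifier must be 0; the length field counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    # Read requests (FC 1-4) carry a 16-bit start address right after the function code.
    start = struct.unpack("!H", payload[8:10])[0] if fc in (1, 2, 3, 4) and len(payload) >= 10 else None
    return {"tid": tid, "unit": unit, "fc": fc, "start": start}

class ModbusScanDetector:
    """Per-client sliding-window state, the kind of tracking a scan signature needs."""
    def __init__(self):
        self.fcs = defaultdict(list)     # src -> [(timestamp, function code)]
        self.starts = defaultdict(list)  # src -> [(timestamp, start address)]

    def _prune(self, items, now):
        return [(t, v) for t, v in items if now - t <= WINDOW_SECONDS]

    def observe(self, src, ts, payload):
        """Record one frame from src at time ts; return the alert names it raises."""
        frame = parse_modbus_tcp(payload)
        if frame is None:
            return ["Modbus TCP - Malformed frame"]
        alerts = []
        self.fcs[src] = self._prune(self.fcs[src], ts) + [(ts, frame["fc"])]
        if len({fc for _, fc in self.fcs[src]}) >= FC_SCAN_THRESHOLD:
            alerts.append("Modbus TCP - Function Code Scan")
        if frame["start"] is not None:
            self.starts[src] = self._prune(self.starts[src], ts) + [(ts, frame["start"])]
            if len({s for _, s in self.starts[src]}) >= POINTS_SCAN_THRESHOLD:
                alerts.append("Modbus TCP - Points List Scan")
        return alerts

def build_request(tid, fc, addr, value=1):
    """Constructed Modbus/TCP request (sample input, not captured traffic): fc, address, count/value."""
    pdu = struct.pack("!BHH", fc, addr, value)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, 1) + pdu
```

The window pruning is what keeps a legitimate HMI that polls a few registers every minute from tripping the points-list check; tune the thresholds against a pcap of normal traffic before trusting the alert.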
Use in IPS
Most IDS vendors also offer an Intrusion Prevention System (IPS) capability that can not only detect a signature being triggered, but also block the offending communication. Given that availability is the most critical security issue in the vast majority of control systems, false positives in an IPS implementation could have disastrous results.
Many of the SCADA IDS signatures identify rare and potentially dangerous requests or responses, but this communication may be required in an emergency situation. For example, there are signatures that will trigger when systems are frequently rebooted and signatures when unknown clients try to read or write to a control server. Each signature documentation page includes a section on false positives.
Caution should be used when deploying the SCADA signatures in an inline IPS architecture. Fortunately, most IPS products offer the option to detect without blocking on a per-signature basis, so the signatures can be used without risk to availability in a correctly configured IPS.
SCADA Signature Support
The signatures were initially developed as Snort rules, and the download from Digital Bond's website is still in a Snort format. Many IDS/IPS vendors either directly support or import Snort rules and have chosen to add the SCADA signatures to their rulebases. Vendors who support some or all of the SCADA signatures in their IDS/IPS product or MSSP service include:
- 3com/Tipping Point
- Cisco
- Counterpane/BT
- Fortinet
- Industrial Defender
- ISS/IBM
- Juniper
- McAfee
- Secureworks
- Symantec
- Tenable Security
Funding
The original Modbus/TCP and DNP3 signatures were developed under a DHS HSARPA Phase 1 contract.
The original ICCP signatures were developed with financial support from SecureWorks, a managed security service provider (MSSP) formerly known as Lurhq.
Digital Bond continues to develop and maintain the SCADA signatures as a pro bono project and solicits additional funding to continue this work on an accelerated basis. The current signatures merely scratch the surface of what is possible.
