SCADA IDS Signatures
From SCADApedia
Network Intrusion Detection Systems (IDS) are passive devices that receive and evaluate information sent over a network against a set of signatures. IDS signatures have been developed for most published vulnerabilities and for potentially dangerous activity in common IT protocols. Digital Bond's SCADA IDS signatures leverage the existing IDS equipment by developing signatures for control system protocols, devices and vulnerabilities.
Protocols
The SCADA signatures identify unauthorized requests, malformed protocol requests and responses, rarely used and dangerous commands, and other situations that are likely or possible attacks. There currently are signatures available for four control system protocols, a set of signatures to identify attacks on disclosed control system vulnerabilities, and a group of signatures that identify security events specific to a vendor system.
SCADA IDS Signatures and Snort
The signatures were initially developed as Snort rules, and the download from Digital Bond's website is still in a Snort format. Many IDS/IPS vendors either directly support or import Snort rules and have chosen to add the SCADA signatures to their rulebases. A partial list of vendors who support some or all of the SCADA signatures in their IDS/IPS product or MSSP service includes:
- 3com/Tipping Point
- Cisco
- Counterpane/BT
- Fortinet
- Industrial Defender
- ISS/IBM
- Juniper
- McAfee
- Secureworks
- Symantec
- Tenable Security
While Snort signatures are easily converted to another IDS/IPS format, the SCADA IDS Preprocessors are not easily converted. These preprocessors are essentially software programs that decode the protocol and store the fields in variables for analysis by new keywords created in accompanying SCADA IDS plugins. An IDS may not have a function similar to a preprocessor, and even if it does, it will be significant work to port the preprocessor code.
The EtherNet/IP Signatures require the EtherNet/IP preprocessor and are unlikely to work in any IDS that does not have a Snort engine. Most of the other signatures have versions that work with and without a preprocessor, so these should be possible to port to another IDS/IPS.
Release Package
The SCADA release package includes:
- Snort rules (.rules) file for each SCADA protocol or category
- A Snort configuration (.conf) file
- Test data for each signature in Wireshark pcap files
- Release notes
The documentation is not included in the package. Each rule has a documentation page with the rule, summary, impact, detailed information, affected systems, attack scenarios, ease of attack, false positives, false negatives, corrective action and contributors, and it is available online for Digital Bond site subscribers.
Use in IPS
Most IDS vendors also offer an Intrusion Prevention System (IPS) capability that can not only detect a signature being triggered, but also block the offending communication. Given that availability is the most critical security issue in the vast majority of control systems, false positives in an IPS implementation could have disastrous results.
Many of the SCADA IDS signatures identify rare and potentially dangerous requests or responses, but this communication may be required in an emergency situation. For example, there are signatures that trigger when systems are frequently rebooted, and signatures that trigger when unknown clients try to read or write to a control server. Each signature documentation page includes a section on false positives.
Caution should be used when deploying the SCADA signatures in an inline IPS architecture. Fortunately, most IPSs offer the option to detect and not block on a per-signature basis, so the signatures can be used without a risk to availability in a correctly configured IPS.
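As an added illustration (not Digital Bond's code or rule set): a preprocessor-style decoder that pulls the Modbus/TCP fields into variables, feeding a few rules that each carry their own alert-or-drop action, in the spirit of the per-signature detect-only option described above. The allow-list address, rule names and sample packets are constructed for the example.

```python
# Added example: preprocessor-style Modbus/TCP decoding plus per-rule IPS action.
import struct
from dataclasses import dataclass

# Constructed allow-list of hosts permitted to write to the control server.
AUTHORIZED_CLIENTS = {"10.0.0.5"}


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    data: bytes


def decode_modbus(src: str, payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus function code, as a preprocessor would."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    tid, pid, length, uid, fc = struct.unpack("!HHHBB", payload[:8])
    return ModbusRequest(src, tid, pid, length, uid, fc, payload[8:])


def rule_malformed(r: ModbusRequest) -> bool:
    # Protocol id must be 0 and the MBAP length must cover unit id + function + data.
    return r.protocol_id != 0 or r.length != len(r.data) + 2


def rule_unauthorized_write(r: ModbusRequest) -> bool:
    # Write functions (5, 6, 15, 16) from a host that is not on the allow-list.
    return r.function in (5, 6, 15, 16) and r.src not in AUTHORIZED_CLIENTS


def rule_restart(r: ModbusRequest) -> bool:
    # Diagnostics (function 8), sub-function 1 = Restart Communications Option.
    return r.function == 8 and r.data[:2] == b"\x00\x01"


# Each rule carries the action an inline IPS should take. A restart may be
# needed in an emergency, so that rule alerts only rather than blocking.
RULES = [
    ("malformed Modbus/TCP request", rule_malformed, "drop"),
    ("write from unauthorized client", rule_unauthorized_write, "drop"),
    ("Modbus restart communications request", rule_restart, "alert"),
]


def evaluate(src: str, payload: bytes) -> list:
    """Return (message, action) for every rule the request triggers."""
    try:
        req = decode_modbus(src, payload)
    except ValueError as exc:
        return [(str(exc), "drop")]
    return [(msg, action) for msg, check, action in RULES if check(req)]
```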
Funding
The original Modbus/TCP and DNP3 signatures were developed under a DHS HSARPA Phase 1 contract.
The original ICCP signatures were developed with financial support from SecureWorks, a managed security service provider (MSSP) formerly known as Lurhq.
Digital Bond continues to develop and maintain the SCADA signatures as a pro bono project and solicits additional funding to continue this work on an accelerated basis. The current signatures merely scratch the surface of what is possible.
