ICS Protocols

railway-chacho

This is just a short primer on 12 common protocols used in various industrial control systems (ICS). The goal of this entry is just to get a quick at-a-glance understanding of what the protocol is used for and why/how indicators of compromise might be identified in a system that has been attacked.

1. Modbus¶

Introduction: Used in industrial control systems like manufacturing, water treatment, and energy for communication between devices such as PLCs and sensors/actuators.
Overview: A simple, open serial protocol operating over serial lines (Modbus RTU) or TCP/IP networks (Modbus TCP).
Indicators of Compromise:
- Unexpected traffic from unauthorized IP addresses.
- Unusual function codes in Modbus packets.
- High frequency of commands indicating reconnaissance or brute-force attempts.
Exploitation Methods:
- Man-in-the-Middle (MitM) Attacks: Intercepting and altering messages.
- Unauthorized Commands: Sending malicious commands to change configurations or disable processes.
- Replay Attacks: Capturing and replaying messages to disrupt operations.
Potential Attack Examples:
- MitM Attack: Altering commands to change a pump's setpoint.
- Unauthorized Commands: Sending Function Code 5 (Write Single Coil) or Function Code 6 (Write Single Register).
- Replay Attack: Replaying captured traffic to repeat commands.
Display Filter Suggestions:
Detect Unauthorized Commands:
```
modbus.func_code == 5 || modbus.func_code == 6
```
Useful to identify potentially malicious commands that could alter device configurations.
High Frequency of Commands:
```
modbus && frame.time_delta < 0.1
```
Useful for detecting a high volume of commands that could indicate a brute-force attack.
Unexpected Source/Destination IPs:
```
ip.src != {expected_ip} && ip.dst == {modbus_device_ip}
```
Useful to identify traffic from unauthorized IPs targeting Modbus devices.

2. DNP3 (Distributed Network Protocol 3)¶

Introduction: Used in critical infrastructure like electricity and water utilities for communication between master stations, RTUs, and IEDs.
Overview: Designed for long-distance and unreliable network communication.
Indicators of Compromise:
- Traffic outside expected communication paths.
- High volume of unsolicited responses or unexpected function codes.
- Frequent status changes or unexpected resets of devices.
Exploitation Methods:
- Buffer Overflow: Causing denial of service or executing arbitrary code.
- Device State Manipulation: Sending unauthorized commands.
- Protocol Fuzzing: Sending malformed packets.
Potential Attack Examples:
- Buffer Overflow: Exploiting vulnerabilities to crash devices.
- Device State Manipulation: Changing control points.
- Protocol Fuzzing: Finding vulnerabilities.
Display Filter Suggestions:
Detect Abnormal DNP3 Traffic:
```
dnp3 && !(dnp3.src == {trusted_ip} || dnp3.dst == {trusted_ip})
```
Useful to identify unauthorized communication involving DNP3 devices.
Identify Unexpected Function Codes:
```
dnp3.func_code == 3 || dnp3.func_code == 5 || dnp3.func_code == 6
```
Useful for spotting function codes not typically used in the environment.
Detect Malformed Packets:
```
dnp3 && frame.len > {expected_length}
```
Useful to identify packets that suggest buffer overflow attempts or fuzzing.

3. IEC 60870-5-104¶

Introduction: IEC 60870-5-104 is used in the energy sector for telecontrol, providing communication between control centers and substations in SCADA systems.
Overview: A protocol for remote control and monitoring in utilities.
Indicators of Compromise:
- Abnormal command sequences or unexpected function codes.
- Unexpected disconnections or reconnections.
- Unusual packet sizes or patterns.
Exploitation Methods:
- Replay and Injection Attacks: Manipulating states.
- Denial of Service (DoS): Flooding networks with traffic.
- Command Manipulation: Sending unauthorized commands.
Potential Attack Examples:
- Replay Attack: Replaying control commands.
- DoS: Overwhelming devices with commands.
- Command Manipulation: Altering settings.
Display Filter Suggestions:
Detect Unusual Command Sequences:
```
iec104 && !(iec104.ioa == {expected_ioa})
```
Useful to identify abnormal or unauthorized commands being sent.
Identify Unexpected Disconnections:
```
tcp.flags.reset == 1 && ip.dst == {iec_device_ip}
```
Useful to detect tampering or network disruptions.

Detect Malformed Data Packets:

iec104 && (frame.len < {expected_length} || frame.len > {expected_length})

Useful for identifying abnormal packet sizes.

4. OPC (OLE for Process Control)¶

Introduction: Used in industrial automation for data exchange, providing interoperability between control devices and software platforms, particularly in manufacturing and process control.
Overview: Facilitates communication between various software and hardware systems; OPC-UA is the secure version.
Indicators of Compromise:
- Unusual traffic patterns between OPC servers and clients.
- Unauthorized access attempts or configuration changes.
- Unexpected server shutdowns.
Exploitation Methods:
- Credential Theft: Stealing credentials to manipulate OPC servers.
- MitM Attacks: Modifying data exchanges.
- DoS Attacks: Exploiting server vulnerabilities.
Potential Attack Examples:
- Credential Theft: Extracting credentials from captured traffic.
- MitM Attacks: Disrupting communication or injecting commands.
- DoS: Flooding servers with requests.
Display Filter Suggestions:
Unauthorized Access Attempts:
```
opcua && !(opcua.request_id in {expected_request_ids})
```
Useful to detect attempts to access OPC servers with unauthorized request IDs.
Unexpected Server Communication:
```
opcua && (ip.src != {trusted_ip} || ip.dst != {trusted_ip})
```
Useful to identify unexpected communication patterns indicating a possible MitM attack.
High Volume of Requests:
```
opcua && frame.time_delta < 0.1
```
Useful for detecting DoS attempts by identifying a large number of requests in a short time frame.

5. MVB (Multifunction Vehicle Bus)¶

Introduction: Used in railways for communication between train subsystems (e.g., engines, brakes, doors) and is part of the Train Communication Network (TCN).
Overview: Ensures data exchange within train vehicles for various components.
Indicators of Compromise:
- Unexpected or malformed MVB messages.
- High error rates or communication faults.
- Abnormal device resets or status changes.
Exploitation Methods:
- Data Injection: Manipulating train functions.
- DoS Attacks: Disrupting communication.
- Firmware Manipulation: Exploiting firmware vulnerabilities.
Potential Attack Examples:
- Data Injection: Sending malicious messages to alter train commands.
- DoS: Flooding the network to cause failures.
- Firmware Manipulation: Introducing malicious behavior.
Display Filter Suggestions:
Unexpected Messages:
```
mvb && !(mvb.src_address == {expected_address})
```
Useful to detect communication from unknown sources within the train network.
High Traffic Volume:
```
mvb && frame.time_delta < 0.05
```
Useful for identifying excessive traffic that could indicate a DoS attack.
Abnormal Error Rates:
```
mvb.error_count > {threshold}
```
Useful to detect high error rates that could signal protocol manipulation or faulty devices.

6. Ethernet/IP¶

Introduction: Used in industrial environments for real-time communication between controllers, actuators, and other devices.
Overview: Utilizes standard Ethernet for industrial automation networks.
Indicators of Compromise:
- Traffic from unknown IP addresses.
- High frequency of connection requests or error messages.
- Changes in network configurations or unauthorized firmware updates.
Exploitation Methods:
- MitM Attacks: Intercepting and altering packets.
- Remote Code Execution: Exploiting vulnerabilities in devices.
- Unauthorized Access: Exploiting weak credentials.
Potential Attack Examples:
- MitM Attacks: Injecting commands or disrupting communication.
- Remote Code Execution: Using known vulnerabilities to access devices.
- Unauthorized Access: Manipulating devices via default credentials.
Display Filter Suggestions:
Unauthorized Device Communication: plaintext enip && (ip.src != {trusted_ip} || ip.dst != {trusted_ip}) Useful to detect communication from unauthorized devices.
High Volume of Traffic:
```
enip && frame.time_delta < 0.1
```
Useful for identifying potential DoS attacks due to a high number of requests.
Malicious Commands:
```
enip.command in {unauthorized_command_set}
```
Useful to detect command types that are not authorized within the environment.

7. GSM-R (Global System for Mobile Communications – Railway)¶

Introduction: A wireless communication standard for railways, used for secure voice and data communication between train drivers and control centers.
Overview: Ensures secure and reliable communication in railway operations.
Indicators of Compromise:
- Unauthorized devices on the network.
- Anomalous signaling messages or unexpected traffic patterns.
- Communication interference or unauthorized call attempts.
Exploitation Methods:
- Eavesdropping: Intercepting communications.
- Jamming: Disrupting communication channels.
- SIM Cloning and Spoofing: Gaining unauthorized access.
Potential Attack Examples:
- Eavesdropping: Using rogue base stations to capture communications.
- Jamming: Using RF interference to disrupt signals.
- SIM Cloning: Spoofing devices to gain network access.
Display Filter Suggestions:
Unauthorized Device Connections:
```
gsm_map && gsm_map.imsi != {authorized_imsi}
```
Useful for detecting unauthorized devices trying to connect to the GSM-R network.
Unexpected Traffic Patterns:
```
gsm_sms && !(gsm_sms.ota_message in {expected_message_set})
```
Useful for identifying traffic that does not match expected operational patterns.
Unusual Signaling Messages:
```
gsm_a && gsm_a.cm_service_type != {expected_type}
```
Useful to spot unexpected signaling activities that could indicate an attack.

8. CBTC (Communication-Based Train Control)¶

Introduction: A signaling protocol for real-time train control, providing precise positioning, speed control, and communication with central control.
Overview: Used in modern rail signaling for automation and control.
Indicators of Compromise:
- Irregular positioning and speed data.
- Communication faults or anomalies.
- Abnormal train behavior like sudden stops or acceleration.
Exploitation Methods:
- Spoofing: Sending false data to control systems.
- DoS Attacks: Disrupting communication.
- Data Manipulation: Altering speed or positioning data.
Potential Attack Examples:
- Spoofing: Sending false positioning data to mislead control systems.
- DoS: Overwhelming control communication.
- Data Manipulation: Forcing trains into unsafe conditions.
Display Filter Suggestions:
Anomalous Positioning Data:
```
cbtc && cbtc.position_data != {expected_data}
```
Useful for detecting false data being sent to control systems.
Unusual Control Commands:
```
cbtc && cbtc.command_type != {expected_command}
```
Useful to identify unauthorized control commands that could indicate an attack.
Excessive Traffic:
```
cbtc && frame.time_delta < 0.1
```
Useful for detecting potential DoS attacks due to excessive traffic.

9. BACnet (Building Automation and Control Networks)¶

Introduction: Used in building automation systems, such as HVAC, lighting, and access control, to facilitate communication between different building control devices.
Overview: A protocol for integrating and managing various building systems.
Indicators of Compromise:
- Unauthorized access attempts to controllers.
- Unusual changes in system configurations.
- Unexpected traffic to/from devices.
Exploitation Methods:
- Unauthorized Access: Using default or weak credentials.
- Command Injection: Sending malicious commands.
- Network Scanning: Identifying and exploiting vulnerabilities.
Potential Attack Examples:
- Unauthorized Access: Gaining control over building systems.
- Command Injection: Altering HVAC or security settings.
- Network Scanning: Identifying devices for exploitation.
Display Filter Suggestions:
- Unexpected Traffic:
```
bacnet && !(bacnet.src == {trusted_ip})
```
  Useful to detect traffic from unauthorized sources targeting BACnet devices.
Unauthorized Commands:
```
bacnet && bacnet.pdu_type == 4
```
Useful for identifying unauthorized commands being sent to devices.
Network Scanning Indicators:
```
bacnet && frame.time_delta < 0.05
```
Useful for spotting rapid traffic indicative of scanning activities.

10. HL7 (Health Level Seven)¶

Introduction: A standard for electronic data exchange in healthcare environments, used to integrate medical devices and systems for patient data exchange.
Overview: Facilitates communication between various medical systems and devices.
Indicators of Compromise:
- Anomalous HL7 messages or unauthorized access attempts.
- Unexpected changes in patient data or medical records.
- Unusual traffic to/from HL7 servers.
Exploitation Methods:
- Data Manipulation: Altering patient data.
- Unauthorized Access: Exploiting weak authentication.
- DoS Attacks: Sending malformed messages.
Potential Attack Examples:
- Data Manipulation: Intercepting and altering messages.
- Unauthorized Access: Gaining access to medical data.
- DoS: Crashing hospital systems with malformed messages.
Display Filter Suggestions:
- Anomalous HL7 Messages:
```
hl7 && !(hl7.message_type == {expected_type})
```
  Useful to identify unexpected message types that could indicate tampering.
Unauthorized Access Attempts:
```
hl7 && hl7.security != {expected_security_token}
```
Useful to detect attempts to bypass security controls.
Unexpected Traffic Patterns:
```
hl7 && frame.time_delta < 0.1
```
Useful for identifying traffic anomalies that may indicate an attack.

11. DICOM (Digital Imaging and Communications in Medicine)¶

Introduction: For managing and transmitting medical imaging data across hospital networks.
Overview: Standardizes communication for medical imaging devices and systems.
Indicators of Compromise:
- Unauthorized access attempts to servers or storage.
- Unusual image requests or downloads.
- Anomalies in medical imaging files.
Exploitation Methods:
- Data Theft: Accessing patient images.
- Malware Distribution: Embedding malware in DICOM files.
- Data Manipulation: Altering medical imaging data.
Potential Attack Examples:
- Data Theft: Unauthorized downloads of medical images.
- Malware Distribution: Compromising devices via DICOM files.
- Data Manipulation: Affecting diagnosis or treatment.
Display Filter Suggestions:
Unauthorized Access Attempts:
```
dicom && dicom.assoc_ac != {expected_association}
```
Useful for detecting unauthorized attempts to connect to DICOM servers.
Unexpected Image Transfers:
```
dicom && dicom.pdu_type == 0x01 && ip.src != {trusted_ip}
```
Useful for spotting unusual image transfers from unexpected sources.
Malformed DICOM Files:
```
dicom && frame.len > {expected_length}
```
Useful for identifying anomalies in DICOM files that may indicate manipulation.

12. LonWorks¶

Introduction: A protocol used in building automation for controlling functions like HVAC, lighting, and security.
Overview: Designed for communication between building systems and control networks.
Indicators of Compromise:
- Unusual device behavior or control changes.
- Unauthorized traffic to LonWorks devices.
- Frequent device resets or reboots.
Exploitation Methods:
- Unauthorized Access: Exploiting weak security configurations.
- Command Injection: Sending malicious commands.
- Firmware Exploitation: Compromising device firmware.
Potential Attack Examples:
- Unauthorized Access: Controlling building systems via weak credentials.
- Command Injection: Disrupting building operations.
- Firmware Exploitation: Gaining control over critical functions.
Display Filter Suggestions:
- Unexpected Device Communication:
```
lonworks && ip.src != {trusted_ip}
```
  Useful for detecting unauthorized traffic targeting LonWorks devices.
- Unauthorized Commands:
```
lonworks && lonworks.command_code != {expected_command}
```
  Useful to identify commands that are not part of normal operations.
- High Frequency of Commands:
```
lonworks && frame.time_delta < 0.1
```
  Useful for spotting rapid command sequences that could indicate malicious activity.