In mid-December we completed the Quickdraw project, which creates security events for legacy PLCs that lack a security event logging capability. In the following weeks I will write a blog series on Quickdraw, but a lot of this work involves adding SCADA preprocessors and plugins to Snort. So let’s start with a SCADA Snort blog series.
While these were necessary and valuable for Quickdraw, they also will be very helpful for IDS/IPS and may play a role in adding deep inspection to field firewalls.
We are already in discussions with managed security service providers and IDS/IPS vendors who want to integrate this technology into their products. We view this as highly likely to occur, since Digital Bond’s earlier SCADA IDS signatures have been integrated into every major IDS/IPS, and these vendors have been clamoring for more.
So here is a breakdown of the Snort series to come:
- Part 2: SCADA Preprocessors – These preprocessors deal with SCADA protocol fragmentation and session issues and then parse the protocol into objects.
- Part 3: SCADA Detection Plugins – The detection plugins create keywords that can be used in Snort rules to evaluate the objects from the preprocessor against the criteria in the Snort rule. In all cases this makes rule writing easier. For some protocols, such as EtherNet/IP, it would be impossible to write reliable Snort rules without the preprocessor / detection plugins.
- Part 4: New SCADA IDS Rules – The process of writing new SCADA IDS signatures leveraging the detection plugins.
- Part 5: Output Plugins – How the objects in the preprocessors can be output to a file or syslog server rather than a static Snort rule message.
We have put together courseware for a 3 hour module on using these Snort enhancements as part of the pre-S4 training day. The response has been larger than expected, and we may offer an additional Bandolier / SCADA Snort class in conjunction with another industry event in the first part of the year.
The US Department of Homeland Security, Science and Technology Directorate funded this work under a research contract. We are very appreciative of this; these results, as well as the earlier SCADA IDS signatures, would not have been possible without this funding.