This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Eyal_Rashelbach
Employee
Employee
‎2017-08-30 05:29 AM

How to detect or prevent SCADA protocol commands activity on specific time or date

Hi Everyone,

Time determined activities in ICS network are common in use. An anomaly can be devastating and as a result might be a threat to the ICS network. Even a simple fuzzing attack can trigger a time determined activity, harming the ICS network normal behavior. As a consequence it is required to detected or even prevented improper triggering of such activities. Logic protections on the PLC side can prevent this risk, however in most cases OT people don’t implement the required protection.  
Following we will see how we can create an application based on SCADA protocol command and address which trigger the proper ICS activity , link it with a policy and detect and prevent it based on time configuration

 

 

Let consider that we manage an Industrial Control system based on Modbus protocol. The process requires a daily machinery backwash sequence at a specific time of the day. During the rest of the day we want to be advised or even to block any attempt to start the backwash sequence, as it can damage or even cause production to stop.

 

How we can solve this necessity with Check Point ICS solution:

  1. In the application control blade, we will create an application to monitor the Modbus write function command for a single address in the PLC, which is responsible for the activation of the backwash sequence.
  2. In addition we will create a new policy and link it with application we created. As the sequence activation out of the required time might harm the process, we will rank the policy as high risk.
  3. Now we can modify the policy time configuration to meet our operational requirements, restricting the command execution out of the permitted hours. The application control blade allows us to configure the time on daily based, days of the week and days of the month. This provide us wider flexibility while required to configure policy time restrictions. Any attempt to start the backwash out of the required time, would be blocked and will not arrive to the destination PLC address.  

 

 

For further information please contact .

 

Shlomi Feldman

ICS Solution Expert

 

Direct line: +972-73-2265136

Cell:           +972-54-5583040

3 Replies
Shlomi_Feldman
Employee
Employee
‎2017-08-30 10:29 PM

Thanks Eyal

0 Kudos
Iain_King
Collaborator
‎2018-11-19 06:19 PM

I'm very curious to know how this is going to work in R80.20.. I see that the application control for Modbus was just removed in R80.20.

Do you have any information on that?

0 Kudos
Sunny_Gill
Employee
Employee
‎2018-11-20 01:19 AM
In response to Iain_King

Hi Iain,

SCADA Protocols, Functions & Commands are still available in Application Control blade in R80.20. What has been (re)moved is Deep Protocol Inspection of Modbus and three other protocols that allowed 'value-based' policy i.e. the ability to do a policy not only on the protocol, function/command but the value too. This ability is now available as an API rather than a GUI function of Application Control. You can find more details in the ICS user guide