Eyal Rashelbach

How to detect or prevent SCADA protocol commands activity on specific time or date

Discussion created by Eyal Rashelbach Moderator on Aug 30, 2017
Latest reply on Aug 30, 2017 by Shlomi Feldman

Hi Everyone,

Time determined activities in ICS network are common in use. An anomaly can be devastating and as a result might be a threat to the ICS network. Even a simple fuzzing attack can trigger a time determined activity, harming the ICS network normal behavior. As a consequence it is required to detected or even prevented improper triggering of such activities. Logic protections on the PLC side can prevent this risk, however in most cases OT people don’t implement the required protection.  
Following we will see how we can create an application based on SCADA protocol command and address which trigger the proper ICS activity , link it with a policy and detect and prevent it based on time configuration

 

 

Let consider that we manage an Industrial Control system based on Modbus protocol. The process requires a daily machinery backwash sequence at a specific time of the day. During the rest of the day we want to be advised or even to block any attempt to start the backwash sequence, as it can damage or even cause production to stop.

 

How we can solve this necessity with Check Point ICS solution:

  1. In the application control blade, we will create an application to monitor the Modbus write function command for a single address in the PLC, which is responsible for the activation of the backwash sequence.
  2. In addition we will create a new policy and link it with application we created. As the sequence activation out of the required time might harm the process, we will rank the policy as high risk.
  3. Now we can modify the policy time configuration to meet our operational requirements, restricting the command execution out of the permitted hours. The application control blade allows us to configure the time on daily based, days of the week and days of the month. This provide us wider flexibility while required to configure policy time restrictions. Any attempt to start the backwash out of the required time, would be blocked and will not arrive to the destination PLC address.  

 

 

For further information please contact .

 

Shlomi Feldman

ICS Solution Expert

 

Direct line: +972-73-2265136

Cell:           +972-54-5583040

Outcomes