Tuesday, December 20, 2016

IEC60870-5-104 Protocol Detection Rules

This post was authored by Marshall, Carlos Pacho, and reviewed by Warren Mercer.

Cisco Talos has released 33 Snort rules which are used to analyze/inspect IEC 60870-5-104 network traffic. These rules will help Industrial Control Systems/Supervisory Control and Data Acquisition (ICS/SCADA) asset owners to allow the identification of both normal and abnormal traffic in their environments.

In order for these rules to be effective they should be selectively turned on/enabled. SIDS 41053-41077 will detect various TypeIDs, if that specific TypeID is not in use then the rule should be enabled. SIDS 41078-41079 will detect IEC 104 traffic entering/exiting the ICS network. If 104 traffic is not supposed to enter/exit the ICS network then these sids should be enabled.

The rules will require both Snort $EXTERNAL_NET and $HOME_NET variables to be correctly configured for some of the rules to be effective. If a network does not have IEC 104 traffic these rules should not be enabled as they are only intended to detect IEC 104 traffic and will likely result in false positives (FPs) on non-IEC 104 traffic.

What is IEC 104?

IEC 104 is a network protocol that is commonly used in ICS/SCADA environments. Various ICS/SCADA devices use IEC 104 to communicate with other ICS devices such as, but not limited to, Programmable Logic Controllers, Remote Terminal Unit, etc.

Snort Rules Breakdown

The PROTOCOL-SCADA rules we have released will detect network traffic that complies with the IEC 104 standard and are intended to give an insight to ICS/SCADA network administrators awareness of activity on Operational Technology (OT) networks.

SIDS 41047-41052 will alert on the following:


SIDS 41053-41077 will alert on the following TypeIDs:
  • counter interrogation command
  • clock sync command
  • interrogation command
  • read command
  • rest process command
  • test command with time tag
  • ack file
  • list directory
  • file ready
  • last section
  • end of initialization
  • bitstring of 32 bits
  • double command issued
  • regulating step command
  • single command
  • set point command
  • query Log
  • double point information
  • packed start events
  • integrated totals
  • measured value
  • single point information
  • step point information
  • parameter value

SIDS 41053-41077 will alert on normal IEC 104 traffic. An ICS/SCADA asset owner needs to enable/disable the rules they want to see alerts for. The asset owner should establish a baseline for normal (expected) traffic and enable rules that alert on unexpected traffic.

For example if a ICS network is running IEC 104, but the devices never use the the clock sync and list directory commands, then the clock sync and list directory Snort rules (SID 41074 & 41060) should be enabled. If those sids alert unexpectedly this could be indicative of malicious activity within the network and should be investigated. In order to enable a specific sid, edit the policy, search for the rule, and check the box to enable it.

SIDS 41077 and 41078-41079 will alert on the following abnormalities:

  • A unknown ASDU TypeID detected
  • IEC 104 traffic detected to/from $EXTERNAL_NET

SIDS 41077 and 41078-41079 should be enabled in most IEC 104 environments. These sids will detect two things. SIDS 41078-41079 will detect IEC 104 traffic entering/exiting the network to $EXTERNAL_NET. This variable must be configured in order for these rules to function correctly.. For example, $EXTERNAL_NET can be set any IP address outside of OT network. If IEC 104 traffic is seen exiting or entering the OT network this rule will alert. The second rule (SID 41077) will alert if an unknown TypeID is specified. Unknown TypeIDs are identified as those that not been specified in the IEC 104 protocol spec.

In order to set $HOME_NET and $EXTERNAL_NET in FirePower 6.1 navigate to "Objects" then select "Variable Set". From this menu you are able to set the variables. Additional FirePower documentation can be found here.


These 33 PROTOCOL-SCADA rules will assist ICS asset owners to analyse and inspect IEC 104 network traffic. In order for some of these rules to work $EXTERNAL_NET and $HOME_NET need to be configured. Furthermore these rules need to be enabled selectively and only on IEC 104 networks.