OT security has become a necessity because of the flat network designs typical of operational environments and the criticality of the systems operated over them. The Supervisory Control And Data Acquisition (SCADA) protocol IEC 60870-5-104 (IEC104) is used by most utility operators in Europe, which makes it an attractive target for attackers. IDS signatures for IEC104 exist, but most of them are generic: they bind to the standard protocol itself, not to each customer's specific implementation. An interrogation command telegram may be harmless in one customer environment, for example, while in another it exposes critical information. This paper explains the underlying construct of an IEC104 telegram and how to customize standard Snort rules for that specific telegram. In this way, each SCADA command can be interpreted and evaluated as permit, monitor, or deny for any controlled device, for each particular SCADA implementation.
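The abstract describes decoding the IEC104 telegram (APCI plus ASDU) and then judging each command against a site-specific permit/monitor/deny policy rather than a generic protocol signature. The Python below is an added illustration of that idea, not code from the paper or any IDS project: it parses the public frame layout (0x68 start byte, length, four control octets, then type identifier, variable structure qualifier, cause of transmission, common address and the first information object address), and looks the decoded command up in a hypothetical per-site policy table. The policy table, the sample telegrams and the default verdict are constructed for the example.

```python
"""Classify IEC 60870-5-104 telegrams and evaluate them against a per-site policy.

Added example for the abstract above, not the paper's own code. Frame layout and
type/COT values follow the public standard; POLICY and the sample telegrams are
constructed for illustration.
"""

# ASDU type identifiers (public IEC 60870-5-101/104 values)
TYPE_NAMES = {
    45: "C_SC_NA_1 (single command)",
    46: "C_DC_NA_1 (double command)",
    100: "C_IC_NA_1 (interrogation command)",
    103: "C_CS_NA_1 (clock synchronisation)",
}
COT_ACTIVATION = 6

# Hypothetical site policy: (common address, type id) -> verdict.
# Anything not listed falls back to the default verdict passed to evaluate().
POLICY = {
    (1, 100): "permit",   # station interrogation of RTU 1 is normal here
    (1, 45): "monitor",   # single commands to RTU 1 are logged for review
}


def parse_apdu(data: bytes) -> dict:
    """Parse one APDU; returns frame format and, for I-format, the ASDU header."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC104 APDU (missing 0x68 start byte)")
    apdu_len = data[1]
    if apdu_len + 2 != len(data):
        raise ValueError(f"length field {apdu_len} does not match {len(data) - 2} payload bytes")
    ctrl = data[2:6]
    # The two low bits of the first control octet select the frame format
    if ctrl[0] & 0x01 == 0:
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    result = {"format": fmt}
    if fmt != "I":
        return result          # S and U frames carry no ASDU
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("I-format APDU too short for an ASDU header and one IOA")
    type_id, vsq, cot_lo, cot_hi, ca_lo, ca_hi = asdu[:6]
    result.update({
        "type_id": type_id,
        "type_name": TYPE_NAMES.get(type_id, f"type {type_id}"),
        "num_objects": vsq & 0x7F,          # bit 7 is the SQ flag
        "cot": cot_lo & 0x3F,               # bits 6/7 are P/N and test flags
        "originator": cot_hi,
        "common_address": ca_lo | (ca_hi << 8),
        "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),  # 3-byte IOA, little-endian
    })
    return result


def evaluate(parsed: dict, policy: dict = POLICY, default: str = "deny") -> str:
    """Return permit/monitor/deny for a parsed telegram under the site policy."""
    if parsed["format"] != "I":
        return "permit"        # link-layer supervision and test frames carry no command
    if parsed["cot"] != COT_ACTIVATION:
        return "monitor"       # confirmations and spontaneous data: observe, don't block
    return policy.get((parsed["common_address"], parsed["type_id"]), default)


def classify(telegrams) -> list:
    """Evaluate a sequence of raw APDUs; returns (verdict, description) pairs."""
    out = []
    for raw in telegrams:
        p = parse_apdu(raw)
        desc = p["format"] + "-frame" if p["format"] != "I" else (
            f"{p['type_name']} COT={p['cot']} CA={p['common_address']} IOA={p['ioa']}")
        out.append((evaluate(p), desc))
    return out


# Constructed sample telegrams (hex): interrogation to CA 1, single command to
# CA 1 / IOA 4097, a single command to an unlisted CA 2, and a U-frame TESTFR act.
SAMPLES = [
    bytes.fromhex("680e0000000064010600010000000014"),
    bytes.fromhex("680e000000002d010600010001100081"),
    bytes.fromhex("680e000000002d010600020001100081"),
    bytes.fromhex("680443000000"),
]

if __name__ == "__main__":
    for verdict, desc in classify(SAMPLES):
        print(f"{verdict:8} {desc}")
```

Where a Snort rule would match a type identifier at a fixed offset, the same decoded fields are what a site-specific rule keys on; the policy table is the part that differs from one customer to the next.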