![]() ![]() I have personally implemented support for over 30 application layer protocols inīut unlike Steve I’ve always had access to at least one PCAP file and some form of documentation of the protocol. ![]() So, how difficult is it to write a parser for a proprietary protocol? Even Ralph Langner has opposed to the idea of capturing ICS network traffic in However, asset owners sometimes try to argue that there is no point in capturing their traffic since I’ve been trying to convince asset owners, who use ICS in their power plants, factories,Ĭapturing the network traffic and storing it as PCAP filesįor many years now. ![]() Malicious commands used by the TRITON malware to read and write to the RAM of the SIS controller as well as to execute code.Packets sent to the controller from an unauthorized host.Snort IDS rules specifically for the TriStation protocol. Wireshark dissector for the TriStation protocol. Lua dissector for the TriStation protocol.Īnd some time later the people from Nozomi Networks even implemented a proper Text2pcap Steve managed to piece together anĪctual PCAP file containing a single frame with a TriStation packet inside.Īs you can see in the image above, Wireshark doesn’t decode any of the application layer data coming from The only piece of actual TriStation network traffic he was able to get hold of was a hex dump of a TriStation packet in anĪrmed with only the hexdump and Wireshark’s Which made it really difficult to reverse engineer the protocol implementation in the TRITON malware. Unfortunately Steve wasn’t able to get hold of a single PCAP file with the TriStation network protocol, To this was “Awesome, undocumented things are my favorite things!” There was also no Wireshark dissector that could parse TriStation traffic. This means that there were no publicly available specifications available for the protocol at that time. The communication protocol used by the Triconex controllers is called TriStation, which is a proprietary protocol. I could elaborate a lot regarding the consequences of attacking the SIS, but the good guys from Dragos have alreadyĭone a great job explaining this in their A SIS is typically not used to control the process of a plant,īut rather to detect abnormal operating conditions and safely shut down the industrial process if needed. The TRITON malware (also called TRISIS) was used to target a safety instrumented system (SIS)įrom Schneider Electric called Triconex. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |