Introduction

Most of the time, industrial protocols are designed for a functional purpose, without necessarily taking into account security aspects.

In general, they allow client machines to request actions from PLCs (Programmable Logic Controllers), expecting such actions to be carried out in return. Client workstations may thus ask a PLC to write data into memory, or simply order it to shut down.

Such requests for action are defined in a particular field of the protocol called the "function code". As industrial protocols do not include any security mechanisms such as the verification of the message sender's identity, any machine on the network would then be able to request actions from the PLC.

The aim of this document is to set out a method for identifying the various function codes of a protocol exchanged over the corporate industrial network. Once this capture has been made, the administrator can build a security policy that specifies which function codes are allowed or prohibited for each machine found on the network.

Suspicious machines located on the network would therefore no longer be able to send such messages to the PLC, as the Stormshield Network Firewall would filter them.
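To make the method concrete, here is an added example (not code from the Stormshield document) that assumes the protocol is Modbus/TCP, where the function code is the first byte of the PDU after the 7-byte MBAP header: it inventories the function codes each client sends in a constructed capture, then checks new frames against the resulting per-client allow-list, denying unknown clients and unlisted codes.

```python
import struct
from collections import defaultdict

# Constructed sample of (client_ip, raw Modbus/TCP request) pairs, as a
# capture would yield them. Assumption: Modbus/TCP framing, i.e. a 7-byte
# MBAP header (transaction id, protocol id, length, unit id) then a PDU whose
# first byte is the function code. The page itself names no protocol.
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000002")),  # FC 3 read holding regs
    ("10.0.0.5", bytes.fromhex("000200000006010300100002")),  # FC 3
    ("10.0.0.7", bytes.fromhex("00030000000601060001000a")),  # FC 6 write single reg
    ("10.0.0.9", bytes.fromhex("000400000006010300000001")),  # FC 3
    ("10.0.0.9", bytes.fromhex("000500000006010800000000")),  # FC 8 diagnostics
]


def function_code(frame: bytes) -> int:
    """Return the function code of a Modbus/TCP request frame.

    The MBAP header is validated first (protocol id must be 0, declared
    length must match the bytes actually present) so that a truncated or
    non-Modbus frame is rejected instead of yielding a bogus code.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {proto})")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return frame[7]


def learn_inventory(frames):
    """Build {client_ip: set of function codes observed} from a capture."""
    seen = defaultdict(set)
    for client, frame in frames:
        seen[client].add(function_code(frame))
    return dict(seen)


def check_policy(policy, client, frame):
    """Return (allowed, reason) for one frame against the per-client allow-list.

    Clients absent from the policy and function codes not on a client's
    list are denied, mirroring a default-deny filtering rule.
    """
    fc = function_code(frame)
    allowed = policy.get(client, set())
    if fc in allowed:
        return True, f"{client}: function code {fc} allowed"
    return False, f"{client}: function code {fc} not in allow-list {sorted(allowed)}"
```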

Requirements

SNS firewall in version 2.3.4 or higher.