
Administration Guide

Detecting IEC 61850 MMS protocol in IPS

IEC 61850 is a SCADA protocol whose services are mapped to a number of protocols, including MMS services. MMS/ICCP detection is supported in IPS. The purpose of the MMS dissectors is to identify every IEC 61850 service so that different MMS/ICCP messages can be distinguished. IPS engine 6.0.12 and later support MMS dissectors.

The following scenarios are also supported:

  • Multiple MMS PDUs are transferred in one TCP payload, and the IPS engine identifies each PDU individually.
  • An MMS message is split over multiple TCP segments, where MMS runs over COTP segments.
  • ICCP/TASE.2, which also uses MMS transport (ISO transport over TCP for ICCP), is detected.
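
The first two scenarios come down to stream reassembly: MMS rides on COTP Data TPDUs, which are framed by RFC 1006 TPKT headers on TCP port 102. The following is an added example, not Fortinet code and not a description of the IPS engine's internals; it shows the framing logic with constructed placeholder payloads, and `MAX_TSDU` is an assumed buffer cap.

```python
import struct

TPKT_VERSION = 3      # RFC 1006 TPKT version octet
COTP_DT = 0xF0        # ISO 8073 class 0 Data TPDU code
COTP_EOT = 0x80       # "last segment" flag in the TPDU-NR octet
MAX_TSDU = 65536      # assumed cap so a peer cannot grow the buffer forever


class CotpReassembler:
    """Turn a TCP byte stream into whole upper-layer (MMS) PDUs."""

    def __init__(self):
        self._stream = bytearray()  # TCP bytes not yet framed
        self._tsdu = bytearray()    # COTP segments of the PDU in progress

    def feed(self, tcp_payload):
        self._stream += tcp_payload
        done = []
        while len(self._stream) >= 4:
            version, _, length = struct.unpack_from("!BBH", self._stream)
            if version != TPKT_VERSION or length < 7:
                raise ValueError("malformed TPKT header")
            if len(self._stream) < length:
                break  # rest of this frame is in a later TCP segment
            frame = bytes(self._stream[4:length])
            del self._stream[:length]
            li, code = frame[0], frame[1]
            if code != COTP_DT:
                continue  # connection TPDUs (CR/CC/DR) carry no MMS data
            if li < 2 or li + 1 > len(frame):
                raise ValueError("malformed COTP DT header")
            self._tsdu += frame[li + 1:]
            if len(self._tsdu) > MAX_TSDU:
                raise ValueError("reassembled PDU exceeds cap")
            if frame[2] & COTP_EOT:  # last COTP segment of this PDU
                done.append(bytes(self._tsdu))
                self._tsdu.clear()
        return done


def dt_frame(data, last=True):
    """Build a constructed TPKT + COTP DT frame for the demo below."""
    cotp = bytes([2, COTP_DT, COTP_EOT if last else 0]) + data
    return struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(cotp)) + cotp


def demo():
    """Run both scenarios on placeholder payloads (not real MMS encodings)."""
    r = CotpReassembler()
    two_in_one = r.feed(dt_frame(b"PDU-A") + dt_frame(b"PDU-B"))
    split = dt_frame(b"PDU-", last=False) + dt_frame(b"C")
    across = r.feed(split[:6]) + r.feed(split[6:13]) + r.feed(split[13:])
    return two_in_one, across
```
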

Industrial signatures must be enabled in the global IPS settings to receive MMS/ICCP signatures. By default, industrial signatures are excluded.

config ips global
    set exclude-signatures none
end

Below are some industrial signatures for MMS/ICCP messages that can be detected by the IPS engine. This is not an exhaustive list.

  • MMS_GetNameList.Request
  • MMS_GetNamedVariableListAttributes.Request
  • MMS_GetVariableAccessAttributes.Request
  • MMS_Identify.Request
  • MMS_Initiate.Request
  • MMS_Read.Request
  • MMS_Reset.Request
  • ICCP_Transfer.Reporting
  • ICCP_Create.Dataset
  • ICCP_Abort
  • ICCP_Start.Transfer.DSTransferSet
  • ICCP_Get.Dataset.Element.Values
  • ICCP_Get.Next.DSTransfer.Set.Value
  • ICCP_Delete.Dataset
  • ICCP_Start.Transfer.IMTransferSet

Diagnose command

The COTP dissector adds support for identifying every MMS PDU and lets the IPS engine separate them, as with the Modbus and IEC-104 services.

# diagnose ips debug enable all
# diagnose debug enable
[284@78]ips_l7_dsct_processor: serial=8142 create: cotp
[284@78]ips_l7_dsct_processor: serial=8142 create: iec104
[284@78]ips_l7_dsct_processor: serial=8142 create: modbus

Log samples

MMS dissectors can be triggered, and MMS/ICCP signatures can be monitored and logged.

Log samples:
date=2020-03-26 time=15:51:10 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1585263070836106492 tz="-0700" appid=43699 srcip=10.1.100.242 dstip=172.16.200.106 srcport=50963 dstport=102 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" proto=6 service="tcp/26112" direction="outgoing" policyid=1 sessionid=2711 applist="test" action="pass" appcat="Industrial" app="MMS_Read.Request" incidentserialno=376610508 msg="Industrial: MMS_Read.Request," apprisk="elevated"
date=2020-03-26 time=16:15:45 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1585091746264983273 tz="-0700" appid=44684 srcip=10.1.100.242 dstip=172.16.200.106 srcport=41665 dstport=102 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" proto=6 service="tcp/26112" direction="incoming" policyid=1 sessionid=194463 applist="test" action="pass" appcat="Industrial" app="ICCP_Transfer.Reporting" incidentserialno=762763993 msg="Industrial: ICCP_Transfer.Reporting," apprisk="elevated"
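
To monitor these events outside the FortiGate, the key=value log format can be parsed and filtered on `appcat="Industrial"`. The following is an added example, not part of the Fortinet guide; the log lines are constructed (shortened, modelled on the samples above), and the `AUTHORISED_CLIENTS` allowlist is a site-specific assumption.

```python
import shlex
from collections import Counter

# Assumption: hosts authorised to act as MMS/ICCP clients at this site.
AUTHORISED_CLIENTS = {"10.1.100.242"}

# Constructed sample lines carrying a subset of the fields shown above.
SAMPLE_LOGS = """\
date=2020-03-26 time=15:51:10 type="utm" subtype="app-ctrl" srcip=10.1.100.242 dstip=172.16.200.106 dstport=102 action="pass" appcat="Industrial" app="MMS_Read.Request" msg="Industrial: MMS_Read.Request,"
date=2020-03-26 time=15:52:02 type="utm" subtype="app-ctrl" srcip=10.1.100.77 dstip=172.16.200.106 dstport=102 action="pass" appcat="Industrial" app="MMS_Reset.Request" msg="Industrial: MMS_Reset.Request,"
date=2020-03-26 time=15:53:40 type="utm" subtype="app-ctrl" srcip=10.1.100.242 dstip=172.16.200.9 dstport=443 action="pass" appcat="Web.Client" app="Example.Web.App" msg="Web.Client: Example.Web.App,"
"""


def parse_line(line):
    """Split one key=value log line into a dict; shlex strips the quotes."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def industrial_events(text):
    """Yield app-ctrl events in the Industrial category for MMS_/ICCP_ apps."""
    for line in text.splitlines():
        ev = parse_line(line)
        if (ev.get("subtype") == "app-ctrl"
                and ev.get("appcat") == "Industrial"
                and ev.get("app", "").startswith(("MMS_", "ICCP_"))):
            yield ev


def summarise(text):
    """Count services per source/destination pair; list unlisted sources."""
    counts = Counter()
    alerts = []
    for ev in industrial_events(text):
        counts[(ev["srcip"], ev["dstip"], ev["app"])] += 1
        if ev["srcip"] not in AUTHORISED_CLIENTS:
            alerts.append((ev["srcip"], ev["app"], ev["action"]))
    return counts, alerts


if __name__ == "__main__":
    print(summarise(SAMPLE_LOGS))
```
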
