Protocol validations

An undesired protocol behavior has been detected. This can refer to a single wrong message, to a correct message that was not supposed to be transmitted or was transmitted at the wrong time (a state machine violation), or to a malicious message sequence. Protocol-specific error messages indicating misconfigurations also trigger alerts that fall into this category.

Each entry below carries the fields of the original table: Type ID and Name on the first line, then Security Profile, Risk, Product, Versions and Trace, followed by the Details (description and recommended action).

NET:RST-FROM-PRODUCER - Link RST request by Producer
  Security Profile: LOW | Risk: 3 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: The link has been dropped because of a TCP RST sent by the producer.
  Recommended action: Verify that the device is working properly, that no misconfigurations are in place, and that the network does not suffer from excessive latency.

PROC:SYNC-ASKED-AGAIN - Producer sync request by Consumer
  Security Profile: PARANOID | Risk: 3 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: A new sync command (e.g. General Interrogation in iec101 and iec104) has been issued, while on some links it is sent only once per started connection. It may be due to a specific sync request by an operator, a cyclic sync, or to someone trying to discover the global state of the process.
  Recommended action: Investigate the protocol implementation and the possible presence of malicious actors.

PROC:WRONG-TIME - Process time issue
  Security Profile: HIGH | Risk: 3 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: The time stamp specified in process data is not aligned with the current time. There could be a time sync issue with the source device, a malfunction, or a packet injection.
  Recommended action: Verify the device configuration and status.

SIGN:ARP-FLOOD - ARP flood
  Security Profile: MEDIUM | Risk: 7 | Product: Guardian | Versions: 24.2.0 | Trace: YES
  Details: One or more hosts have sent a large amount of ARP packets.
  Recommended action: Verify the device configuration and status, and the possible presence of malicious actors.

SIGN:ARP:DUP - Duplicated IP
  Security Profile: HIGH | Risk: 5 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: ARP messages have shown a duplicated IP address in the network. It may be a misconfiguration of one of the devices, or an attempted MITM attack.
  Recommended action: Investigate the network configuration and the possible presence of malicious actors.

SIGN:DDOS - DDOS attack
  Security Profile: HIGH | Risk: 5 | Product: Guardian | Versions: 19.0.0 | Trace: YES
  Details: A suspected Distributed Denial of Service has been detected on the network.
  Recommended action: Verify that all the devices in the network are allowed and behaving correctly.

SIGN:DHCP-OPERATION - DHCP operation
  Security Profile: HIGH | Risk: 4 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: A suspicious DHCP operation has been detected. This relates to the presence of new MAC addresses served by the DHCP server, and to wrong DHCP replies.
  Recommended action: Investigate the network configuration and the possible presence of malicious actors.

SIGN:ILLEGAL-PARAMETERS - Illegal parameters request
  Security Profile: MEDIUM | Risk: 7 | Product: Guardian | Versions: 19.0.0 | Trace: YES
  Details: A request with illegal parameters (e.g. outside the legal range) has been issued. This may mean that malfunctioning software is trying to perform an operation without success, or that a malicious attacker is trying to understand the functionalities of the device.
  Recommended action: Verify the device configuration and status, and the possible presence of malicious actors.

SIGN:INVALID-IP - Invalid IP
  Security Profile: HIGH | Risk: 7 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: A packet with an IP address reserved for special purposes (e.g. loopback addresses) has been detected. Packets with such addresses can be related to misconfigurations or to spoofing/denial of service attacks.
  Recommended action: Investigate the network configuration and the possible presence of malicious actors.

SIGN:MAC-FLOOD - Flood of MAC addresses
  Security Profile: MEDIUM | Risk: 7 | Product: Guardian | Versions: 20.0.1 | Trace: YES
  Details: A high number of new MAC addresses has appeared in a short time. This can be a flooding technique.
  Recommended action: Investigate the network configuration and the possible presence of malicious actors.

SIGN:MALFORMED-TRAFFIC - Malformed traffic
  Security Profile: MEDIUM | Risk: 7 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: A malformed L7 packet has been detected. A maliciously malformed packet can target known issues in devices or software versions, and should therefore be considered carefully as the possible source of an attack.
  Recommended action: Investigate the protocol implementation and the possible presence of malicious actors.

SIGN:MALICIOUS-PROTOCOL - Malicious protocol
  Security Profile: LOW | Risk: 6 | Product: Guardian | Versions: 19.0.0 | Trace: YES
  Details: An attempted communication using a protocol known to be related to threats has been detected.
  Recommended action: Verify the device configuration and status, and the possible presence of malicious actors.

SIGN:MULTIPLE-ACCESS-DENIED - Multiple Access Denied events
  Security Profile: MEDIUM | Risk: 8 | Product: Guardian | Versions: 19.0.5 | Trace: YES
  Details: A host has repeatedly been denied access to a resource.
  Recommended action: Verify whether the calling device is supposed to access those resources and tune the authorization permissions accordingly.

SIGN:MULTIPLE-OT_DEVICE-RESERVATIONS - Multiple OT device reservations
  Security Profile: HIGH | Risk: 8 | Product: Guardian | Versions: 19.0.0 | Trace: YES
  Details: A host has repeatedly tried to reserve the usage of an OT device, causing a potential denial of service.
  Recommended action: Verify the device configuration and status, and the possible presence of malicious actors.

SIGN:MULTIPLE-UNSUCCESSFUL-LOGINS - Multiple unsuccessful logins
  Security Profile: MEDIUM | Risk: 8 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: A host has repeatedly tried to log in to a service without success. It can be either a user or a script, and due either to a malicious entity or to a wrong configuration.
  Recommended action: Verify whether the calling device is supposed to access the target device and tune the authentication credentials accordingly.

SIGN:NET-MALFORMED - Malformed Network/Transport layer
  Security Profile: MEDIUM | Risk: 7 | Product: Guardian | Versions: 20.0.0 | Trace: YES
  Details: A packet containing a semantically invalid sequence below the application layer has been observed.
  Recommended action: Investigate the protocol implementation and the possible presence of malicious actors.

SIGN:NETWORK-SCAN - Network Scan
  Security Profile: MEDIUM | Risk: 7 | Product: Guardian | Versions: 19.0.0 | Trace: YES
  Details: An attempt to reach many target hosts or ports in a target network (vertical or horizontal scan) has been detected.
  Recommended action: Investigate whether this is expected behavior or a malicious scan activity is under way.

SIGN:PROC:MISSING-VAR - Missing variable request
  Security Profile: HIGH | Risk: 6 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: An attempt to access a nonexistent variable has been made. This may be due to a misconfiguration or to an attempt to discover valid variables inside a producer. Example: COT 47 in iec104.
  Recommended action: Verify the device configuration and status, and the possible presence of malicious actors.

SIGN:PROC:UNKNOWN-RTU - Missing or unknown device
  Security Profile: MEDIUM | Risk: 6 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: An attempt to access a nonexistent virtual RTU (a logical portion of a controller) has been made. This may be due to a misconfiguration or to an attempt to discover valid virtual producer RTUs. Example: COT 46 in iec104.
  Recommended action: Verify the device configuration and status, and the possible presence of malicious actors.

SIGN:PROTOCOL-ERROR - Protocol error
  Security Profile: HIGH | Risk: 7 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: A generic protocol error occurred; this usually relates to a wrong field, option, or other general violation of the protocol.
  Recommended action: Investigate the protocol implementation and the possible presence of malicious actors.

SIGN:PROTOCOL-FLOOD - Protocol-based flood
  Security Profile: MEDIUM | Risk: 7 | Product: Guardian | Versions: 19.0.4 | Trace: YES
  Details: One or more hosts have sent a suspiciously high amount of packets with the same application layer (e.g., ping requests) to a single target host.
  Recommended action: Verify the device configuration and status, and the possible presence of malicious actors.

SIGN:PROTOCOL-INJECTION - Protocol packet injection
  Security Profile: LOW | Risk: 9 | Product: Guardian | Versions: 18.0.0 | Trace: YES
  Details: A correct protocol packet injected in the wrong context has been detected: this may cause equipment to operate improperly. Example: a correct GOOSE message sent with a wrong sequence number (which, if received at the right moment, would simply work).
  Recommended action: Investigate the protocol implementation and the possible presence of malicious actors.

SIGN:TCP-FLOOD - TCP flood
  Security Profile: MEDIUM | Risk: 7 | Product: Guardian | Versions: 19.0.4 | Trace: YES
  Details: One or more hosts have sent a large amount of anomalous TCP packets or TCP FIN packets to a single target host.
  Recommended action: Verify the device configuration and status, and the possible presence of malicious actors.

SIGN:UDP-FLOOD - UDP flood
  Security Profile: MEDIUM | Risk: 7 | Product: Guardian | Versions: 20.0.7.1 | Trace: YES
  Details: One or more hosts have sent a large amount of UDP packets to a single target host.
  Recommended action: Verify the device configuration and status, and the possible presence of malicious actors.

SIGN:UNSUPPORTED-FUNC - Unsupported function request
  Security Profile: MEDIUM | Risk: 7 | Product: Guardian | Versions: 19.0.0 | Trace: YES
  Details: An unsupported function (e.g. one not defined in the specification) has been used on the OT device. This may be malfunctioning software trying to perform an operation without success, or a malicious attacker trying to understand the device functionalities. Example: COT 44 in iec104.
  Recommended action: Verify the device configuration and status, and the possible presence of malicious actors.
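Three of the entries above (SIGN:UNSUPPORTED-FUNC, SIGN:PROC:UNKNOWN-RTU and SIGN:PROC:MISSING-VAR) cite IEC 104 causes of transmission 44, 46 and 47 as examples. The following Python is an added illustration, not Guardian's detection code: it parses the IEC 60870-5-104 APCI/ASDU header of a frame, reads the 6-bit COT and its P/N (negative) bit, and maps a negative confirmation with one of those COT values to the alert type ID the page associates with it. The sample frames, the `build_i_frame` helper and the COT-to-alert mapping are constructed here for the example; COT 45 (unknown cause of transmission) is a negative cause defined by the standard that the page maps to no alert, so the example reports it as unmapped.

```python
"""Classify IEC 60870-5-104 negative confirmations by cause of transmission.

Constructed example, not Guardian code. A controlled station that cannot honour
a command mirrors the ASDU back with the P/N bit set and one of the "unknown"
causes (44..47). This maps the three COT values the alert table cites to the
alert IDs listed there; COT 45 is reported but left unmapped, as on the page.
"""
from typing import Optional

# COT value -> alert type ID the page cites for that value (constructed mapping).
ALERT_FOR_COT = {
    44: "SIGN:UNSUPPORTED-FUNC",  # unknown type identification
    46: "SIGN:PROC:UNKNOWN-RTU",  # unknown common address of ASDU
    47: "SIGN:PROC:MISSING-VAR",  # unknown information object address
}
# Names of the four "unknown" negative causes defined by IEC 60870-5-101/104.
COT_NAMES = {
    44: "unknown type identification",
    45: "unknown cause of transmission",
    46: "unknown common address of ASDU",
    47: "unknown information object address",
}

START_BYTE = 0x68


def parse_apdu(frame: bytes) -> Optional[dict]:
    """Parse one IEC 104 APDU. Returns the ASDU header fields of an I-format
    frame, or None for S/U-format frames (which carry no ASDU).
    Raises ValueError when the frame violates the APCI/ASDU layout."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("missing 0x68 start byte or frame too short")
    if frame[1] + 2 != len(frame):
        raise ValueError("APDU length field does not match frame size")
    ctrl = frame[2:6]
    if ctrl[0] & 0x01:          # bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = frame[6:]
    if len(asdu) < 6:           # IEC 104 uses a 6-byte ASDU header
        raise ValueError("ASDU header truncated")
    cot_raw = asdu[2]
    return {
        "type_id": asdu[0],
        "vsq": asdu[1],
        "cot": cot_raw & 0x3F,              # 6-bit cause of transmission
        "negative": bool(cot_raw & 0x40),   # P/N bit: negative confirmation
        "test": bool(cot_raw & 0x80),       # T bit: test frame
        "originator": asdu[3],
        "common_address": asdu[4] | (asdu[5] << 8),   # 2 bytes, little-endian
        # First information object address (3 bytes), if present.
        "ioa": (asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)) if len(asdu) >= 9 else None,
    }


def classify(frame: bytes) -> Optional[str]:
    """Return the alert type ID for a negative confirmation whose COT the page
    maps, or None (positive ASDU, S/U frame, or an unmapped negative cause)."""
    hdr = parse_apdu(frame)
    if hdr is None or not hdr["negative"]:
        return None
    return ALERT_FOR_COT.get(hdr["cot"])


def build_i_frame(type_id, cot, negative, common_address, ioa, payload=b"", originator=0):
    """Construct an I-format APDU with one information object (VSQ=1).
    Send/receive sequence numbers are zero in this constructed sample."""
    cot_byte = (cot & 0x3F) | (0x40 if negative else 0x00)
    asdu = bytes([type_id, 0x01, cot_byte, originator,
                  common_address & 0xFF, (common_address >> 8) & 0xFF])
    asdu += ioa.to_bytes(3, "little") + payload
    apdu = b"\x00\x00\x00\x00" + asdu
    return bytes([START_BYTE, len(apdu)]) + apdu


# Constructed sample traffic: a legitimate interrogation, three mirrored negative
# confirmations matching the page's COT examples, one unmapped negative cause,
# and an S-format acknowledgement.
SAMPLE_FRAMES = {
    "gi_activation": build_i_frame(100, 6, False, 1, 0, b"\x14"),    # C_IC_NA_1, act, QOI=20
    "unknown_type":  build_i_frame(127, 44, True, 1, 0),             # COT 44 mirrored back
    "unknown_cot":   build_i_frame(100, 45, True, 1, 0, b"\x14"),    # COT 45, unmapped on page
    "unknown_ca":    build_i_frame(100, 46, True, 999, 0, b"\x14"),  # COT 46, CA 999 unknown
    "unknown_ioa":   build_i_frame(45, 47, True, 1, 5000, b"\x01"),  # C_SC_NA_1, IOA 5000 unknown
    "s_frame":       bytes([0x68, 0x04, 0x01, 0x00, 0x00, 0x00]),    # S-format, no ASDU
}


def scan(frames: dict) -> dict:
    """Run classify() over a batch; returns {label: alert_id} for frames that hit."""
    hits = {}
    for label, frame in frames.items():
        alert = classify(frame)
        if alert:
            hits[label] = alert
    return hits


if __name__ == "__main__":
    for label, alert in scan(SAMPLE_FRAMES).items():
        hdr = parse_apdu(SAMPLE_FRAMES[label])
        print(f"{label}: {alert} (COT {hdr['cot']}: {COT_NAMES[hdr['cot']]})")
```

Running the module prints the three hits; a frame whose length byte disagrees with its size, or whose ASDU header is shorter than six bytes, raises ValueError, which is the kind of layout violation the SIGN:PROTOCOL-ERROR and SIGN:MALFORMED-TRAFFIC entries describe rather than a COT-based alert.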