ENIP SWAT PARSER Overview
Description
The parser decodes CIP-ENIP packets specific to the SUTD SWaT testbed. It parses both TCP and UDP packets and generates log files.
System Diagram
Decoding
Level 0 Communications
Packets in the level 0 communication are transmitted over UDP.
In Wireshark, the protocol is called "cipio".
The level 0 packets carry analog and digital inputs from sensors and actuators to the PLCs, and digital outputs from the PLCs to the actuators.
At this level, the data values communicated are closest to the sensors and actuators; hence they best reflect the true values and states of the sensors and actuators.
Level 1 Communications
Packets in the level 1 communication are transmitted over TCP, carrying the ENIP and CIP headers.
In Wireshark, the protocol is called "cip".
The User-Defined Types (UDTs), as specified in the RSLogix program, are located in the Command Specific Data section of the CIP header. The UDTs contain the data values processed by the RSLogix PLC code.
Data Structures
The data structures were extracted from the PLC code (.ACD file).
Parsing
CIP-ENIP
Files in enip_swat_parser/src:
- enip-analyzer.pac
- enip-dissector.pac
- enip-protocol.pac
- enip-util.pac
- enip.pac
- events.bif
- const.pac
Decodes the ENIP header, the CIP header, and CIPIO.
Extracts the Request Path from the CIP header of the request packet and uses a hash map to match it to the corresponding response packet.
Decodes ForwardOpen packets and uses hash maps to keep track of the ConnectionID pairs (only for CIP packets; CIPIO packets are only loosely identified by IP address and payload length).
The following are the main hand-offs to the SWaT add-on code.
- Pass to addons_cip_analyzer to decode the UDTs and types as specified in RSLogix.

  function process_data(
      service: int16,
      enip_header: ENIP_Header,
      cip_header: CIP_Header,
      data: bytestring)
      : bool
  %{
      // Hand the decoded CIP payload to the SWaT add-on for UDT decoding.
      addons_cip_analyzer(service, enip_header, cip_header, data);
      return true;
  %}

- Pass to addons_ciprio_analyzer to decode the CIPIO payload as specified in the PLC code.

  function process_cip_io(
      cip_io_item: CIP_IO)
      : bool
  %{
      // Skip the item if its connection ID cannot be mapped to a known CIPIO connection.
      if (!set_map_cip_conn_id_rio("process_cip_io", cip_io_item))
      {
          return true;
      }
      addons_ciprio_analyzer(cip_io_item);
      return true;
  %}
SWaT add-ons
Files in enip_swat_parser/src:
- enip-analyzer-addons.pac
- events_addons.bif
- types_addons.bif
- const_addons.pac
Decodes the level 1 communication User-Defined Type (UDT) payload that is encapsulated in the CIP header.
Decodes the level 0 communication CIPIO payload, which is currently identified by a fixed packet length that loosely distinguishes the three data structures: analog input, digital input, and digital output packets. The fixed packet lengths were retrieved from the PLC code.
Logging
General Logging
File in enip_swat_parser/scripts/icsnpp/enip/events:
- swat_events.zeek
For each event generated by the analyzer, the script writes a log entry. The log contains the data values associated with the User-Defined Type (UDT) or CIPIO, in Zeek log format.
Decision Tree Logging
Files in enip_swat_parser/scripts/icsnpp/enip/events:
- SWAT_ZEEK_SCRIPT_20220811_MotorValve_2-2_broker.zeek
- SWAT_ZEEK_SCRIPT_20220823_Pump_broker.zeek
On each event generated by the analyzer, the data values from the packets are passed through the decision trees. If the actual digital outputs from the packet differ from the digital outputs computed by the decision trees, the scripts write alerts to the alert log file.
INTRUSION DETECTION WITH AUTO-GENERATED ZEEK SCRIPTS
The level 0 analog input and digital input packets from the sensors and actuators to the PLC are presumed to be undisrupted, so they always reflect the true values and states of the sensors and actuators. Hence these data values serve as the baseline from which the Zeek script calculates the true actuator commands.
The level 0 digital output packets from the PLC to the sensors and actuators are assumed to be manipulable. The digital outputs are tested against the true actuator commands calculated by the Zeek script. Any discrepancy between the calculated values and the digital output from the PLC raises an alarm in the Notice log.
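The level 0 baseline check described above, as an added example in Python rather than the project's Zeek scripts: a tiny decision tree stands in for the auto-generated trees, and the tag names (LIT_source, MV_open, P_run), thresholds and samples are constructed, not taken from the SWaT PLC code.

```python
"""Level 0 baseline check: recompute actuator commands from trusted inputs
and flag PLC digital outputs that disagree. Added example, not the project's
Zeek scripts; the tree, tag names and samples are constructed."""
from dataclasses import dataclass, field

# Decision tree as nested tuples (tag, threshold, left, right): take `left`
# when inputs[tag] <= threshold, else `right`; a bare bool is a leaf command.
# Constructed rule: the pump runs only if the source tank level is above 250
# and the downstream valve feedback reports open.
PUMP_TREE = ("LIT_source", 250.0, False, ("MV_open", 0.5, False, True))


def evaluate(tree, inputs: dict) -> bool:
    """Walk the tree using the level 0 analog + digital inputs as features."""
    while not isinstance(tree, bool):
        tag, threshold, left, right = tree
        tree = left if inputs[tag] <= threshold else right
    return tree


@dataclass
class Level0Sample:
    ts: float
    inputs: dict = field(default_factory=dict)       # AI + DI packets (baseline)
    digital_out: dict = field(default_factory=dict)  # DO packet from the PLC


def check_sample(sample: Level0Sample, trees: dict) -> list[str]:
    """Return one alert per output tag whose PLC value differs from the tree."""
    alerts = []
    for tag, tree in trees.items():
        expected = evaluate(tree, sample.inputs)
        actual = bool(sample.digital_out[tag])
        if actual != expected:
            alerts.append(f"ts={sample.ts:.3f} {tag}: PLC sent {int(actual)}, "
                          f"baseline expects {int(expected)}")
    return alerts


def run(samples: list, trees: dict) -> list[str]:
    """Apply every tree to every sample and collect the alerts."""
    return [a for s in samples for a in check_sample(s, trees)]


# Constructed samples: the last one carries a run command while the tank is low.
SAMPLES = [
    Level0Sample(1.0, {"LIT_source": 600.0, "MV_open": 1}, {"P_run": 1}),
    Level0Sample(2.0, {"LIT_source": 600.0, "MV_open": 0}, {"P_run": 0}),
    Level0Sample(3.0, {"LIT_source": 120.0, "MV_open": 1}, {"P_run": 1}),
]
```

Running `run(SAMPLES, {"P_run": PUMP_TREE})` yields a single alert for the third sample; in the real scripts the same comparison is done per event and the alert goes to the Notice log.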
The level 1 communication is where attacks can manipulate the processed data values in the PLC code. Falsified processed data values can result in harmful actuator commands that damage the testbed by flooding or draining the tanks and overstressing the actuators.