ICCP zeek plugin - need assistance

[Crubumble]

The protocol

IEC 60870 part 6 in electrical engineering and power system automation, 
is one of the IEC 60870 set of standards which define systems used for 
telecontrol (supervisory control and data acquisition) in electrical
engineering and power system automation applications

Source: Wikipedia

Typical features of real-world control systems — such as periodic or spontaneous data transfers, command outputs, and acknowledgments — are represented in TASE.2 using its own terminology.

TASE.2 is type-transparent, meaning it can transfer arbitrary data between connected systems. To support this, data structures must be explicitly defined as data objects. These are organized using conformance building blocks, as defined in the IEC 60870-6 series (503, 702, and 802).

Status of the plugin

Development of the protocol parser is progressing steadily. All protocol layers have been considered, and the zeek plugin for ICCP/TASE.2 is scheduled for release in two weeks.

To enhance the reliability of the parser, we are already evaluating how ICCP is used in real environments. For example, some implementations deviate from the standard, such as non-conformant usage of the ACSE protocol. These variations can be handled easily, but we need those examples and data structure that is used for this protocol.

To assist in this, we created explore-mms, a command-line tool for inspecting devices running an MMS server (IEC 61850 / EN 61850-8-1). It connects to the MMS server and outputs a JSON representation of the server’s identity, supported features, domains, and domain variables.

How you can help

Please run explore-mms against any accessible MMS-capable devices and share the resulting JSON files (with comments) either in this thread or on DINA-community ICCP. If needed, we can arrange an alternative method of data transfer.

Your feedback and test results are crucial to improving support for ICCP/TASE.2 in zeek. Help us bring this important industrial protocol into the security visibility landscape.

this text was enhanced by a LLM