Detect and Block Safety Segments in CIP Packets

Use case: To detect and block CIP safety segments while allowing other CIP packets:

  • Create a custom network analysis policy called cip_safety.

  • Create access control rules in your access control policy to block CIP Safety and to allow all other packets.

To test the CIP Safety feature, enable the CIP inspector in the management center and assign it to an access control policy.

Procedure

Step 1

Go to Policies > Intrusion > Network Analysis Policies.

Step 2

Click the Snort 3 Version of the network analysis policy cip_safety that you created.

Step 3

Under Inspectors, click cip to expand it.

The default configuration appears in the left column and the overridden configuration appears in the right column under the inspector.

Step 4

Under Overridden Configuration on the right column, click the Edit Inspector icon and change the "enabled" field in cip from false (default) to true.

Step 5

Click OK.

Step 6

Click Save.

Step 7

To assign the cip inspector to the access control policy, choose Policies > Access Control > Edit and choose the Advanced Settings option from the More drop-down arrow at the end of the packet flow line.

Step 8

Click Edit (edit icon) next to Network Analysis and Intrusion Policies.

Step 9

In the Network Analysis and Intrusion Policies window, choose the network analysis policy cip_safety that you created from the Default Network Analysis Policy drop-down list.

The CIP inspector is now enabled in the management center and you can create the custom access control rules to block CIP Safety and to allow all other CIP packets.

Step 10

After you send live traffic containing CIP Safety packet flows, go to Connection Events and verify that the logged events match the detect-and-block use case described in this procedure: CIP is identified as the application protocol and client (see the Application Protocol and Client fields), and CIP Safety appears in the Web Application field. Flows whose Web Application is CIP Safety should show the block action, while other CIP flows should show the allow action.
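As an added example (not part of the Cisco documentation), the following script performs the Step 10 verification offline against a connection-event CSV export. The column names and the sample rows are assumptions constructed for illustration; adjust them to match your export.

```python
import csv
import io

# Constructed sample of a connection-event CSV export. Column names are assumed to
# match the export layout; the addresses and rows are made up for illustration.
SAMPLE_EVENTS = """\
Action,Application Protocol,Client,Web Application,Initiator IP,Responder IP
Block,CIP,CIP,CIP Safety,192.0.2.10,192.0.2.20
Allow,CIP,CIP,,192.0.2.11,192.0.2.20
Allow,CIP,CIP,CIP Safety,192.0.2.12,192.0.2.20
Allow,HTTP,Firefox,Wikipedia,192.0.2.13,198.51.100.5
"""


def check_cip_safety_policy(csv_text):
    """Return a list of (csv_line_number, reason) for events that contradict the
    intended policy: CIP Safety flows must be blocked, all other CIP flows allowed.
    Non-CIP events are ignored. An empty list means the export matches the use case."""
    findings = []
    # Line 1 is the header, so the first data row is CSV line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        if row["Application Protocol"] != "CIP":
            continue
        flow = f"{row['Initiator IP']} -> {row['Responder IP']}"
        is_safety = row["Web Application"] == "CIP Safety"
        action = row["Action"]
        if is_safety and action != "Block":
            findings.append((line_no, f"CIP Safety flow {flow} was {action}, expected Block"))
        elif not is_safety and action != "Allow":
            findings.append((line_no, f"non-safety CIP flow {flow} was {action}, expected Allow"))
    return findings


if __name__ == "__main__":
    for line_no, reason in check_cip_safety_policy(SAMPLE_EVENTS):
        print(f"line {line_no}: {reason}")
```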