Technical Tip: FortiGuard Application Control Signatures for Schneider UMAS ICS protocol (aka Modbus Unity)
Description
This article provides a series of Application Control signatures that have been created for scanning and identifying Schneider Electric's Modbus-based Unified Messaging Application Services (UMAS) protocol for Industrial Control Systems (ICS)/SCADA. Additionally, there is a comparison table showing the list of FortiGuard's signatures and the equivalent signatures of other vendors.
Scope
FortiGate, Application Control, Modbus protocol.
Solution
Schneider Electric uses a proprietary protocol named UMAS for configuring/monitoring their programmable logic controllers (PLCs) via TCP/502. To identify this traffic protocol, the FortiGuard team has implemented Application Control signatures under the 'Modbus. Unity' family of Industrial Application Control signatures (which requires the FortiGuard Operational Technology (OT) Security Service license).
The following is a list of the currently available Modbus.Unity/UMAS Application Control signatures via FortiGuard, along with some known equivalent signatures from other vendors, where available. For more information regarding the individual signatures, refer to the FortiGuard Labs website regarding Application Signatures: FortiGuard Labs - Modbus.Unity
| FortiGuard Modbus.Unity/UMAS Signatures | Palo Alto UMAS Signatures (based on this whitepaper) |
| Modbus | modbus-base |
| Modbus.Unity | umas-base |
| Modbus.Unity_Check.PLC | |
| Modbus.Unity_Download.Block | umas-download-block |
| ModBus.Unity_End.Strategy.Download | |
| ModBus.Unity_End.Strategy.Upload | |
| ModBus.Unity_Get.Status.Module | |
| Modbus.Unity_Init.Comm | umas-init-comm |
| Modbus.Unity_Initialize.Download | umas-initialize-download |
| Modbus.Unity_Initialize.Upload | umas-initialize-upload |
| ModBus.Unity_Keep.Alive | |
| Modbus.Unity_Monitor.PLC.Read | umas-monitor-bits-read/umas-monitor-words-read |
| Modbus.Unity_Monitor.PLC.Write | umas-monitor-bits-write/umas-monitor-words-write |
| ModBus.Unity_Read.Card.Info | |
| Modbus.Unity_Read.Coils.Registers | umas-coils-registers-read |
| ModBus.Unity_Read.Eth.Master.Data | |
| Modbus.Unity_Read.ID | umas-read-id |
| Modbus.Unity_Read.IO.Object | |
| Modbus.Unity_Read.Memory.Block | umas-memory-block-read |
| ModBus.Unity_Read.PLC.Info | |
| ModBus.Unity_Read.Project.Info | |
| Modbus.Unity_Read.Variables | umas-variables-read |
| Modbus.Unity_Release.PLC.Reservation | umas-plc-reservation-release |
| Modbus.Unity_Repeat | umas-repeat-request |
| Modbus.Unity_SD.Backup.Make | umas-sd-backup-make |
| Modbus.Unity_SD.Backup.Restore | umas-sd-backup-restore |
| Modbus.Unity_Start.PLC | umas-plc-start |
| Modbus.Unity_Stop.PLC | umas-plc-stop |
| Modbus.Unity_Take.PLC.Reservation | umas-plc-reservation-take |
| Modbus.Unity_Upload.Block | umas-upload-block |
| Modbus.Unity_Write.Coils.Registers | umas-coils-registers-write |
| ModBus.Unity_Write.IO.Object | umas-io-object-write |
| ModBus.Unity_Write.Memory.Block | umas-memory-block-write |
| Modbus.Unity_Write.Variables | umas-variables-write |