78 CHAPTER 4 Industrial Network Protocols

Most commercially available IDS and IPS devices support a wide range of detection signatures for OLE and RPC and therefore can also detect many of the underlying vulnerabilities of OPC. Similarly, most open-source and commercial log analysis and threat detection tools are capable of collecting and assessing Windows logs.

TIP
OPC-UA and OPC-XI, as well as certain OPC Classic vulnerabilities, may require the use of a SCADA-IDS or SCADA-IPS rather than an enterprise IDS or IPS. Enterprise devices typically detect exploits via inspection of OLE, RPC, and DCOM and may not be able to detect all threats targeting OPC. In some cases, enterprise IDS and IPS devices may be adapted to detect a wider range of OPC threats, using Snort®-compatible preprocessors and detection signatures available from Digital Bond.

OTHER INDUSTRIAL NETWORK PROTOCOLS

There are dozens of industrial protocols, more than can be covered in even cursory detail within this book. Several warrant mention, as they introduce new concepts and/or concerns regarding industrial network security. These include Ethernet/IP, Profibus, EtherCAT, Ethernet Powerlink, and SERCOS III.

Ethernet/IP

Ethernet/IP uses standard Ethernet frames (ethertype 0x80E1) in conjunction with the Common Industrial Protocol (CIP) suite to communicate with nodes. Communication is typically client/server, although an "implicit" mode is supported to handle real-time requirements. Implicit mode uses connectionless transport, specifically the User Datagram Protocol (UDP) and multicast transmissions, to minimize latency and jitter.

NOTE
The "IP" in Ethernet/IP derives from "Industrial Protocol" and not "Internet Protocol," because of the use of the Common Industrial Protocol (CIP). Similarly, the acronym "CIP" meaning "Common Industrial Protocol" should not be confused with "Critical Infrastructure Protection" of NERC CIP.
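The explicit (client/server) versus implicit (UDP multicast) split described above is what a network monitor uses to tell Ethernet/IP traffic apart. The following example, added here and not taken from the book, classifies flow records by transport and parses the 24-byte Ethernet/IP encapsulation header of explicit messages so that session registrations from hosts outside an allow-list and unrecognised command codes can be reported. The registered ports (TCP/UDP 44818 for explicit messaging, UDP 2222 for implicit I/O), the encapsulation header layout and the command codes come from the ODVA specification rather than from the page; the flow records, addresses and the allow-list are constructed sample data.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Registered EtherNet/IP transport ports from the ODVA specification (not stated
# on the page): explicit client/server messaging uses TCP/UDP 44818, implicit
# real-time I/O messaging uses UDP 2222.
EXPLICIT_PORT = 44818
IMPLICIT_PORT = 2222

# Encapsulation command codes from the ODVA specification (assumed, not on the page).
ENCAP_COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnregisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

# 24-byte encapsulation header: command, length, session handle, status,
# sender context (8 opaque bytes), options. Multi-byte fields are little-endian.
ENCAP_HEADER = struct.Struct("<HHII8sI")


@dataclass
class EncapHeader:
    command: int
    length: int
    session: int
    status: int
    sender_context: bytes
    options: int

    @property
    def command_name(self) -> str:
        return ENCAP_COMMANDS.get(self.command, f"Unknown(0x{self.command:04X})")


def parse_encap_header(payload: bytes) -> EncapHeader:
    """Parse the encapsulation header of an explicit EtherNet/IP message."""
    if len(payload) < ENCAP_HEADER.size:
        raise ValueError("payload shorter than the 24-byte encapsulation header")
    hdr = EncapHeader(*ENCAP_HEADER.unpack_from(payload, 0))
    # The length field counts only the data after the header; a mismatch means a
    # truncated or malformed frame, which a monitor should report rather than trust.
    if hdr.length != len(payload) - ENCAP_HEADER.size:
        raise ValueError(f"length field {hdr.length} disagrees with payload size")
    return hdr


def classify_transport(proto: str, dst_ip: str, dst_port: int) -> str:
    """Map a TCP/UDP flow onto the explicit/implicit split described in the text."""
    multicast = ipaddress.ip_address(dst_ip).is_multicast
    if proto == "tcp" and dst_port == EXPLICIT_PORT:
        return "explicit (client/server over TCP)"
    if proto == "udp" and dst_port == EXPLICIT_PORT:
        return "explicit (connectionless, e.g. discovery)"
    if proto == "udp" and dst_port == IMPLICIT_PORT:
        return "implicit I/O, multicast" if multicast else "implicit I/O, unicast"
    return "not EtherNet/IP"


def review_records(records, allowed_clients):
    """Report explicit sessions opened by hosts outside the allow-list, unknown
    encapsulation commands, and malformed headers. Implicit I/O is skipped."""
    findings = []
    for rec in records:
        kind = classify_transport(rec["proto"], rec["dst"], rec["dport"])
        if not kind.startswith("explicit"):
            continue
        try:
            hdr = parse_encap_header(rec["payload"])
        except ValueError as exc:
            findings.append((rec["src"], f"malformed: {exc}"))
            continue
        if hdr.command not in ENCAP_COMMANDS:
            findings.append((rec["src"], f"unknown command {hdr.command_name}"))
        elif hdr.command_name == "RegisterSession" and rec["src"] not in allowed_clients:
            findings.append((rec["src"], "RegisterSession from unexpected client"))
    return findings


def build_encap(command: int, data: bytes = b"") -> bytes:
    """Build a constructed encapsulation frame for the sample records below."""
    return ENCAP_HEADER.pack(command, len(data), 0, 0, b"\x00" * 8, 0) + data


# Constructed sample flow records (not captured traffic); addresses are documentation ranges.
REGISTER_DATA = struct.pack("<HH", 1, 0)  # protocol version 1, option flags 0
SAMPLE_RECORDS = [
    {"src": "192.0.2.10", "dst": "192.0.2.50", "proto": "tcp", "dport": 44818,
     "payload": build_encap(0x0065, REGISTER_DATA)},
    {"src": "192.0.2.99", "dst": "192.0.2.50", "proto": "tcp", "dport": 44818,
     "payload": build_encap(0x0065, REGISTER_DATA)},
    {"src": "192.0.2.50", "dst": "239.192.1.1", "proto": "udp", "dport": 2222,
     "payload": b"\x00" * 30},
    {"src": "192.0.2.77", "dst": "192.0.2.50", "proto": "tcp", "dport": 44818,
     "payload": build_encap(0x0099)},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["src"], "->", classify_transport(rec["proto"], rec["dst"], rec["dport"]))
    for src, note in review_records(SAMPLE_RECORDS, allowed_clients={"192.0.2.10"}):
        print("FINDING", src, note)
```

Implicit I/O frames carry a different (Common Packet Format) layout rather than the encapsulation header, which is why the review step only parses explicit flows; a production monitor would add a separate parser for the UDP 2222 stream and an expected-source list for each multicast group.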
The CIP uses object models to define the various qualities of a device. There are three types of objects: Required Objects, which define attributes such as device identifiers, routing identifiers, and other attributes of a device such as the manufacturer, serial number, date of manufacture, etc.; Application Objects, which define input and output profiles for devices; and Vendor-specific Objects, which enable vendors to add proprietary objects to a device. Objects (other than vendor-specific objects) are standardized by device type and function, to facilitate interoperability: if one brand