Anthropic-Cybersecurity-Skills/skills/detecting-attacks-on-scada-systems/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


# SCADA Attack Detection — API Reference
## Libraries
| Library | Install | Purpose |
|---------|---------|---------|
| pymodbus | `pip install pymodbus` | Modbus TCP client for PLC interaction |
| requests | `pip install requests` | SIEM and historian API queries |
## Common SCADA Protocols and Ports
| Port | Protocol | Vendor/Use |
|------|----------|------------|
| 502 | Modbus TCP | Universal PLC communication |
| 102 | S7comm (ISO-TSAP) | Siemens S7 PLCs |
| 44818 | EtherNet/IP CIP | Allen-Bradley / Rockwell |
| 20000 | DNP3 | Power grid, water systems |
| 4840 | OPC-UA | Universal ICS integration |
| 47808 | BACnet | Building automation |
| 34962 | PROFINET RT | Siemens distributed I/O |
## Modbus Attack Indicators
| Indicator | Description | Severity |
|-----------|-------------|----------|
| Broadcast unit ID (0/255) | Access to all devices simultaneously | CRITICAL |
| Write to coils from IT network | Unauthorized process control change | CRITICAL |
| Unusual function codes (8, 17, 43) | Diagnostic/recon commands | HIGH |
| Bulk register reads | Data exfiltration from PLC memory | MEDIUM |
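The indicator table above is what a detection rule would key on. The following is an added example (not code from this skill or from pymodbus) that parses raw Modbus TCP frames and reports which table rows a request matches. The IT/OT network ranges, the bulk-read threshold of 100 registers, and the sample frames are all constructed for the demonstration; the function-code sets are the standard Modbus ones.

```python
"""Flag Modbus TCP requests that match the indicator table above.

Added example, not part of the skill's own code. The network ranges,
threshold and sample frames below are constructed for the demonstration.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Assumed network layout (constructed): OT/control network vs. corporate IT network.
OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")
IT_NETWORK = ipaddress.ip_network("192.168.0.0/16")

# Standard Modbus function codes referenced by the indicator table.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # coil / register writes
DIAGNOSTIC_FUNCTIONS = {8, 17, 43}         # diagnostics, report server ID, device identification
BULK_READ_FUNCTIONS = {3, 4}               # read holding / input registers
BULK_READ_THRESHOLD = 100                  # registers per request (assumed tuning knob)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (tid, protocol id, length, unit id) and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"not Modbus (protocol id {protocol_id})")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame length")
    return ModbusRequest(transaction_id, unit_id, frame[7], frame[8:])


def classify(src_ip: str, frame: bytes) -> list[tuple[str, str]]:
    """Return (severity, indicator) pairs from the table that one request matches."""
    req = parse_modbus_tcp(frame)
    findings = []
    if req.unit_id in (0, 255):
        findings.append(("CRITICAL", "broadcast unit ID"))
    if req.function_code in WRITE_FUNCTIONS and ipaddress.ip_address(src_ip) in IT_NETWORK:
        findings.append(("CRITICAL", "write from IT network"))
    if req.function_code in DIAGNOSTIC_FUNCTIONS:
        findings.append(("HIGH", f"diagnostic function code {req.function_code}"))
    if req.function_code in BULK_READ_FUNCTIONS and len(req.data) >= 4:
        _start, quantity = struct.unpack(">HH", req.data[:4])
        if quantity >= BULK_READ_THRESHOLD:
            findings.append(("MEDIUM", f"bulk read of {quantity} registers"))
    return findings


def scan(traffic: list[tuple[str, bytes]]) -> list[tuple[str, str, str]]:
    """Run classify() over (src_ip, frame) pairs and flatten the alerts."""
    return [(src, sev, ind) for src, frame in traffic for sev, ind in classify(src, frame)]


# Constructed sample traffic: (source IP, Modbus TCP frame as captured on port 502).
SAMPLE_TRAFFIC = [
    ("10.10.1.5", bytes.fromhex("00010000000601030000000a")),     # benign read of 10 registers
    ("192.168.5.20", bytes.fromhex("00020000000601050010ff00")),  # write single coil from IT host
    ("10.10.1.5", bytes.fromhex("00030000000600060001002a")),     # write to unit id 0 (broadcast)
    ("10.10.1.5", bytes.fromhex("000400000006010800001234")),     # FC 8 diagnostics
    ("10.10.1.5", bytes.fromhex("00050000000601030000007d")),     # read of 125 registers
    ("10.10.1.5", bytes.fromhex("000600000005012b0e0100")),       # FC 43 read device identification
]

if __name__ == "__main__":
    for src, severity, indicator in scan(SAMPLE_TRAFFIC):
        print(f"{severity:8} {src:14} {indicator}")
```

The source-network check is what turns a write that is normal from an engineering workstation into a CRITICAL finding from an IT host, so the two network constants are the first thing to adjust for a real site; the bulk-read threshold should be tuned against the historian's normal polling size.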
## S7comm Connection Request (COTP CR)
| Field | Value | Description |
|-------|-------|-------------|
| TPKT version | 0x03 | ISO transport header |
| COTP PDU type | 0xe0 | Connection request |
| Source TSAP | 0x0100 | Client address |
| Destination TSAP | 0x0102 | PLC rack/slot |
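To make the COTP CR fields above concrete, here is an added example (not code from this skill) that parses a TPKT + COTP connection request, pulls out the source and destination TSAPs from the variable part, and decodes the rack/slot from the destination TSAP. The sample packet and the set of expected destination TSAPs are constructed; the TSAP parameter codes (0xC1/0xC2) and the TPDU-size parameter (0xC0) are the standard ISO 8073 ones.

```python
"""Decode an S7comm connection request (TPKT + COTP CR) and check its target.

Added example, not part of the skill's own code. The sample packet and the
expected-TSAP allow-list are constructed for the demonstration.
"""
import struct

COTP_CR = 0xE0          # COTP PDU type for Connection Request (see the table)
PARAM_TPDU_SIZE = 0xC0  # ISO 8073 parameter codes in the CR variable part
PARAM_SRC_TSAP = 0xC1
PARAM_DST_TSAP = 0xC2

# Constructed allow-list: the only CPU on this segment sits in rack 0, slot 2.
EXPECTED_DST_TSAPS = {0x0102}


def parse_cotp_cr(packet: bytes) -> dict:
    """Parse the TPKT header, the COTP CR fixed part and the TSAP parameters."""
    if len(packet) < 11:
        raise ValueError("packet too short for TPKT + COTP CR fixed part")
    version, _reserved, tpkt_len = struct.unpack(">BBH", packet[:4])
    if version != 0x03:
        raise ValueError(f"unexpected TPKT version 0x{version:02x}")
    if tpkt_len != len(packet):
        raise ValueError("TPKT length does not match packet length")
    li = packet[4]                 # COTP length indicator: bytes that follow it
    pdu_type = packet[5]
    if pdu_type != COTP_CR:
        raise ValueError(f"not a COTP CR (PDU type 0x{pdu_type:02x})")
    dst_ref, src_ref, cls = struct.unpack(">HHB", packet[6:11])
    result = {"dst_ref": dst_ref, "src_ref": src_ref, "class": cls >> 4}
    # Variable part: a sequence of (code, length, value) parameters up to 5 + LI.
    pos, end = 11, 5 + li
    while pos + 2 <= end:
        code, plen = packet[pos], packet[pos + 1]
        value = packet[pos + 2 : pos + 2 + plen]
        pos += 2 + plen
        if code == PARAM_SRC_TSAP:
            result["src_tsap"] = int.from_bytes(value, "big")
        elif code == PARAM_DST_TSAP:
            result["dst_tsap"] = int.from_bytes(value, "big")
        elif code == PARAM_TPDU_SIZE:
            result["tpdu_size"] = 1 << value[0]   # size is encoded as a power of two
    if "dst_tsap" in result:
        # S7 convention: low byte of the destination TSAP holds rack (bits 7-5) and slot (bits 4-0).
        low = result["dst_tsap"] & 0xFF
        result["rack"], result["slot"] = low >> 5, low & 0x1F
    return result


def is_unexpected_target(info: dict) -> bool:
    """True when the CR addresses a rack/slot that is not on the allow-list."""
    return info.get("dst_tsap") not in EXPECTED_DST_TSAPS


# Constructed CR: TPKT(03 00 00 16) + COTP LI=0x11, CR, refs, class 0,
# src TSAP 0x0100, dst TSAP 0x0102, TPDU size 2^10.
SAMPLE_CR = bytes.fromhex("0300001611e00000000100c1020100c2020102c0010a")

if __name__ == "__main__":
    info = parse_cotp_cr(SAMPLE_CR)
    print(info, "unexpected" if is_unexpected_target(info) else "expected")
```

Connection requests whose destination TSAP walks through slots that hold no CPU are a cheap signal to alert on, because a legitimate engineering station already knows the rack and slot it is configured for.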
## MITRE ATT&CK for ICS
| Technique | ID | Description |
|-----------|----|-------------|
| Point & Tag Identification | T0861 | Enumerate process data points |
| Unauthorized Command Message | T0855 | Send rogue commands to controller |
| Modify Controller Tasking | T0821 | Change PLC program logic |
| Denial of Service | T0814 | Disrupt SCADA communications |
## External References
- [pymodbus Documentation](https://pymodbus.readthedocs.io/)
- [MITRE ATT&CK for ICS](https://attack.mitre.org/matrices/ics/)
- [CISA ICS Advisories](https://www.cisa.gov/ics-advisories)
- [NIST SP 800-82 Rev 3](https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/final)