Cisco 2000 Series Connected Grid Routers

Cisco IOS Intrusion Prevention System (IPS) for Connected Energy

  • Viewing Options

  • PDF (582.5 KB)
  • Feedback

Product Overview

As more sophisticated communications technology is deployed in the energy infrastructure, security is top of mind for utilities and energy companies. Fortunately, the migration from legacy, proprietary systems to an IP standards-based technology platform provides many security capabilities that were not possible with older technology. Cisco®, the market leader in IP technology during the past 25 years, provides industry-leading network security in its routing and switching platforms.

For in-depth security, the Cisco 2010 Connected Grid Router (CGR 2010) offers an integrated Intrusion Prevention System (IPS). Cisco IPS solutions provide an inline, deep-packet inspection-based solution that enables Cisco IOS® Software to effectively mitigate a wide range of network attacks. The Cisco IOS IPS uses “signatures,” which are anticipated attack patterns, to monitor traffic flowing through the network. If a pattern of data matches a known attack outlined by the signature, the router can take user-defined action to prevent exploits or attacks. The system contains over 3000 general signatures used by customers worldwide.

Specifically for the energy industry, Cisco has implemented Supervisory Control and Data Acquisition (SCADA)-specific signatures on the CGR 2010. These SCADA signatures are based on anticipated attacks using Distributed Network Protocol 3 (DNP3) and Modbus protocols. By utilizing the CGR 2010 and providing this security down to the substation level, attacks can be countered right at the substation rather than back at the data center or central IT center. Figure 1 displays the Cisco IPS with the Cisco CGR 2010.

Figure 1.     Cisco IOS IPS with the CGR 2010

Primary Benefits

There are several benefits of the Cisco IOS IPS. The feature:

   Provides network-wide, distributed protection from many attacks, exploits, worms, and viruses that can exploit vulnerabilities in operating systems and applications

   Provides enhanced security down to the substation level and prevents attacks at the substation rather than waiting for information to travel back to the data center

   Offers a unique, risk-rating-based signature event action processor that dramatically improves the ease of management of IPS policies

   Offers field-customizable worm and attack signature sets and event actions

   Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions

   Works with Cisco IOS Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router

   Supports SCADA-specific signatures for monitoring SCADA traffic for vulnerabilities

   Help utilities meet North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) requirements (see figure 2)


Figure 2.     Cisco Firewall and IOS IPS Help Meet NERC-CIP Requirements


SCADA-Specific Signatures: DNP3 and Modbus

Cisco IOS IPS on the CGR 2010 now supports SCADA-specific signatures that help identify attacks on the utility network. To develop these signatures, Cisco security experts worked with partners to develop anticipated attack scenarios using data with DNP3 and Modbus protocols. The CGR 2010 can reside in the substation and monitor traffic to and from Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs) for security vulnerabilities. Table 1 lists the currently supported signatures.

Table 1.       SCADA Signature List




DNP3 - Unsolicited Response Storm


DNP3 - Cold Restart Request


DNP3 - Disable Unsolicited Responses


DNP3 - Read Request to a PLC


DNP3 - Stop Application


DNP3 - Warm Restart


DNP3 - Broadcast Request


Non-DNP3 Communication on a DNP3 Port


Non-DNP3 Communication on a DNP3 Port


DNP3 - Write Request to a PLC


DNP3 - Miscellaneous Request to a PLC


Modbus TCP - Force Listen Only Mode


Modbus TCP - Restart Communications Option


Modbus TCP - Clear Counters and Diagnostic Registers


Modbus TCP - Clear Counters and Diagnostic Registers


Modbus TCP - Report Server Information


Modbus TCP - Illegal Packet Size


Modbus TCP - Illegal Packet Size


Modbus Slave Device Busy Exception Code Delay


Modbus Acknowledge Exception Code Delay


Modbus TCP - Read Request to a PLC


Modbus TCP - Read Request to a PLC


Modbus TCP - Non-Modbus Communication


Modbus TCP - Non-Modbus Communication


Signature Selection for Cisco IOS IPS

Cisco IOS IPS signature provisioning on the CGR 2010 is accomplished by selecting one of two signature categories—basic or default. Cisco IOS Basic and Default signature categories are pre-selected signature sets intended to serve as a good starting set for most users of Cisco IOS IPS. They contain the latest high-fidelity (low false-positives) worm, virus, instant messaging, or peer-to-peer blocking signatures for detecting security threat. This allows for easier deployment and signature management.

The SCADA IPS signatures are supported in Cisco IOS Software Release 15.2.(2)T and later releases of the CGR 2010 IOS Software. Users can add or remove individual SCADA signatures and can tune signature parameters using Cisco Configuration Professional (CCP). They can also do so through the command-line interface (CLI) which allows easy scripting to manage signature configuration for a large number of routers. CCP is a GUI-based device management tool for Cisco routers and switches. This tool simplifies routing, firewall, IPS, VPN, unified communications, WAN, and LAN configuration through GUI-based easy-to-use wizards. CCP is offered as a free tool with the purchase of the CGR 2010. Customers can find more information and download the CCP tool at

Configuration and Signature Provisioning

The router CLI or CCP Version 2.4 or later can be used for configuration of Cisco IOS IPS as well as highly granular provisioning and tuning of IPS signatures on a single router running Cisco IOS Software Releases 15.2(2)M and 15.2(2)T and later releases.

Actions for Detected Signatures

Each individual signature or category of signatures selected can be configured to take any combination of the following five actions when triggered:

1. Send an alarm using a syslog message or log an alarm in Secure Device Event Exchange (SDEE) format

2. Drop malicious packet

3. Send TCP-reset packets to both ends of the connection to terminate the session

4. Deny all packets from the attacker (source address) temporarily

5. Deny further packets belonging to the same TCP session (connection) from the attacker (source address).

Note:    Some actions are more CPU-intensive and have different effects on router throughput speeds.

Event Monitoring

Upon detecting an attack signature, Cisco IOS IPS can send a syslog message or log an alarm in SDEE format. CCP may be used to monitor events generated by a single router and Cisco IPS Manager Express (IME) may be used to monitor IPS events generated by up to five routers.

Signature Micro Engines

Cisco IOS IPS uses Signature Micro-Engines (SMEs) to load into the router’s memory, and scan for a set of attack signatures. Each engine is customized for inspecting a Layer 4 or 7 protocol and its fields and arguments. Within each packet carrying data for that protocol, it looks for a set of legal parameters that have allowable ranges or sets of values. It also scans for malicious activity specific to that protocol using a parallel signature scanning technique to scan for multiple patterns within an SME at any given time.

SCADA Signatures on the Cisco 2010 Connected Grid Router

In order to have these SCADA-specific signatures on the CGR 2010, customers must purchase the security license for this router. The security license provides a wide set of firewall and security features for the platform. The 22 SCADA-specific DNP3 and Modbus signatures are included with the 3000 other signatures when purchasing the security license.

However, if customers would like to get signature updates, including new signatures as they are released, it is necessary to purchase a subscription to Cisco IPS services. The IPS subscription can be purchased for both Cisco Base and Cisco SMARTnet® services contracts. Table 2 lists the part numbers and descriptions.

Table 2.       SKU Summary




Cisco CGR2010 security bundle w/SEC license PAK


Cisco SMARTnet with IPS subscription


SP Base with IPS subscription


For More Information

To learn more about the Cisco IOS IPS please visit

To learn more about the Cisco 2010 Connected Grid Router please visit