App-IDs for

ICS and SCADA

Support for Industrial Control Systems Protocols and
Applications

Palo Alto Networks | App-IDs for ICS and SCADA | Datasheet 1

Overview ICS App-IDs with Function-Level
This document is a listing of the application identifiers, or Variants
App-IDs, supported by App-ID™ technology on Palo Alto
Several App-IDs, in addition to a base identifier, also have
Networks Next-Generation Firewall for Industrial Control
function-level variants to allow more granular visibility and
Systems applications and protocols. It is broken up into four
precise control. These are listed below.
sections as follows:
• App-IDs with base-level variants Table 2: Modbus
• App-IDs with base- and function-level variants
modbus-base
• Decoders for creating custom, function-level App-IDs
modbus-encapsulated-transport
• Submitting new App-ID requests
modbus-mask-write-register
Note that new App-IDs for ICS are being added on a regular
basis. If your protocol/application of interest is not covered modbus-read-coils
in this document, make sure to check the Palo Alto Networks
modbus-read-discrete-inputs
­Applipedia database for the most current information on
App-IDs. Visit https://applipedia.paloaltonetworks.com. modbus-read-fifo-queue

modbus-read-file-record

Supported Base ICS App-IDs modbus-read-holding-registers

The following base ICS App-IDs are available in Applipedia. modbus-read-input-registers

modbus-read-write-register
Table 1: Base ICS App-IDs
modbus-write-file-record
104 APCI IEC 60870-5-104
modbus-write-multiple-coils
ABB Network Manager Irig-106
modbus-write-multiple-registers
ABB-rp570 Modbus

ADDP MQTT modbus-write-single-coil

BACnet MTConnect modbus-write-single-register

CC-Link Net-c-x to protocols list

CIP EtherNet IP OPC-DA*

Table 3: CIP-EtherNet-IP

COAP OPC UA cip-ethernet-ip-base

Cygnet SCADA OSIsoft PI Systems cip-ethernet-ip-list-identity

DLMS / COSEM / IEC 62056 R-goose cip-ethernet-ip-reg-session

DNP3 Rockwell FactoryTalk cip-ethernet-ip-send-rr-data
Elcom 90 RTCM (GPS/IP)
cip-ethernet-ip-send-unit-data
Emerson-delta-v RTPS

ETHER-S-I/O (esio) Schneider OASyS Table 4: DNP3

Fanuc-focas Schneider Wonderware Suitelink dnp3-abort-file
Fisher-ROC Schweitzer Engineering SEL
dnp3-assign-class
Fast Messaging

Foundation Fieldbus Siemens S7-Comm-Plus dnp3-authenticate-file

GE EGD Siemens FactoryLink dnp3-base

GE-Historian Siemens Profinet IO dnp3-close-file

GE iFIX Siemens-P2 dnp3-cold-restart
Honeywell Matrikon OPC T
­ unneller Siemens S7
dnp3-confirm
ICCP (IEC 60870-6 / TASE.2) Synchrophasor (IEEE C37.118)
dnp3-delay-measurement
* OPC-DA is also referred to as “OPC Classic”
dnp3-delete-file

dnp3-direct-operate

dnp3-direct-operate-no-resp

Palo Alto Networks | App-IDs for ICS and SCADA | Datasheet 2

 Table 4: DNP3 (continued) Table 5: IEC 60870-5-104 (continued)
dnp3-disable-unsolicited 104asdu-file-transfer-type124

dnp3-enable-unsolicited 104asdu-file-transfer-type125

dnp3-freeze 104asdu-file-transfer-type126

dnp3-freeze-at-time 104asdu-file-transfer-type127

dnp3-freeze-at-time-no-resp 104asdu-param-control

dnp3-freeze-clear 104asdu-param-control-type110

dnp3-freeze-clear-no-resp 104asdu-param-control-type111

dnp3-freeze-no-resp 104asdu-param-control-type112

dnp3-get-file-information 104asdu-param-control-type113

dnp3-initialize-application 104asdu-process-control

dnp3-initialize-data 104asdu-process-control-type45

dnp3-open-file 104asdu-process-control-type46

dnp3-operate 104asdu-process-control-type47

dnp3-read 104asdu-process-control-type48

dnp3-record-current-time 104asdu-process-control-type49

dnp3-save-configuration 104asdu-process-control-type50

dnp3-select 104asdu-process-control-type51

dnp3-start-application 104asdu-process-control-type58

dnp3-stop-application 104asdu-process-control-type59

dnp3-unsolicited-message 104asdu-process-control-type60

dnp3-warm-restart 104asdu-process-control-type61

dnp3-write 104asdu-process-control-type62

104asdu-process-control-type63
Additional function-level App-IDs can be created with the
DNP3 decoder. See the next section for more details. 104asdu-process-control-type70

Table 5: IEC 60870-5-104 104asdu-process-monitor

104apci-supervisory 104asdu-process-monitor-type1

104apci-unnumbered 104asdu-process-monitor-type10

104apci-unnumbered-startdt-act 104asdu-process-monitor-type11

104apci-unnumbered-startdt-con 104asdu-process-monitor-type12

104apci-unnumbered-stopdt-act 104asdu-process-monitor-type13
104apci-unnumbered-stopdt-con 104asdu-process-monitor-type14
104apci-unnumbered-test-act
104asdu-process-monitor-type15
104apci-unnumbered-test-con
104asdu-process-monitor-type16
104asdu-file-transfer
104asdu-process-monitor-type17
104asdu-file-transfer-type120
104asdu-process-monitor-type18
104asdu-file-transfer-type121
104asdu-process-monitor-type19
104asdu-file-transfer-type122
104asdu-process-monitor-type2
104asdu-file-transfer-type123
104asdu-process-monitor-type20

104asdu-process-monitor-type21

Palo Alto Networks | App-IDs for ICS and SCADA | Datasheet 3

 Table 5: IEC 60870-5-104 (continued) Table 6: ICCP (continued)

104asdu-process-monitor-type3 iccp-delete-named-variable-list

104asdu-process-monitor-type30 iccp-delete-semaphore

104asdu-process-monitor-type31 iccp-delete-variable-access

iccp-download-segment
104asdu-process-monitor-type32
iccp-get-name-list
104asdu-process-monitor-type33
iccp-get-named-type-attr
104asdu-process-monitor-type34
iccp-get-named-var-list-attr
104asdu-process-monitor-type35
iccp-get-scattered-access-attr
104asdu-process-monitor-type36
iccp-get-variable-access-attr
104asdu-process-monitor-type37
iccp-identity
104asdu-process-monitor-type38
iccp-initiate-download-seq
104asdu-process-monitor-type39
iccp-initiate-upload-seq
104asdu-process-monitor-type4
iccp-input
104asdu-process-monitor-type40 iccp-output

104asdu-process-monitor-type5 iccp-read

104asdu-process-monitor-type6 iccp-relinquish-control

104asdu-process-monitor-type7 iccp-rename

104asdu-process-monitor-type8 iccp-report-pool-sem-status

104asdu-process-monitor-type9 iccp-report-sem-entry-status

iccp-report-semaphore-status
104asdu-system-control
iccp-status
104asdu-system-control-type100
iccp-take-control
104asdu-system-control-type101
iccp-terminate-download-seq
104asdu-system-control-type102
iccp-write
104asdu-system-control-type103

104asdu-system-control-type104 See the next section for information on how to use the
ICCP decoder to create ICCP function-level App-IDs.
104asdu-system-control-type105

104asdu-system-control-type106 Table 7: Siemens S7

104asdu-system-control-type107 siemens-s7-base

104asdu-system-monitor siemens-s7-check-password-set

104asdu-system-monitor-type64 siemens-s7-controller

iec-60870-5-104-base siemens-s7-download-program

siemens-s7-read
Table 6: ICCP
siemens-s7-set-clock
iccp-base
siemens-s7-setup-communication
iccp-define-named-type
siemens-s7-start
iccp-define-named-variable
siemens-s7-stop
iccp-define-named-variable-list
siemens-s7-upload-program
iccp-define-scattered-access

iccp-define-semaphore siemens-s7-warm-restart

iccp-delete-named-type

Palo Alto Networks | App-IDs for ICS and SCADA | Datasheet 4

 Table 8: Siemens S7-Comm-Plus Table 10: ADDP

siemens-s7-comm-plus-base addp-base

siemens-s7-comm-plus-run-cpu addp-dhcp-network-config-req (functional)

siemens-s7-comm-plus-set-time addp-dhcp-network-config-resp (functional)

addp-discovery-request (functional)
siemens-s7-comm-plus-stop-cpu
addp-discovery-response (functional)

Table 9: BACnet addp-reboot-request (functional)

bacnet-ack-alarm addp-reboot-response (functional)

bacnet-add-list-element addp-static-network-config-req (functional)

bacnet-atomic-read-file addp-static-network-config-resp (functional)

bacnet-atomic-write-file Table 11: COAP

bacnet-authenticate coap-base

bacnet-base coap-delete-request (functional)

bacnet-confirmed-cov-notify coap-get-request (functional)

coap-post-request (functional)
bacnet-confirmed-event-notify
coap-put-request (functional)
bacnet-confirmed-private-xfer

bacnet-confirmed-text-message
Table 12: OPC-UA
bacnet-create-object opc-ua-acknowledge (functional)

bacnet-delete-object opc-ua-activate-session-req (functional)

bacnet-device-comm-control opc-ua-add-nodes-req (functional)

opc-ua-add-references-req (functional)
bacnet-get-alarm-summary
opc-ua-browse-next-req (functional)
bacnet-get-enrollment-summary
opc-ua-browse-req (functional)
bacnet-get-event-information
opc-ua-call-method-req (functional)
bacnet-life-safety-operation
opc-ua-call-req (functional)
bacnet-read-prop-conditional opc-ua-cancel-req (functional)

bacnet-read-prop-multiple opc-ua-close (functional)

bacnet-read-property opc-ua-close-secure-channel-req (functional)

opc-ua-close-session-req (functional)
bacnet-read-range
opc-ua-create-session-req (functional)
bacnet-reinitialize-device
opc-ua-create-subscription-req (functional)
bacnet-remove-list-element
opc-ua-delete-nodes-req (functional)
bacnet-request-key
opc-ua-delete-references-req (functional)
bacnet-subscribe-cov opc-ua-delete-subscriptions-req (functional)

bacnet-subscribe-cov-property opc-ua-error (functional)

bacnet-vt-close opc-ua-find-server-req (functional)

bacnet-vt-data opc-ua-get-endpoints-req (functional)

opc-ua-hello (functional)
bacnet-vt-open
opc-ua-history-read-req (functional)
bacnet-write-prop-multiple
opc-ua-register-nodes-req (functional)
bacnet-write-property
opc-ua-register-servers-req (functional)

Palo Alto Networks | App-IDs for ICS and SCADA | Datasheet 5

 Table 12: OPC-UA (continued)
opc-ua-republish-req (functional)
opc-ua-set-monitoring-mode-req (functional)
opc-ua-set-publishing-mode-req (functional)
opc-ua-set-triggering-req (functional)
opc-ua-unregister-node-req (functional)
opc-ua-write-req (functional)
opc-ua-history-update-req (functional)
opc-ua-open (functional)
opc-ua-open-secure-channel-req (functional)
opc-ua-publish-req (functional)
opc-ua-query-first-req (functional)
opc-ua-query-next-req (functional)
opc-ua-read-req (functional)
Custom App-ID Decoders
Protocol decoders are also provided in PAN-OS® to allow cre-
ation of custom App-IDs. For more information on the use of
application protocol decoders to create custom App-IDs, refer
to the section in the PAN-OS Administrator’s Guide section on
custom applications.
For ICS protocols, both a DNP3 decoder and ICCP decoder are
available.
DNP3 Decoder
The DNP3 protocol standard defines thirty-three function
codes: thirty-one request functions and two response func-
tions. The DNP3 protocol decoder included in PAN-OS expos-
es the Function Code field as a “context” such that users can
specify for which function code variant of the DNP3 protocol
they would like to create a custom App-ID.
The DNP3 decoder also exposes the Object Type field as
­another context to users. This allows for the creation of cus-
tom App-IDs with varying Object Types. The function code
context and the object type can be logically ANDed to create a
unique function-code and object-type combination.
ICCP Decoder
Similarly, the ICCP protocol decoder included in PAN-OS ex-
poses the Function Code field as a “context” such that users
can specify for which function code variant of the ICCP proto-
col they would like to create a custom App-ID.
3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
IEC104 Decoder
The IEC-60870-5-104 protocol standard defines sixty-eight
function codes. The IEC 104 decoder included in PAN-OS ex-
poses the Function Code field as a “context” allowing users
to specify the function code variant of IEC-60870-5-104 for
which they would like to define a custom App-ID.
Submitting New App-ID Requests
If your App-ID of interest is not available in ­Applipedia,
you can submit new App-ID requests for review at:
http://researchcenter.paloaltonetworks.com/submit-an-­
application.
In addition to your online request, please provide your
Palo Alto Networks systems engineer the following
­information, along with your new App-ID requests:
1. Reference packet captures (PCAPs) for the application/
traffic of interest. Make sure to include full session setup
and close for each type of traffic of interest. These are the
most important items used by our engineers in ­creating
new App-IDs. To facilitate analysis, multiple PCAPs of
short sessions, each covering one protocol and a ­particular
traffic type of interest, are preferred over long session
PCAPs covering multiple protocols and function types.
2. Description of the traffic flow, IP address, and associated
devices. This background is helpful for our engineering
team developing the App-IDs.
3. Documentation of the ICS protocol or application. More
detailed protocol/application documentation is better,
especially documents that describe the ports used and the
packet structure.
4. Technical contact person from the requester and/or
ICS vendor. Engineering often needs to interact with the
­requester to get more technical information or ­additional
PCAP specimens to help in developing a robust App-ID.
Having a fixed technical point of contact facilitates faster
turnaround time. It would also be beneficial to have a con-
tact point at the actual ICS vendor who has deep expertise
on the protocol of interest.
© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered
­trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
marks mentioned herein may be trademarks of their respective companies.
app-ids-for-ics-and-scada-ds-052620