Communication Authenticity

Mitigation
ID M0802
NIST SP 800-53 Rev. 4 SC-8; SC-23
IEC 62443-3-3:2013 SR 3.1
IEC 62443-4-2:2019 CR 3.1

Description

When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and verify the integrity of each message. This can be done through either message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.


Techniques Addressed by Mitigation

| Name | Use |
|------|-----|
| Activate Firmware Update Mode | Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| Change Operating Mode | Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| Detect Operating Mode | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| Device Restart/Shutdown | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| Man in the Middle | Communication authenticity will ensure that any messages tampered with through MITM can be detected, but cannot prevent eavesdropping on these. In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various MITM procedures. |
| Manipulation of Control | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| Manipulation of View | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| Module Firmware | Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| Point & Tag Identification | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| Program Download | Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| Program Upload | Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| Rogue Master | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| Spoof Reporting Message | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| System Firmware | Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| Unauthorized Command Message | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| Wireless Compromise | Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN.[1] Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces. |
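
The following is an added example, not part of the original page or of any vendor protocol: an application-layer frame authenticated with an HMAC, combined with the timestamp and nonce replay checks named under Wireless Compromise. The frame layout, the 5-second freshness window and the pre-shared key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

TAG_LEN = 32                    # HMAC-SHA256 output size
HDR = struct.Struct(">Q16s")    # assumed header: 8-byte ms timestamp + 16-byte nonce
MAX_SKEW_MS = 5_000             # assumed freshness window


def seal(key, payload, now_ms=None):
    """Sender side: header || payload || HMAC(key, header || payload)."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    body = HDR.pack(ts, os.urandom(16)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Checks the MAC first, then freshness, then nonce uniqueness."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> message timestamp, pruned outside the window

    def open(self, frame, now_ms=None):
        now = int(time.time() * 1000) if now_ms is None else now_ms
        if len(frame) < HDR.size + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad MAC: spoofed or tampered message")
        ts, nonce = HDR.unpack_from(body)
        if abs(now - ts) > MAX_SKEW_MS:
            raise ValueError("stale timestamp: outside freshness window")
        # Nonces whose timestamp left the window can be forgotten: a replay
        # of such a frame is already rejected by the timestamp check above.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= MAX_SKEW_MS}
        if nonce in self.seen:
            raise ValueError("replayed nonce")
        self.seen[nonce] = ts
        return body[HDR.size:]
```

Because the timestamp and nonce sit inside the MACed region, neither can be altered to push a captured frame back into the freshness window. As the Man in the Middle row notes, this detects tampering but does not hide the payload from an eavesdropper.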