Static Network Configuration

From attackics
Type: Mitigation
ID: M0814
NIST SP 800-53 Rev. 4: CM-7
IEC 62443-3-3:2013: SR 7.7
IEC 62443-4-2:2019: CR 7.7

Description

Configure hosts and devices to use static network configurations when possible. Protocols that require dynamic discovery or addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various MitM attacks. This mitigation may not always be usable due to limited device features or the challenges introduced by different network configurations.


Techniques Addressed by Mitigation

| Name | Use |
| --- | --- |
| Alarm Suppression | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections. |
| Block Command Message | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections. |
| Block Reporting Message | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections. |
| Man in the Middle | Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some MitM techniques depend on sending spoofed ARP messages to manipulate network hosts' dynamic ARP tables. |
| Network Sniffing | Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some MitM techniques depend on sending spoofed ARP messages to manipulate network hosts' dynamic ARP tables. |
| Remote System Discovery | ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.[1][2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery,[3] BACnet,[4] and Ethernet/IP.[5] |
| Remote System Information Discovery | ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.[1][2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery,[3] BACnet,[4] and Ethernet/IP.[5] |
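The Description and the Man in the Middle / Network Sniffing rows above rest on one operational check: every host on the automation network should hold a PERMANENT (static) ARP entry for its peers, matching a site-maintained IP-to-MAC allowlist. The following is an added example, not code from the ATT&CK for ICS page or from MITRE, that audits a Linux neighbour table against such an allowlist. The allowlist values, the sample `ip neigh show` output and the interface name `eth0` are constructed for illustration; the `ip neigh replace ... nud permanent` form it emits is the standard iproute2 syntax for pinning a static entry.

```python
"""Audit a host's ARP/neighbour table against a static IP-to-MAC allowlist.

Added example (not from the ATT&CK for ICS page or MITRE). The allowlist,
the sample `ip neigh show` lines and the interface name are constructed.
"""
import re
from dataclasses import dataclass

# Constructed allowlist: the bindings a site would pin statically on each
# host. Real deployments keep this in configuration management, not code.
STATIC_ARP_ALLOWLIST = {
    "192.0.2.1": "00:11:22:33:44:01",    # default gateway (constructed)
    "192.0.2.10": "00:11:22:33:44:10",   # engineering workstation (constructed)
    "192.0.2.20": "00:11:22:33:44:20",   # PLC (constructed)
    "192.0.2.30": "00:11:22:33:44:30",   # HMI (constructed)
}

# Constructed `ip neigh show` output. Entries without an lladdr (FAILED,
# INCOMPLETE) are skipped because they carry no binding to check.
SAMPLE_NEIGH_OUTPUT = """\
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:01 PERMANENT
192.0.2.10 dev eth0 lladdr 00:11:22:33:44:10 REACHABLE
192.0.2.20 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.0.2.99 dev eth0 lladdr 00:11:22:33:44:99 STALE
192.0.2.50 dev eth0 FAILED
"""

# Linux `ip neigh show` line layout: <ip> dev <if> lladdr <mac> <NUD state>
_NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9a-f:]{17})\s+(?P<state>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str    # not_static | mac_mismatch | unexpected_host | missing_static
    detail: str


def parse_neigh_line(line):
    """Return (ip, dev, mac, state) for a line with an lladdr, else None."""
    m = _NEIGH_RE.match(line.strip())
    if not m:
        return None
    return (m.group("ip"), m.group("dev"),
            m.group("mac").lower(), m.group("state").upper())


def audit_neigh_table(lines, allowlist=STATIC_ARP_ALLOWLIST):
    """Compare neighbour-table lines with the allowlist and list deviations.

    A dynamic (non-PERMANENT) entry is the condition that spoofed ARP
    replies can overwrite; a MAC mismatch on an allowlisted IP is what such
    an overwrite looks like after the fact; an unlisted host is something the
    static plan did not account for; a listed host with no entry means the
    static binding was never installed.
    """
    findings = []
    seen = set()
    for line in lines:
        parsed = parse_neigh_line(line)
        if parsed is None:
            continue
        ip, dev, mac, state = parsed
        seen.add(ip)
        expected = allowlist.get(ip)
        if expected is None:
            findings.append(Finding(ip, "unexpected_host",
                                    f"{mac} on {dev} is not in the allowlist"))
            continue
        if mac != expected.lower():
            findings.append(Finding(ip, "mac_mismatch",
                                    f"table has {mac}, allowlist expects {expected}"))
        if state != "PERMANENT":
            findings.append(Finding(ip, "not_static",
                                    f"entry state is {state}, not PERMANENT"))
    for ip in allowlist:
        if ip not in seen:
            findings.append(Finding(ip, "missing_static", "no neighbour entry present"))
    return findings


def remediation_commands(findings, allowlist=STATIC_ARP_ALLOWLIST, dev="eth0"):
    """iproute2 commands that pin each flagged allowlisted host statically.

    `ip neigh replace <ip> lladdr <mac> dev <if> nud permanent` installs or
    overwrites the entry as PERMANENT. Unexpected hosts get no command; they
    need a human decision, not an automatic binding.
    """
    cmds = set()
    for f in findings:
        if f.kind in ("not_static", "mac_mismatch", "missing_static"):
            cmds.add(f"ip neigh replace {f.ip} lladdr {allowlist[f.ip]} "
                     f"dev {dev} nud permanent")
    return sorted(cmds)


if __name__ == "__main__":
    results = audit_neigh_table(SAMPLE_NEIGH_OUTPUT.splitlines())
    for f in results:
        print(f"{f.ip:<12} {f.kind:<16} {f.detail}")
    print("\n# suggested remediation (review before applying):")
    for cmd in remediation_commands(results):
        print(cmd)
```

On a real host, feed it the output of `ip neigh show` instead of the constructed sample. Running the audit periodically (or on an ARP-table-change trigger) turns the static-entry mitigation into a detection: a `mac_mismatch` or `not_static` finding for an allowlisted ICS peer is exactly the condition the MitM and Network Sniffing rows describe.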