Filter Network Traffic
Jump to navigation
Jump to search
| Filter Network Traffic | |
|---|---|
| Mitigation | |
| ID | M1037 |
| NIST SP 800-53 Rev. 4 | AC-3; SC-7 |
| IEC 62443-3-3:2013 | SR 5.1 |
| IEC 62443-4-2:2019 | CR 5.1 |
Description
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls.1
Techniques Addressed by Mitigation
| Name | Use |
|---|---|
| Activate Firmware Update Mode | Filter for protocols and payloads associated with firmware activation or updating activity. |
| Brute Force I/O | Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period. |
| Change Program State | Utilize allow/denylists to prevent any unauthorized network messages used to change program state, including any messages that may change the programs running on a device. |
| Connection Proxy | Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting. |
| Control Device Identification | Perform inline allow/denylisting of automation protocol requests associated with device identification, such as IEC 61850 getNameList or OPC DA IOPCServer::GetStatus requests. |
| Data Historian Compromise | Filter network traffic to data historians to ensure only authorized data flows are allowed, especially across network boundaries. |
| Detect Operating Mode | Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages. |
| Detect Program State | Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages. |
| Device Restart/Shutdown | Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374). |
| Engineering Workstation Compromise | Ensure all communication is filtered for potentially malicious content, especially for mobile workstations that may not be protected by boundary firewalls. |
| Location Identification | Inline allow/denylists can be used to prevent devices from sending unauthorized location information across automation protocols (e.g., OPC). |
| Man in the Middle | Use network appliances and host-based security software to block network traffic that is not necessary within the environment, such as legacy protocols that may be leveraged for MiTM. |
| Module Firmware | Filter for protocols and payloads associated with firmware activation or updating activity. |
| Point & Tag Identification | Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages. |
| Program Download | Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations. |
| Program Upload | Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations. |
| Rogue Master Device | Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages. |
| Role Identification | Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages. |
| Spoof Reporting Message | Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages. |
| System Firmware | Filter for protocols and payloads associated with firmware activation or updating activity. |
| Unauthorized Command Message | Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages. |
| Valid Accounts | Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data. |
