Property:Has technical description

From attackics

This is a property of type Text.

Showing 20 pages using this property.
Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication.[[CiteRef::mitigation - NIST 1800-2 IDAM - 201807]] These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.[[CiteRef::Guidance - DHS Cert remote access - 201011]]  +
Configure features related to account use like login attempt lockouts, specific login times, etc.  +
Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.  +
Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.  +
Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. In the Maroochy Attack, the adversary suppressed alarm reporting to the central computer.[[CiteRef::Maroochy - MITRE - 200808]] A Secura presentation on targeting OT notes a twofold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to.[[CiteRef::References - Secura - 2019]] The method of suppression may greatly depend on the type of alarm in question:
* An alarm raised by a protocol message
* An alarm signaled with I/O
* An alarm bit set in a flag (and read)
In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring.[[CiteRef::References - Secura - 2019]] Methods of suppression may involve tampering with or altering device displays and logs, modifying in-memory code to fixed values, or even tampering with assembly-level instruction code.  +
Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems.[[CiteRef::Report - NCCIC AV update - 201808]]  +
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.  +
Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.  +
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.  +
The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector [[CiteRef::standard - IEC 62351 - 202007]], while IEEE 1686 defines standard permissions for users of IEDs.[[CiteRef::standard - IEEE 1686-2013 - 201401]]  +
Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.  +
Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.[[CiteRef::Research - Research - Taxonomy Cyber Attacks on SCADA]][[CiteRef::Ukraine15 - EISAC - 201603]]  +
Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked.[[CiteRef::Research - Research - Taxonomy Cyber Attacks on SCADA]][[CiteRef::Ukraine15 - EISAC - 201603]]  +
Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available (1, 2 and 3), the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at <code></code> via Telnet on serial port 1 with the following command: <code>telnet 20001</code>.  +
Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.  +
Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.  +
Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controller’s API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controller’s API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
* Program - This mode must be enabled before changes can be made to a device’s program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLC’s logic is halted, and all outputs may be forced off.[[CiteRef::reference - Forum Automation OP mode - 012020]]
* Run - Execution of the device’s program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the program’s logic. [[Technique/T0845|Program Upload]] and [[Technique/T0843|Program Download]] are disabled while in this mode.[[CiteRef::reference - Omron OP mode - 012020]][[CiteRef::reference - machine info systems OP mode - 012020]][[CiteRef::reference - Forum Automation OP mode - 012020]][[CiteRef::reference - PLCguru OP mode - 012020]]
* Remote - Allows for remote changes to a PLC’s operation mode.[[CiteRef::reference - PLCguru OP mode - 012020]]
* Stop - The PLC and program are stopped; while in this mode, outputs are forced off.[[CiteRef::reference - machine info systems OP mode - 012020]]
* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers.[[CiteRef::reference - machine info systems OP mode - 012020]]
* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization.[[CiteRef::reference - Omron OP mode - 012020]]
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.  +
Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments.[[CiteRef::EAttack Command-Line Interface]] Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation. CLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.  +
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below.
* TCP:80 (HTTP)
* TCP:443 (HTTPS)
* TCP/UDP:53 (DNS)
* TCP:1024-4999 (OPC on XP/Win2k3)
* TCP:49152-65535 (OPC on Vista and later)
* TCP:23 (TELNET)
* UDP:161 (SNMP)
* TCP:502 (MODBUS)
* TCP:102 (S7comm/ISO-TSAP)
* TCP:20000 (DNP3)
* TCP:44818 (Ethernet/IP)  +