This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.

Block Command Message

From attackics
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to https://attack.mitre.org/techniques/T0803

Block Command Message
Technique
ID T0803
Tactic Inhibit Response Function
Data Sources Network Traffic: Network Traffic Flow, Network Traffic: Network Connection Creation, Application Log: Application Log Content, Process: Process Termination, Operational Databases: Process History/Live Data, Operational Databases: Process/Event Alarm
Asset Field Controller/RTU/PLC/IED, Device Configuration/Parameters

Description

Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.12


Procedure Examples

  • In the Ukraine 2015 Incident, Sandworm Team blocked command messages by using malicious firmware to render communication devices inoperable.2
  • In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device.3

Mitigations

  • Network Allowlists - Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.
  • Out-of-Band Communications Channel - Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.
  • Static Network Configuration - Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.


References

  1. ^  Bonnie Zhu, Anthony Joseph, Shankar Sastry. (2011). A Taxonomy of Cyber Attacks on SCADA Systems. Retrieved January 12, 2018.
  2. a b  Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.
  1. ^  Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.



v · d · e
Adversary Techniques
Initial Access
Execution
Persistence
Evasion
Discovery
Lateral Movement
Collection
Inhibit Response Function
Impair Process Control
Impact


Retrieved from "https://collaborate.mitre.org/attackics/index.php?title=Technique/T0803&oldid=9791"