Brute Force I/O
|Brute Force I/O|
|Tactic||Impair Process Control|
|Data Sources||Alarm history, Sequential event recorder, Data historian, Netflow/Enclave netflow, Network protocol analysis, Packet capture|
|Asset||Control Server, Field Controller/RTU/PLC/IED|
Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.
- The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends "select and execute" packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values.1
- Network Allowlists - Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.
- Software Process and Device Authentication - Devices should authenticate all messages between master and outstation assets.
- Network Segmentation - Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment.2345
- Filter Network Traffic - Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.
- Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
- Karen Scarfone; Paul Hoffman. (2009, September). Guidelines on Firewalls and Firewall Policy. Retrieved September 25, 2020.
- Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.