Control Device Identification

From attackics
Jump to navigation Jump to search
Control Device Identification
ID T0808
Tactic Discovery
Data Sources Network protocol analysis, Packet capture
Asset Field Controller/RTU/PLC/IED


Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.

Procedure Examples

  • The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices.12
  • If the target device responds appropriately, the Industroyer IEC 61850 payload then sends an InitiateRequest packet using the Manufacturing Message Specification (MMS). If the expected answer is received, it continues, sending an MMS getNameList request. Thereby, the component compiles a list of object names in a Virtual Manufacturing Device.3
  • Industroyer contains an OPC DA module that enumerates all OPC servers using the ICatInformation::EnumClassesOfCategories method with CATID_OPCDAServer20 category identifier and IOPCServer::GetStatus to identify the ones running. The OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: "ctlSelOn", "ctlOperOn", "ctlSelOff", "ctlOperOff", "\Pos and stVal".3
  • The PLC-Blaster worm starts by scanning for probable targets. Siemens SIMATIC PLCs may be identified by the port 102/tcp..4
  • The Siemens s7otbxdx.dll is responsible for handling PLC block exchange between the programming device (i.e., a computer running a Simatic manager on Windows) and the PLC. s7db_open function is an export hook that is used to obtain information used to create handles to manage a PLC (such a handle is used by APIs that manipulate the PLC). Stuxnet utilized this export hook to gain information about targeted PLCs such as model information. Stuxnet was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.5
  • The Triton Python script is also capable of autodetecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.6
  • The VPNFilter packet sniffer monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. 'ps' identifies and logs on IPs and ports, but not the packet contents on port 502 (Modbus traffic). It does not validate the traffic as Modbus.78


  • Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.9
  • Network Segmentation - Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment.1011912
  • Filter Network Traffic - Perform inline allow/denylisting of automation protocol requests associated with device identification, such as IEC 61850 getNameList or OPC DA IOPCServer::GetStatus requests.