Data Historian Compromise
|Data Historian Compromise|
|External Contributors||Joe Slowik - Dragos|
Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment.
Dragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution.1 The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be "expected to have extensive connections" within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.
- In Industroyer, after pivoting into the ICS environment, the adversary gained Initial Access to devices involved with critical process operations through a Microsoft Windows Server 2003 running a SQL Server.1
- Authorization Enforcement - All remotely accessible services should implement access control mechanisms to restrict the information or services accessible to users.
- Human User Authentication - All remote services should require strong authentication before providing user access.
- Network Allowlists - Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the Filter Network Traffic mitigation.
- Software Process and Device Authentication - All communication sessions with the historian should be authenticated to prevent unauthorized access.
- Disable or Remove Feature or Program - Consider the disabling or removal of features or programs which are not required by that asset's function within the environment.
- Network Segmentation - Consider placing the historian into a demilitarized zone (DMZ) to allow access from enterprise networks, while protecting the control system network23.
- Software Configuration - Consider the principle of least functionality when configuring ICS software to limit host or network-based capabilities within the control environment.
- Filter Network Traffic - Filter network traffic to data historians to ensure only authorized data flows are allowed, especially across network boundaries.