Data from Information Repositories
|Data from Information Repositories||
|---|---|
|Data Sources|Application Log: Application Log Content, Logon Session: Logon Session Creation, File: File Access|
|Asset|Control Server, Data Historian, Engineering Workstation, Human-Machine Interface|
Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases or local machines in the process environment, as well as workstations and databases in the corporate network that might contain information about the ICS.[1]
Information collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.
In a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string “SCAD*”, user credentials, and remote dial-up access information.[2]
Procedure Examples
- Dragonfly 2.0 accessed workstations and servers within the corporate network that contained data from power generation control system environments. The files were related to the ICS and SCADA systems, including vendor names and ICS reference documents such as wiring diagrams and panel layouts.[1]
- ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories.[3]
- Duqu downloads additional modules for the collection of data in information repositories. The modules are named infostealer 1, infostealer 2 and reconnaissance.[4]
- Flame has built-in modules to gather information from compromised computers.[5]
Mitigations
- Encrypt Sensitive Information - Information that is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know.[6][7]
- Privileged Account Management - Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software.[7]
- Restrict File and Directory Permissions - Protect files stored locally with proper permissions to limit opportunities for adversaries to interact with and collect information from databases.[6][7]
- User Account Management - Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.
- User Training - Develop and publish policies that define acceptable information to be stored in repositories.
- Audit - Consider periodic reviews of accounts and privileges for critical and sensitive repositories.
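As an added example (not from the MITRE page or any of the cited reports), the detection below applies the File Access data source listed in the table above together with the file patterns this page names (AutoCAD *.dwg drawings, file names containing "SCAD*" or RTU): it flags a logon session that reads many ICS documents within a short window, which is the bulk-collection pattern the procedure examples describe. The audit records, their field names, the glob list and the threshold are constructed assumptions to be adapted to the local environment.

```python
import fnmatch
import json
from collections import defaultdict
from datetime import datetime, timedelta

# File-name patterns tied to the ICS documents named on this page: AutoCAD
# drawings (*.dwg) and names containing "SCAD" or "RTU"; matched lower-cased.
SENSITIVE_GLOBS = ("*.dwg", "*scad*", "*rtu*", "*wiring*")

# Constructed sample file-access audit records (one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:01", "session": "S-1", "user": "eng01", "path": "D:/docs/substation_A/wiring_diagram.dwg"}
{"ts": "2024-03-01T09:05:40", "session": "S-1", "user": "eng01", "path": "D:/docs/substation_A/notes.txt"}
{"ts": "2024-03-01T13:10:00", "session": "S-2", "user": "svc_backup", "path": "D:/docs/SCADA_manual.pdf"}
{"ts": "2024-03-01T13:10:03", "session": "S-2", "user": "svc_backup", "path": "D:/docs/RTU_sites.xlsx"}
{"ts": "2024-03-01T13:10:05", "session": "S-2", "user": "svc_backup", "path": "D:/docs/substation_A/wiring_diagram.dwg"}
{"ts": "2024-03-01T13:10:09", "session": "S-2", "user": "svc_backup", "path": "D:/docs/substation_B/panel_layout.dwg"}
{"ts": "2024-03-01T13:10:12", "session": "S-2", "user": "svc_backup", "path": "D:/docs/substation_B/scada_network.dwg"}
"""

def is_sensitive(path: str) -> bool:
    """True if the file name matches one of the ICS document patterns."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(name, g) for g in SENSITIVE_GLOBS)

def load_records(text: str) -> list:
    """Parse one JSON record per line and convert timestamps to datetime."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return recs

def flag_sessions(records, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Return {session: [sensitive paths]} for every logon session that read
    at least `threshold` sensitive files inside any `window`-long span."""
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if is_sensitive(r["path"]):
            by_session[r["session"]].append(r)
    flagged = {}
    for session, hits in by_session.items():
        start = 0  # sliding window over this session's sensitive reads
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[session] = [h["path"] for h in hits]
                break
    return flagged
```

Running `flag_sessions(load_records(SAMPLE_LOG))` reports only session S-2 (the service account that read five ICS documents in twelve seconds); the engineer's session S-1 stays below the threshold. Correlating the flagged session with the Logon Session Creation data source then tells the reviewer which account and host to examine.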
References
1. Cybersecurity & Infrastructure Security Agency. (2018, March 15). Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 11, 2019.
2. Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA). (2021, July 20). Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013. Retrieved October 8, 2021.
3. ESET. (n.d.). ACAD/Medre.A: 10000's of AutoCAD Designs Leaked in Suspected Industrial Espionage. Retrieved April 13, 2021.
4. Symantec. (n.d.). W32.Duqu: The precursor to the next Stuxnet. Retrieved November 3, 2019.
5. Kevin Savage and Branko Spasojevic. (n.d.). W32.Flamer. Retrieved November 3, 2019.
6. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.
7. National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 17, 2020.