Loss of View

From attackics
Jump to navigation Jump to search
Loss of View
Technique
ID T0829
Tactic Impact
Asset Human-Machine Interface, Engineering Workstation

Description

Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves.123


Procedure Examples

  • Industroyer's data wiper component removes the registry "image path" throughout the system and overwrites all files, rendering the system unusable.4
  • KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable.5
  • Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations.67

Mitigations

  • Out-of-Band Communications Channel - Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage 8. Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.
  • Redundancy of Service - Hot-standbys in diverse locations can ensure continued operations if the primarily system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network.9
  • Data Backup - Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans 10, including the management of "gold-copy" back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.