Program Upload

From attackics
Jump to navigation Jump to search
Program Upload
Technique
ID T0845
Tactic Collection
Data Sources Sequential event recorder, Controller program, Network protocol analysis, Packet capture
Asset Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED

Description

Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.


Procedure Examples

  • Triton calls the SafeAppendProgramMod to transfer it's payloads to the Tricon. Part of this call includes preforming a program upload.1

Mitigations

  • Authorization Enforcement - All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.
  • Communication Authenticity - Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
  • Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.2
  • Access Management - Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.
  • Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems.2
  • Filter Network Traffic - Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.