This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.
Data Sources: Application Log: Application Log Content, Network Traffic: Network Traffic Content
Asset: Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED
Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.
- Triton calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes performing a program upload.[1]
- Authorization Enforcement - All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.
- Human User Authentication - All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.
- Communication Authenticity - Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
- Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.[2]
- Access Management - Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.
- Software Process and Device Authentication - Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.
- Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems.[2]
- Filter Network Traffic - Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.
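The allowlist, authentication and authorization mitigations above, applied to program-upload events taken from constructed application-log lines, as an added Python example (not MITRE's or any vendor's code; the log format, host addresses, device names and role names are assumptions made for the example):

```python
# Added example: flag program-upload events that violate the host allowlist,
# authentication or role-based authorization mitigations for a field controller.
# The key=value log format, addresses, device names and roles are constructed.
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical allowlist: controller -> engineering workstations allowed to reach it.
ALLOWED_HOSTS = {
    "plc-01": {"10.10.5.20", "10.10.5.21"},
}
# Hypothetical roles permitted to upload a program (Authorization Enforcement).
UPLOAD_ROLES = {"engineer", "field_technician"}


@dataclass
class UploadEvent:
    src_ip: str
    device: str
    user: str   # "-" when the session carried no authenticated user
    role: str


def parse_event(line: str) -> Optional[UploadEvent]:
    """Parse one constructed key=value log line; None if it is not a program upload."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if fields.get("op") != "program_upload":
        return None
    return UploadEvent(fields["src"], fields["dev"],
                       fields.get("user", "-"), fields.get("role", "-"))


def check_event(ev: UploadEvent) -> List[str]:
    """Return the policy violations for one upload event (empty list = permitted)."""
    findings = []
    if ev.src_ip not in ALLOWED_HOSTS.get(ev.device, set()):
        findings.append(f"{ev.device}: upload from non-allowlisted host {ev.src_ip}")
    if ev.user == "-":
        findings.append(f"{ev.device}: unauthenticated upload session from {ev.src_ip}")
    elif ev.role not in UPLOAD_ROLES:
        findings.append(f"{ev.device}: user {ev.user} (role {ev.role}) may not upload")
    return findings


def scan(lines: List[str]) -> List[str]:
    """Run every upload event in the log through the policy checks."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            findings.extend(check_event(ev))
    return findings


SAMPLE_LOG = [  # constructed records
    "src=10.10.5.20 dev=plc-01 user=alice role=engineer op=program_upload",
    "src=10.10.5.20 dev=plc-01 user=bob role=operator op=program_upload",
    "src=10.10.9.77 dev=plc-01 op=program_upload",
    "src=10.10.5.21 dev=plc-01 user=alice role=engineer op=read_coils",
]
```

Only the first record passes all three checks; the second fails the role check, the third fails both the host allowlist and the authentication requirement, and the fourth is not an upload at all.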