This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.
Program Upload
Jump to navigation
Jump to search
To visit this technique’s new page please go to and update your links to https://attack.mitre.org/techniques/T0845
| Program Upload | |
|---|---|
| Technique | |
| ID | T0845 |
| Tactic | Collection |
| Data Sources | Application Log: Application Log Content, Network Traffic: Network Traffic Content |
| Asset | Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED |
Description
Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.
Procedure Examples
- Triton calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload.1
Mitigations
- Authorization Enforcement - All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.
- Human User Authentication - All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.
- Communication Authenticity - Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
- Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.2
- Access Management - Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.
- Software Process and Device Authentication - Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.
- Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems.2
- Filter Network Traffic - Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.
References
| ||||||||||||||||||||||||||||||||
