Program Upload

From attackics
Jump to navigation Jump to search
Program Upload
Technique
ID T0845
Tactic Collection
Data Sources Sequential event recorder, Controller program, Network protocol analysis, Packet capture
Asset Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED

Description

Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.


Procedure Examples

  • Stuxnet replaces the DLL responsible for reading projects from a PLC to the step7 software. This allows Stuxnet the ability to upload a program from the PLC.1

Mitigations

  • Authorization Enforcement - All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.
  • Communication Authenticity - Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
  • Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.2
  • Access Management - Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.
  • Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems.2
  • Filter Network Traffic - Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.