|Tactic||Inhibit Response Function|
|Data Sources||Network Traffic: Network Traffic Content, Application Log: Application Log Content, Operational Databases: Process History/Live Data, Operational Databases: Process/Event Alarm|
|External Contributors||Marina Krotofil; Jos Wetzels - Midnight Blue|
|Asset||Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay, Device Configuration/Parameters|
Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.
In the Maroochy Attack, the adversary suppressed alarm reporting to the central computer.1
A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to.2 The method of suppression may greatly depend on the type of alarm in question:
- An alarm raised by a protocol message
- An alarm signaled with I/O
- An alarm bit set in a flag (and read)
In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring.2 Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.
- Network Allowlists - Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.
- Network Segmentation - Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment.3456
- Out-of-Band Communications Channel - Provide an alternative method for alarms to be reported in the event of a communication failure.
- Static Network Configuration - Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.
- Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia. Retrieved March 27, 2018.
- Jos Wetzels, Marina Krotofil. (2019). A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices. Retrieved November 1, 2019.
- Karen Scarfone; Paul Hoffman. (2009, September). Guidelines on Firewalls and Firewall Policy. Retrieved September 25, 2020.
- Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.
- Department of Homeland Security. (2016, September). Retrieved September 25, 2020.
- Dwight Anderson. (2014). Protect Critical Infrastructure Systems With Whitelisting. Retrieved September 25, 2020.