Remote System Information Discovery
|Remote System Information Discovery|
|Data Sources||Network Traffic: Network Traffic Content, Application Log: Application Log Content|
|Asset||Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay|
An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system’s operational role and model information can dictate whether it is a relevant target for the adversary’s operational objectives. In addition, the system’s configuration may be used to scope subsequent technique usage.
Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system’s API.
- The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process.12
- The Industroyer IEC 61850 component sends the domain-specific MMS
getNameListrequest to determine what logical nodes the device supports. It then searches the logical nodes for the “CSW” value, which indicates the device performs a circuit breaker or switch control function. 3
- Industroyer's OPC DA module also uses
IOPCBrowseServerAddressSpaceto look for items with the following strings: "ctlSelOn", "ctlOperOn", "ctlSelOff", "ctlOperOff", "\Pos and stVal".3
- Industroyer IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each.3
- Stuxnet enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.4
- Stuxnet was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.4
- Static Network Configuration - ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.56 Examples of automation protocols with discovery capabilities include OPC UA Device Discovery 7, BACnet 8, and Ethernet/IP.9
- Disable or Remove Feature or Program - Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
- Network Intrusion Prevention - Use network intrusion detection/prevention systems to detect and prevent remote service scans.
- Network Segmentation - Ensure proper network segmentation is followed to protect critical servers and devices.
- ICS-CERT. (2018, August 22). Advisory (ICSA-14-178-01). Retrieved April 1, 2019.
- Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.
- Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
- Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- D. Parsons and D. Wylie. (2019, September). Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged – Discover and Defend Your Assets. Retrieved September 25, 2020.
- Colin Gray. (n.d.). How SDN Can Improve Cybersecurity in OT Networks. Retrieved September 25, 2020.
- Josh Rinaldi. (2016, April). Still a Thrill: OPC UA Device Discovery. Retrieved September 25, 2020.
- Aditya K Sood. (2019, July). Discovering and fingerprinting BACnet devices. Retrieved September 25, 2020.
- Langner. (2018, November). Why Ethernet/IP changes the OT asset discovery game. Retrieved September 25, 2020.