Block Reporting Message

Technique
ID: T804
Tactic: Inhibit Response Function
Data Sources: Alarm History, Data Historian, Network Protocol Analysis, Packet Capture
Asset: Field Controller/RTU/PLC/IED, Input/Output Server

Description

Adversaries may block or prevent a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.

Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked.[1]

In the 2015 attack on the Ukrainian power grid, malicious firmware was used to render communication devices inoperable and effectively block messages from being reported.[2]


Procedure Examples

  • Industroyer uses the first COM port from the configuration file for communication, and the other two COM ports are opened to prevent other processes from accessing them. This may block processes or operators from getting reporting messages from a device.[3]

Mitigation

  • Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones whose traffic is isolated from each other.[4]
  • Secure the environment to minimize wires susceptible to interference and limit access points to cables. Keep the ICS and IT networks separate.[4]
  • Monitor the network for expected outcomes and to detect unexpected states. For instance, an expected report that does not occur may be cause for concern.[4]
  • Implement antivirus and malware detection tools to protect against threats, such as code enabling improper network access.[4]
  • Authenticate wireless users' access with a secure IEEE 802.1X authentication protocol, which authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server.[4]
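The monitoring mitigation above ("an expected report that does not occur") can be turned into a concrete check: track how often each device is expected to report, and alert when a report is late, when a device falls silent, or when a listed asset never reports at all. The following is an added example, not code from the ATT&CK for ICS page or from any referenced tool; the device names, reporting intervals and timestamps are constructed, and it assumes that a data historian or protocol-analysis tool can supply (device, timestamp) pairs for each reporting message seen.

```python
"""Missing-report detector for ICS reporting messages.

Added example for the mitigation "monitor the network for expected outcomes and
detect unexpected states"; it is not code from the ATT&CK for ICS page. It
assumes a per-device expected reporting interval and a list of observed report
timestamps (both constructed below) and flags devices whose reports stop
arriving, which is the observable effect of a blocked reporting message.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: expected reporting interval per device (hypothetical names).
EXPECTED_INTERVAL: Dict[str, timedelta] = {
    "RTU-01": timedelta(seconds=60),
    "PLC-02": timedelta(seconds=30),
    "IED-03": timedelta(seconds=120),   # listed as an asset, never heard from
}

# Constructed sample of observed reports (device, ISO timestamp), as a data
# historian or packet-capture parser might emit them. RTU-01 skips one report
# around 10:03:00; PLC-02 goes silent after 10:02:30; IED-03 never reports.
OBSERVED_REPORTS: List[Tuple[str, str]] = [
    ("RTU-01", "2024-01-01T10:00:00"),
    ("PLC-02", "2024-01-01T10:00:00"),
    ("PLC-02", "2024-01-01T10:00:30"),
    ("RTU-01", "2024-01-01T10:01:00"),
    ("PLC-02", "2024-01-01T10:01:00"),
    ("PLC-02", "2024-01-01T10:01:30"),
    ("RTU-01", "2024-01-01T10:02:00"),
    ("PLC-02", "2024-01-01T10:02:00"),
    ("PLC-02", "2024-01-01T10:02:30"),
    ("RTU-01", "2024-01-01T10:04:00"),
    ("RTU-01", "2024-01-01T10:05:00"),
]

# End of the monitoring window being evaluated (constructed).
WINDOW_END = datetime(2024, 1, 1, 10, 5, 30)


@dataclass(frozen=True)
class Alert:
    device: str
    # "late": gap between two reports; "silent": nothing since last_seen;
    # "never": no report at all in the window
    kind: str
    last_seen: Optional[datetime]
    gap: Optional[timedelta]


def find_missing_reports(observed, expected, window_end, tolerance=1.5):
    """Return alerts for every device whose reports exceed tolerance * expected interval."""
    by_device: Dict[str, List[datetime]] = {}
    for device, stamp in observed:
        by_device.setdefault(device, []).append(datetime.fromisoformat(stamp))

    alerts: List[Alert] = []
    for device, interval in expected.items():
        limit = interval * tolerance
        times = sorted(by_device.get(device, []))
        if not times:
            alerts.append(Alert(device, "never", None, None))
            continue
        # Gaps between consecutive reports inside the window.
        for prev, cur in zip(times, times[1:]):
            gap = cur - prev
            if gap > limit:
                alerts.append(Alert(device, "late", prev, gap))
        # Time since the last report; a device that simply stops reporting is
        # what a blocked reporting message looks like from the monitoring side.
        tail = window_end - times[-1]
        if tail > limit:
            alerts.append(Alert(device, "silent", times[-1], tail))
    return alerts


def describe(alert: Alert) -> str:
    """Render one alert as a single operator-readable line."""
    if alert.kind == "never":
        return f"{alert.device}: no report received in the monitoring window"
    seconds = int(alert.gap.total_seconds())
    when = alert.last_seen.isoformat()
    if alert.kind == "late":
        return f"{alert.device}: {seconds}s gap after report at {when}"
    return f"{alert.device}: silent for {seconds}s since last report at {when}"


if __name__ == "__main__":
    for a in find_missing_reports(OBSERVED_REPORTS, EXPECTED_INTERVAL, WINDOW_END):
        print(describe(a))
```

The tolerance factor keeps ordinary jitter from raising alerts; the inventory of expected devices matters as much as the timestamps, since a device that is blocked before the monitoring window starts produces no events at all and is only caught because it is listed in the expected set.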