Block Serial COM

From attackics
Technique
ID T805
Tactic Inhibit Response Function
Data Sources Alarm history, Data historian, Network protocol analysis, Packet capture
Asset Field Controller/RTU/PLC/IED, Input/Output Server

Description

Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial communication (COM) ports provide the channel for talking to control system devices: a device receives command and configuration messages over its serial COM, and it also uses the same serial COM to send command and reporting messages. Blocking a device's serial COM therefore blocks both the command messages sent to it and the reporting messages it sends back.

A serial to Ethernet converter is often connected to a serial COM to bridge serial and Ethernet devices. One approach to blocking a serial COM is to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may listen on several TCP ports so that multiple serial lines can be used at once. For example, if three serial COM are available (1, 2 and 3), the converter might listen on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened to one of these ports and held open, that port is unavailable to any other party. One way an adversary could achieve this is to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 on the port mapped to serial port 1, for example using Telnet with the following command: telnet 10.0.0.1 20001.
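Because the blocking session is an ordinary TCP connection to the converter, the "Network protocol analysis" and "Packet capture" data sources listed above are the natural place to look for it. The following Python is an added example, not code from the ATT&CK for ICS page or from MITRE: it reads Zeek-style conn.log records and flags sessions to the converter's serial-port TCP ports that come from a host outside an allowlist, or that stay open for a long time without carrying any payload. The converter address 10.0.0.1 and the port mapping 20001-20003 to COM1-COM3 follow the illustration in the text; the allowlisted I/O server address, the idle threshold and the log lines are constructed for the example.

```python
"""Flag TCP sessions that may be holding a serial-to-Ethernet converter's
serial ports open (ATT&CK for ICS T805, Block Serial COM).

Added example, not code from the ATT&CK for ICS page or from MITRE. It assumes
Zeek-style conn.log records (tab-separated: ts, uid, orig_h, orig_p, resp_h,
resp_p, proto, duration, orig_bytes, resp_bytes). The converter address
10.0.0.1 and the port mapping 20001-20003 -> COM1-COM3 follow the page; the
allowlisted client, the idle threshold and the sample records are constructed.
"""
from dataclasses import dataclass, field

CONVERTER_HOST = "10.0.0.1"
SERIAL_PORTS = {20001: "COM1", 20002: "COM2", 20003: "COM3"}
# Hosts that legitimately use the converter (hypothetical I/O server address).
EXPECTED_CLIENTS = {"10.0.0.20"}
# A session open longer than this with no payload in either direction is
# treated as "held open" rather than used for polling (constructed threshold).
MAX_IDLE_SECONDS = 600.0

# Constructed sample records, one per line, in the field order named above.
SAMPLE_LOG = """\
1700000000.000000\tC1\t10.0.0.20\t51000\t10.0.0.1\t20001\ttcp\t12.5\t400\t380
1700000100.000000\tC2\t10.0.0.77\t44000\t10.0.0.1\t20002\ttcp\t3600.0\t0\t0
1700000150.000000\tC3\t10.0.0.77\t44001\t10.0.0.1\t20003\ttcp\t3600.0\t0\t0
1700000200.000000\tC4\t10.0.0.20\t51001\t10.0.0.1\t20001\ttcp\t15.2\t410\t390
1700000300.000000\tC5\t10.0.0.55\t9000\t10.0.0.1\t22\ttcp\t30.0\t2000\t5000
1700000400.000000\tC6\t10.0.0.20\t51002\t10.0.0.1\t20001\ttcp\t900.0\t0\t0
"""


@dataclass
class Conn:
    ts: float
    uid: str
    orig_h: str
    resp_h: str
    resp_p: int
    duration: float
    orig_bytes: int
    resp_bytes: int


@dataclass
class Finding:
    uid: str
    client: str
    port: int
    com: str
    reasons: list = field(default_factory=list)


def _num(s):
    """Zeek writes '-' for an unset numeric field; treat it as zero."""
    return 0.0 if s == "-" else float(s)


def parse_conn_log(text):
    """Parse tab-separated conn records, skipping blank and comment lines."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(
            ts=float(f[0]), uid=f[1], orig_h=f[2], resp_h=f[4],
            resp_p=int(f[5]), duration=_num(f[7]),
            orig_bytes=int(_num(f[8])), resp_bytes=int(_num(f[9])),
        ))
    return conns


def find_blocking_sessions(conns, expected=EXPECTED_CLIENTS, max_idle=MAX_IDLE_SECONDS):
    """Return a Finding for each session to a converter serial port that looks
    like it is occupying the port rather than using it."""
    findings = []
    for c in conns:
        if c.resp_h != CONVERTER_HOST or c.resp_p not in SERIAL_PORTS:
            continue  # not a serial-port session on the converter
        reasons = []
        if c.orig_h not in expected:
            reasons.append("unexpected client")
        if c.duration > max_idle and c.orig_bytes == 0 and c.resp_bytes == 0:
            reasons.append("held open without traffic")
        if reasons:
            findings.append(Finding(c.uid, c.orig_h, c.resp_p, SERIAL_PORTS[c.resp_p], reasons))
    return findings


if __name__ == "__main__":
    for f in find_blocking_sessions(parse_conn_log(SAMPLE_LOG)):
        print(f"{f.uid}: {f.client} -> {f.com} (port {f.port}): {', '.join(f.reasons)}")
```

On the sample data, C2 and C3 are flagged on both counts (an unlisted host holding COM2 and COM3 open with no payload), while C6 is flagged only as "held open without traffic": it comes from the allowlisted I/O server, which is exactly what a blocking process running on an otherwise legitimate host would look like on the wire, so the idle-session rule is kept independent of the allowlist. The SSH session (C5) and the short polling sessions (C1, C4) are not reported.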


Procedure Examples

  • In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. [1]

Mitigation

  • In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if feasible. [2]
  • Restrict access to both physical control and network environments with strong passwords. Consider introducing forms of multi-factor authentication, such as biometrics, smart cards, or tokens, to supplement traditional passwords. [2]
  • Lock down and secure portable devices and removable media. Portable ICS assets should not be used outside of the ICS network. [2]
  • Use only authorized media in the physical environment and be aware of anomalies. Take care to keep backups and stored data in secure, protected locations. [2]
  • Implement antivirus and malware detection tools to detect improper access to serial COM by malicious or unexpected programs. Maintain environmental awareness to help detect instances when a serial COM may be blocked, resulting in commands or reports not being carried out. [2]