Control Device Identification
Data Sources: Network protocol analysis, Packet capture
Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.
Procedure Examples
- The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices.[1][2]
- Industroyer contains an OPC DA module that enumerates all OPC servers using the CATID_OPCDAServer20 category identifier and IOPCServer::GetStatus to identify the ones running. The OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: "ctlSelOn", "ctlOperOn", "ctlSelOff", "ctlOperOff", "\Pos and stVal".[3]
- If the target device responds appropriately, the Industroyer IEC 61850 payload then sends an InitiateRequest packet using the Manufacturing Message Specification (MMS). If the expected answer is received, it continues, sending an MMS getNameList request. Thereby, the component compiles a list of object names in a Virtual Manufacturing Device.[3]
- The PLC-Blaster worm starts by scanning for probable targets. Siemens SIMATIC PLCs may be identified by the port 102/tcp.[4]
- The Siemens s7otbxdx.dll is responsible for handling PLC block exchange between the programming device (i.e., a computer running a Simatic manager on Windows) and the PLC. The s7db_open function is an export hook that is used to obtain information used to create handles to manage a PLC (such a handle is used by APIs that manipulate the PLC). Stuxnet utilized this export hook to gain information about targeted PLCs, such as model information. Stuxnet was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.[5]
- The Triton Python script is also capable of autodetecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.[6]
- The VPNFilter packet sniffer monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. 'ps' identifies and logs IPs and ports, but not the packet contents, on port 502 (Modbus traffic). It does not validate the traffic as Modbus.[7][8]
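As an added example (not part of the ATT&CK page or of any report it cites), the following Python applies the Network protocol analysis / Packet capture data sources to the enumeration patterns described in the procedure examples: a single host reaching many distinct devices on the Siemens S7 port 102/tcp, the Modbus port 502/tcp or the Triconex port 1502/udp within a short window, and a UDP broadcast to port 1502. The flow records, the broadcast address, the thresholds and the port-to-protocol labels are the editor's constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the procedure examples above associate with device identification.
# The protocol labels are the editor's assumption, not values from the page's sources.
ICS_ID_PORTS = {
    ("tcp", 102): "ISO-TSAP/S7 (Siemens SIMATIC, scanned by PLC-Blaster)",
    ("tcp", 502): "Modbus (logged by VPNFilter ps)",
    ("udp", 1502): "Triconex (Triton UDP discovery)",
}

# Constructed sample flow records: (timestamp, src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("2019-04-01T10:00:01", "10.0.5.20", "10.0.5.101", "tcp", 102),
    ("2019-04-01T10:00:02", "10.0.5.20", "10.0.5.102", "tcp", 102),
    ("2019-04-01T10:00:02", "10.0.5.20", "10.0.5.103", "tcp", 102),
    ("2019-04-01T10:00:03", "10.0.5.20", "10.0.5.104", "tcp", 102),
    ("2019-04-01T10:00:09", "10.0.5.20", "10.0.5.255", "udp", 1502),
    ("2019-04-01T10:00:10", "10.0.5.7", "10.0.5.101", "tcp", 502),  # routine HMI poll
    ("2019-04-01T10:05:00", "10.0.5.7", "10.0.5.101", "tcp", 502),
]

def detect_device_enumeration(flows, broadcast="10.0.5.255", min_targets=3,
                              window=timedelta(seconds=60)):
    """Return (src, kind, targets) findings: 'scan' when one source reaches at
    least min_targets distinct devices on identification ports within window,
    'triconex_broadcast' for a UDP/1502 datagram to the broadcast address."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if (proto, dport) in ICS_ID_PORTS:
            by_src[src].append((datetime.fromisoformat(ts), dst, proto, dport))
    findings = []
    for src, events in by_src.items():
        events.sort()  # chronological order for the sliding window below
        for i, (t0, _, _, _) in enumerate(events):
            targets = {dst for t, dst, _, _ in events[i:]
                       if t - t0 <= window and dst != broadcast}
            if len(targets) >= min_targets:
                findings.append((src, "scan", sorted(targets)))
                break
        if any(dst == broadcast and (proto, dport) == ("udp", 1502)
               for _, dst, proto, dport in events):
            findings.append((src, "triconex_broadcast", [broadcast]))
    return findings

if __name__ == "__main__":
    for src, kind, targets in detect_device_enumeration(SAMPLE_FLOWS):
        print(f"{src}: {kind} -> {', '.join(targets)}")
```

Routine polling from one HMI to one PLC (10.0.5.7 in the sample) does not trigger a finding; tune min_targets and window to the normal fan-out of engineering workstations in your environment.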
Mitigations
- In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if feasible.[9]
- Restrict access to the configuration and security settings of IT products to the most restrictive level possible, based on the environment.[9] Control and protect against improper modifications before, during, and after system implementation for hardware, firmware, and software.
- Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed.[9]
- Hold new acquisitions to strict security requirements; be sure they are properly secured and haven't been tampered with.[9]
- Encryption of network traffic may help prevent adversaries from gaining device information by protecting the contents of communications.[9]
References
1. ICS-CERT. (2018, August 22). Advisory (ICSA-14-178-01). Retrieved April 1, 2019.
2. Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.
3. Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
4. Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). PLC-Blaster: A worm living solely in the PLC. Retrieved September 19, 2017.
5. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
6. ICS-CERT. (2018, December 18). Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B). Retrieved March 8, 2019.
7. William Largent. (2018, June 06). VPNFilter Update - VPNFilter exploits endpoints, targets new devices. Retrieved March 28, 2019.
8. Carl Hurd. (2019, March 26). VPNFilter Deep Dive. Retrieved March 28, 2019.
9. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.