Control Device Identification

From attackics
Jump to navigation Jump to search
Control Device Identification
Technique
ID T808
Tactic Discovery
Data Sources Network protocol analysis, Packet capture
Asset Field Controller/RTU/PLC/IED

Description

Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.


Procedure Examples

  • The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices.12
  • Industroyer contains an OPC DA module that enumerates all OPC servers using the ICatInformation::EnumClassesOfCategories method with CATID_OPCDAServer20 category identifier and IOPCServer::GetStatus to identify the ones running. The OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: "ctlSelOn", "ctlOperOn", "ctlSelOff", "ctlOperOff", "\Pos and stVal".3
  • If the target device responds appropriately, the Industroyer IEC 61850 payload then sends an InitiateRequest packet using the Manufacturing Message Specification (MMS). If the expected answer is received, it continues, sending an MMS getNameList request. Thereby, the component compiles a list of object names in a Virtual Manufacturing Device.3
  • The PLC-Blaster worm starts by scanning for probable targets. Siemens SIMATIC PLCs may be identified by the port 102/tcp..4
  • The Siemens s7otbxdx.dll is responsible for handling PLC block exchange between the programming device (i.e., a computer running a Simatic manager on Windows) and the PLC. s7db_open function is an export hook that is used to obtain information used to create handles to manage a PLC (such a handle is used by APIs that manipulate the PLC). Stuxnet utilized this export hook to gain information about targeted PLCs such as model information. Stuxnet was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.5
  • The Triton Python script is also capable of autodetecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.6
  • The VPNFilter packet sniffer monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. 'ps' identifies and logs on IPs and ports, but not the packet contents on port 502 (Modbus traffic). It does not validate the traffic as Modbus.78

Mitigation

  • In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if feasible.9
  • Restrict access to configuration settings, and security settings of IT products to the most restrictive possible, based on the environment.9 Control and protect against improper modifications before, during, and after system implementation for hardware, firmware, and software.
  • Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed.9
  • Hold new acquisitions to strict security requirements; be sure they are properly secured and haven’t been tampered with.9
  • Encryption of network traffic may help prevent adversaries from gaining device information by protecting the contents of communications.9