|Data Sources||Network protocol analysis, Packet capture|
Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries1. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration.
An adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.
- The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The tag names, depending on the naming convention, can provide information about facilities and locations.23
- Authorization Enforcement - Systems and devices should restrict access to any data with confidentiality concerns, including location information.
- Human User Authentication - All remote services should require strong authentication before providing user access.
- Communication Authenticity - Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).
- Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.4
- Operational Information Confidentiality - Protect information that may disclose locations of key physical assets.
- Access Management - All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.
- Software Process and Device Authentication - Devices should authenticate all messages between master and outstation assets.
- Encrypt Sensitive Information - Encrypt sensitive location data when feasible to prevent unauthorized access.
- Restrict File and Directory Permissions - Restrict permissions on information that may disclose locations of key physical assets.
- Filter Network Traffic - Inline allow/denylists can be used to prevent devices from sending unauthorized location information across automation protocols (e.g., OPC).