|Tactic||Impair Process Control|
|Data Sources||Sequential event recorder, Application logs, Network protocol analysis, Packet capture|
|Asset||Control Server, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay, Human-Machine Interface|
Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.
An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause Impact to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.
In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.1
- In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device.2
- Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.3
- Access to device configuration settings should be restricted. IT products should be secured, in the most restrictive mode, on par with ICS operational requirements. Be wary of improper modifications before, during, and after system implementation.3
- Monitor system parameters for safe, expected settings and raise alerts when unsafe parameters, unexpected changes, or odd system states occur. Logging and/or associating device changes to accounts may also be beneficial, as an ICS environment rarely changes.3
- Secure and restrict authorization to the control room and the physical environment. Ensure ICS and IT network cables are kept separate and that devices are locked up when possible.3