Modify Alarm Settings

From attackics
Jump to navigation Jump to search
Modify Alarm Settings
ID T838
Tactic Inhibit Response Function
Data Sources Sequential event recorder, Controller parameters, Network protocol analysis, Packet capture
Asset Human-Machine Interface, Control Server, Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED


Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.

If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a Impact could occur.

In ICS environments, the adversary may have to use Alarm Suppression or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring.1 Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code.

In the Maroochy Attack, the adversary disabled alarms at four pumping stations. This caused alarms to not be reported to the central computer.2


  • Restrict access to report settings changes and automatically log any such changes, keeping actions accountable to user accounts.3
  • Restrict ICS user privileges to only those necessary to perform one’s job using Role-Based Access Control (RBAC). Configure these “roles” based on the principle of least privilege. Levels of access can dictate several factors, such as the ability to view, use, and alter specific ICS data or device functions.3
  • Auditing tools can provide tangible records of evidence and system integrity, and should be done on a real-time basis when feasible. 3 These tools may include monitoring of sensors, logs, Intrusion Detection Systems (IDS), antivirus, patch management, policy management software, and other security mechanisms.3
  • Secure and restrict authorization to the control room and the physical environment. ICS devices should stay in their designated areas. Portable ICS assets should be secured and used only in the ICS network.3
  • Intrusion detection systems (IDS) monitor events on a network and ensure unusual activity is brought to attention. Comparing the reporting commands, or lack of certain reports, against the IDS can assist with detecting anomalies.3
  • For instance, reporting behavior for critical or unsafe conditions and safety alarms should rarely, if ever, be turned off. Unsafe conditions coupled with no reports could indicate an attack.3