|Tactic||Persistence, Impair Process Control|
|Data Sources||Sequential event recorder, Digital signatures, Network protocol analysis, Packet capture|
|Asset||Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay|
Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.
This technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices.1
An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:1
- Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.
- Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.
- "Random" Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.
- A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.
- Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.
- Access to device configuration settings should be restricted. IT products should be secured, in the most restrictive mode, on par with ICS operational requirements.2
- Maintain and patch module firmware, checking to ensure the version and state are as expected. Firmware that requires a cryptographic key will be harder for the adversary to alter.2
- Be wary of improper modifications before, during, and after system implementation.2
- Ensure field devices require source and data authentication in order for users to update firmware and perform similar options. Enforcing proper firmware update policies and procedures may help distinguish intended update activity from malicious activity. Note that compromised devices may continue to function as expected by an asset owner, and that it is possible for many to be compromised in such a way.1
- Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.2
- Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.2
- Hold new acquisitions to strict security requirements; be sure they are properly secured and haven’t been tampered with. Monitor existing module firmware with applicable assessments to ensure devices are at the expected versions.2
- Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files.2
- Limit access to the network and require authentication as a barrier. Test access to field devices from outside the network, to help determine if an adversary could reach them.2