|Tactic||Persistence, Inhibit Response Function, Impair Process Control|
|Data Sources||Sequential event recorder, Controller program, Network protocol analysis, Packet capture|
|External Contributors||Joe Slowik - Dragos|
|Asset||Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay|
Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.
- Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.1
- Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System.2
- Authorization Enforcement - All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.
- Human User Authentication - All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.
- Communication Authenticity - Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
- Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.3
- Access Management - Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.
- Software Process and Device Authentication - Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.
- Code Signing - Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.
- Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems.3
- Filter Network Traffic - Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.
- Audit - Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.4