Rogue Master Device

From attackics
(Redirected from Rogue Master Device)
Jump to navigation Jump to search
Rogue Master Device
Technique
ID T0848
Tactic Evasion, Impair Process Control
Data Sources Sequential event recorder, Asset management, Network protocol analysis, Packet capture
Asset Human-Machine Interface, Control Server, Engineering Workstation

Description

Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection.

In the Maroochy Attack, Vitek Boden falsified network addresses in order to send false data and instructions to pumping stations.1


Mitigations

  • Communication Authenticity - Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).
  • Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.2
  • Network Segmentation - Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment.3425
  • Filter Network Traffic - Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.