Rogue Master Device
| Rogue Master Device | |
|---|---|
| Tactic | Evasion, Impair Process Control |
| Data Sources | Sequential event recorder, Asset management, Network protocol analysis, Packet capture |
| Asset | Human-Machine Interface, Control Server, Engineering Workstation |
Adversaries may set up a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection.
In the Maroochy Attack, Vitek Boden falsified network addresses in order to send false data and instructions to pumping stations.[1]
- Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding.[2]
- Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered.[2]
- Protect physical devices and restrict access to different locations with authentication to reduce the likelihood the adversary can introduce an outside device. Inventorying of devices and capabilities can assist in finding unknown entities.[2]
- Check new acquisitions for unexpected features and tampering that could enable them to masquerade as another device.[2]
- When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\Windows\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.[2]
- Identify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting[3] tools like AppLocker[4][5] or Software Restriction Policies[6] where appropriate.[7]
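The data sources listed above (asset management, network protocol analysis, packet capture) combine into a simple detection: any host issuing control-protocol requests that is not in the inventory of authorized masters, or an inventoried master IP appearing with an unexpected MAC address (the address falsification seen at Maroochy), is flagged. The following is an added example, not code from the ATT&CK page; the inventory entries, packet records and IP/MAC values are constructed, and Modbus/TCP on port 502 is assumed as the control protocol.

```python
# Added example: flag control-protocol requests from hosts missing from the
# authorized-master inventory, and inventoried master IPs seen with a
# different MAC. All inventory and packet values below are constructed.
from dataclasses import dataclass

# Constructed asset inventory: authorized masters, keyed by IP, with expected MAC.
AUTHORIZED_MASTERS = {
    "10.0.1.10": "00:1b:1b:aa:aa:aa",   # control server (hypothetical)
    "10.0.1.11": "00:1b:1b:bb:bb:bb",   # HMI (hypothetical)
}
# Modbus function codes that change state on a slave (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

@dataclass
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int
    function_code: int

def detect_rogue_master(packets):
    """Return alert strings for packets that look like rogue-master activity."""
    alerts = []
    for p in packets:
        if p.dst_port != 502:          # only Modbus/TCP requests are examined
            continue
        expected_mac = AUTHORIZED_MASTERS.get(p.src_ip)
        if expected_mac is None:
            if p.function_code in WRITE_FUNCTIONS:
                alerts.append(f"unknown master {p.src_ip} sent write fc={p.function_code} to {p.dst_ip}")
            else:
                alerts.append(f"unknown master {p.src_ip} polled {p.dst_ip} fc={p.function_code}")
        elif p.src_mac != expected_mac:
            alerts.append(f"inventoried master IP {p.src_ip} seen with MAC {p.src_mac}, expected {expected_mac}")
    return alerts

# Constructed packet summaries, as a capture parser would produce them.
SAMPLE_PACKETS = [
    Packet("10.0.1.10", "00:1b:1b:aa:aa:aa", "10.0.2.20", 502, 3),   # legitimate read
    Packet("10.0.1.10", "00:1b:1b:aa:aa:aa", "10.0.2.20", 502, 16),  # legitimate write
    Packet("10.0.1.77", "00:0c:29:12:34:56", "10.0.2.20", 502, 6),   # unknown host writes
    Packet("10.0.1.11", "00:0c:29:12:34:56", "10.0.2.21", 502, 5),   # HMI IP, wrong MAC
    Packet("10.0.1.77", "00:0c:29:12:34:56", "10.0.2.20", 80, 0),    # not Modbus, ignored
]

if __name__ == "__main__":
    for a in detect_rogue_master(SAMPLE_PACKETS):
        print("ALERT:", a)
```

The MAC check only works on a capture taken from the same Layer 2 segment as the master; across a router the MAC seen is the gateway's, so the inventory would need to be keyed by segment.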
1. Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study – Maroochy Water Services, Australia. Retrieved March 27, 2018.
2. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.
3. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
4. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
5. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
6. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
7. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.