Rogue Master Device

From attackics
Jump to navigation Jump to search
Rogue Master Device
ID T848
Tactic Evasion, Impair Process Control
Data Sources Sequential event recorder, Asset management, Network protocol analysis, Packet capture
Asset Human-Machine Interface, Control Server, Engineering Workstation


Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection.

In the Maroochy Attack, Vitek Boden falsified network addresses in order to send false data and instructions to pumping stations.1


  • Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding.2
  • Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered.2
  • Protect physical devices and restrict access to different locations with authentication to reduce the likelihood the adversary can introduce an outside device. Inventorying of devices and capabilities can assist in finding unknown entities.2
  • Check new acquisitions for unexpected features and tampering that could enable them to masquerade as another device.2
  • When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\Windows\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.2
  • Identify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting3 tools like AppLocker45 or Software Restriction Policies6 where appropriate.7