Role Identification

From attackics
Jump to navigation Jump to search
Role Identification
ID T850
Tactic Collection
Data Sources Network protocol analysis, Packet capture
Asset Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED


Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.

For example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device.

Procedure Examples

  • The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process.12
  • The Industroyer IEC 61850 component enumerates the objects discovered in the previous step and sends the domain-specific getNameList requests with each object name. This enumerates named variables in a specific domain.3


  • Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.4
  • Encrypt and protect the integrity of wireless device communications. Encryption at OSI Layer 2 can be considered instead of at Layer 3, to reduce latency. Authenticate wireless users’ access with a secure IEEE 802.1x authentication protocol, that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server.4
  • Filter and limit communications to and from devices on the network. Implement relevant heuristics to detect adversarial probing and unexpected communications activity.4
  • Wireless access points and data servers for wireless worker devices should be located on an isolated network with minimal connections to the ICS network.4
  • Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.4
  • Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.4