Serial Connection Enumeration

From attackics
Jump to navigation Jump to search
Serial Connection Enumeration
Technique
ID T854
Tactic Discovery
Data Sources Network protocol analysis, Packet capture
Asset Input/Output Server, Field Controller/RTU/PLC/IED

Description

Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.

While IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.


Procedure Examples

  • Industroyer contains modules for IEC 101 and IEC 104 communications.1 IEC 101 uses serial for the physical connection and IEC 104 uses Ethernet. Analysis of the malware by Dragos states that both of the modules have equivalent functionality.2 The IEC 104 module uses Network Connection Enumeration to determine the Ethernet adapters on the device. Since functionality between the two modules are equivalent, this implies that the IEC 101 module is able to detect serial interfaces on the device.1

Mitigation

  • Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.3
  • Keep documentation and portable assets secured and stowed away when not in use.3
  • Limit communications to and from devices wherever possible, such as enforcing whitelist policies for network-based communications.3