Unauthorized Command Message

From attackics
Jump to navigation Jump to search
Unauthorized Command Message
ID T855
Tactic Impair Process Control
Data Sources Alarm history, Sequential event recorder, Netflow/Enclave netflow, Network protocol analysis, Packet capture
Asset Field Controller/RTU/PLC/IED


Adversaries may send unauthorized command messages to instruct control systems devices to perform actions outside their expected functionality for process control. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact.1

In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.2

In the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries used valid credentials to seize control of operator workstations and access a distribution management system (DMS) client application via a VPN. The adversaries used these tools to issue unauthorized commands to breakers at substations which caused a loss of power to over 225,000 customers over various areas.3

Procedure Examples

  • The Industroyer IEC 101 module has the capability to communicate with devices (likely RTUs) via the IEC 101 protocol. The module will attempt to find all Information Object Addresses (IOAs) for the device and attempt to change their state in the following sequence: OFF, ON, OFF.4
  • In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives.5
  • Using Triton, an adversary can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately.6


  • Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding.7
  • In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if reasonable.7
  • When feasible, monitor and compare ICS device behavior and physical state to expected behavior and physical state. Contingency plans should be in place to handle and minimize impact from unexpected behavior.7
  • Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed.7
  • Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered.7
  • Antivirus and malicious code detection tools can assist with detecting and preventing impact of malware. Secure Windows, Unix, and Linux, etc.-based systems like traditional IT equipment. Follow vendor recommendations for other computers and services with time-dependent code and changes differentiating them from standard devices.7
  • Leverage Intrusion Detection Systems (IDS) capabilities for event monitoring, such as looking for unusual activity and traffic patterns and detecting abnormal changes to functionality. If timestamps or methods of authentication are associated with commands, these may be useful metrics to determine spoofed sources. For instance, a spoofed message sent with unusual timing or an extra command sent, coinciding with a legitimate source.7