Spoof Reporting Message

From attackics
Jump to navigation Jump to search
Spoof Reporting Message
Technique
ID T856
Tactic Evasion, Impair Process Control
Data Sources Alarm History, Network protocol analysis, Packet capture
Asset Control Server

Description

Adversaries may spoof reporting messages in control systems environments to achieve evasion and assist with impairment of process controls. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network. Reporting messages show the status of devices and any important events that the devices control.

If an adversary has the ability to Spoof Reporting Messages, then they can impact the network in many ways. The adversary can Spoof Reporting Messages that state that the device is in normal working condition, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors were occurring, to distract them from the actual source of the problem.1

In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.2


Mitigation

  • Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding.3
  • When feasible, monitor and compare ICS device behavior and physical state to expected behavior and physical state. Be aware of discrepancies between operator-interface report messages and system states.3
  • Leverage Intrusion Detection Systems (IDS) capabilities for event monitoring, such as looking for unusual activity and traffic patterns and detecting abnormal changes to functionality.3
  • Encrypt and protect the integrity of wireless device communications, while taking care not to degrade end device performance. OSI Layer 2 encryption, rather than Layer 3, can reduce encryption-based latency. Hardware accelerator solutions for cryptographic functions may also be considered.3
  • Secure and restrict authorization to the control room and the physical environment. Ensure ICS and IT network cables are kept separate and that devices are locked up when possible.3