Utilize/Change Operating Mode

From attackics
Jump to navigation Jump to search
Utilize/Change Operating Mode
ID T858
Tactic Evasion, Inhibit Response Function
Data Sources Alarm history, Sequential event recorder, Network protocol analysis, Packet capture
Asset Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED


Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online.

By driving a device into an alternate mode of operation, an adversary has the ability to change configuration settings in such a way to cause a Impact to equipment and/or industrial process associated with the targeted device. An adversary may also use this alternate mode to execute arbitrary code which could be used to evade defenses.

Procedure Examples

  • Triton is able to modify code if the Triconex SIS Controller is configured with the physical keyswitch in ‘program mode’ during operation. If the controller is placed in Run mode (program changes not permitted), arbitrary changes in logic are not possible substantially reducing the likelihood of manipulation. Once the Triton implant is installed on the SIS it is able to conduct any operation regardless of any future position of the keyswitch.1.


  • Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.2
  • Supplement restricted privileges and environment access with strong passwords. Consider forms of multi-factor authentication, such as introducing biometrics, smart cards, or tokens, to supplement traditional passwords.2
  • Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has.2
  • Network services in ICS often transmit in plaintext, making third-party eavesdropping easy. Always use different passwords, especially if credentials may be transmitted across both encrypted and non-encrypted protocols.2
  • Restrict device configuration settings access. Be wary of improper modifications before, during, and after system implementation. IT products should be secured as restrictively as possible, in accordance with ICS operational requirements.2
  • Protect and restrict physical access to locations, devices, and systems. Lockdown and secure portable devices and removable media. Portable ICS assets should not be used outside of the ICS network.2
  • When possible, real-time monitoring and management of ICS devices and the network can help detect anomalous behavior. Always check new device acquisitions for the presence of backdoors and malicious tampering.2