Point & Tag Identification
| Point & Tag Identification | |
| --- | --- |
| Data Sources | Network protocol analysis, Packet capture, Netflow/Enclave netflow |
| External Contributors | Jos Wetzels - Midnight Blue |
| Asset | Data Historian, Control Server, Human-Machine Interface |
Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs, or other process-specific variables.[1] Tags are the identifiers given to points for operator convenience.
Collecting such tags provides valuable context for environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary about which processes and values to keep track of over the course of an operation.
- Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id.[2]
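
The following is an added example, not part of the original technique page: a detection sketch for the "Network protocol analysis" data source that flags a client touching many tags outside its normal working set in a short window, the pattern that whole-namespace enumeration produces. The record layout, addresses, tag names, baseline and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed records in an assumed layout (not a real sensor's format):
# (epoch_seconds, client_ip, server_ip, operation, tag_name)
def sample_events():
    events = []
    # HMI polls the same three tags every 10 seconds.
    for t in range(0, 120, 10):
        for tag in ("FIC101.PV", "FIC101.SP", "TI204.PV"):
            events.append((t, "192.0.2.20", "192.0.2.5", "read", tag))
    # Unfamiliar client browses 40 tags in 4 seconds, then reads each one.
    for i in range(40):
        tag = f"Area{i // 10}.Tag{i}"
        events.append((60 + i // 10, "192.0.2.77", "192.0.2.5", "browse", tag))
        events.append((70 + i // 10, "192.0.2.77", "192.0.2.5", "read", tag))
    return events

# Tags each client is known to use in normal operation (constructed baseline).
BASELINE = {"192.0.2.20": {"FIC101.PV", "FIC101.SP", "TI204.PV"}}

def find_enumerators(events, baseline, window=60, min_new_tags=25):
    """Flag (client, server) pairs that touch at least `min_new_tags` distinct
    tags outside the client's baseline within `window` seconds."""
    per_pair = defaultdict(list)
    for ts, client, server, op, tag in sorted(events):
        if tag not in baseline.get(client, set()):
            per_pair[(client, server)].append((ts, op, tag))
    alerts = {}
    for pair, recs in per_pair.items():
        start = 0
        for end in range(len(recs)):
            # Shrink the window until it spans at most `window` seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            span = recs[start:end + 1]
            tags = {tag for _, _, tag in span}
            if len(tags) >= min_new_tags:
                alerts[pair] = {
                    "first_seen": span[0][0],
                    "distinct_new_tags": len(tags),
                    "browse_ops": sum(op == "browse" for _, op, _ in span),
                }
                break  # report the earliest window that crosses the threshold
    return alerts

if __name__ == "__main__":
    for pair, info in find_enumerators(sample_events(), BASELINE).items():
        print(pair, info)
```

In practice the baseline would be learned per client from a known-good period, since engineering workstations legitimately browse more of the namespace than an HMI does.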