Change Program State

From attackics
(Redirected from Change Program State)
Jump to navigation Jump to search
Change Program State
Technique
ID T0875
Tactic Execution, Impair Process Control
Data Sources Alarm history, Sequential event recorder, Network protocol analysis, Packet capture
Asset Field Controller/RTU/PLC/IED

Description

Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.


Procedure Examples

  • After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster.1
  • Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase.2
  • Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed.3

Mitigations

  • Authorization Enforcement - All field controllers should restrict program state changes to required authenticated users (e.g., engineers, field technicians) only, preferably through implementing a role-based access mechanism.
  • Communication Authenticity - Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
  • Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.4
  • Access Management - All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.
  • Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems.4
  • Filter Network Traffic - Utilize allow/denylists to prevent any unauthorized network messages used to change program state, including any messages that may change the programs running on a device.


References

  1. ^  Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.
  2. ^  Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
  1. ^  MDudek-ICS. (n.d.). TRISIS-TRITON-HATMAN. Retrieved November 3, 2019.
  2. a b  Department of Homeland Security. (2016, September). Retrieved September 25, 2020.



v · d · e
Adversary Techniques
Initial Access
Execution
Persistence
Evasion
Discovery
Lateral Movement
Collection
Inhibit Response Function
Impair Process Control
Impact


Retrieved from "https://collaborate.mitre.org/attackics/index.php?title=Technique/T0875&oldid=8799"