Change Program State
(Redirected from Change Program State)
Jump to navigation
Jump to search
Change Program State | |
---|---|
Technique | |
ID | T0875 |
Tactic | Execution, Impair Process Control |
Data Sources | Alarm history, Sequential event recorder, Network protocol analysis, Packet capture |
Asset | Field Controller/RTU/PLC/IED |
Description
Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.
Procedure Examples
- After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster.1
- Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase.2
- Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed.3
Mitigations
- Authorization Enforcement - All field controllers should restrict program state changes to required authenticated users (e.g., engineers, field technicians) only, preferably through implementing a role-based access mechanism.
- Human User Authentication - All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.
- Communication Authenticity - Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
- Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.4
- Access Management - All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.
- Software Process and Device Authentication - Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.
- Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems.4
- Filter Network Traffic - Utilize allow/denylists to prevent any unauthorized network messages used to change program state, including any messages that may change the programs running on a device.
References