Monitor Process State
| Monitor Process State | |
|---|---|
| Data Sources | Controller program, Network device logs, Host network interfaces, Process monitoring, Netflow/Enclave netflow |
| Asset | Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay |

Adversaries may gather information about the physical process state. This information may be used to learn more about the process itself or as a trigger for malicious actions. The sources of process state information vary and may include OPC tags, historian data, specific PLC block information, or network traffic.
- Industroyer's OPC and IEC 61850 protocol modules include the ability to send "stVal" requests to read the status of operational variables.[1]
- Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation.[2]
- Mitigation Limited or Not Effective - This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
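
Since preventive controls are limited here, the Netflow data source listed above can be used to spot hosts that start polling controllers outside the established pattern. The following is an added example, not part of the original page: the asset inventory, flow records, and function names are constructed for illustration, and the port-to-protocol mapping assumes the well-known default ports.

```python
from collections import Counter

# Well-known server ports for the protocols the page names (sites may remap them).
ICS_PORTS = {102: "IEC 61850 MMS", 135: "OPC Classic (DCOM)", 4840: "OPC UA"}

# Constructed asset inventory and flow records (src, dst, dst_port); not real data.
CONTROLLERS = {"10.0.5.10", "10.0.5.11"}
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.5.10", 102),   # control server polling a relay
    ("10.0.1.20", "10.0.5.11", 102),
    ("10.0.1.30", "10.0.5.10", 4840),  # historian collector
    ("10.0.1.20", "10.0.9.9", 443),    # destination is not a controller
]
CURRENT_FLOWS = [
    ("10.0.1.20", "10.0.5.10", 102),   # matches the baseline
    ("10.0.2.77", "10.0.5.10", 102),   # host never seen polling before
    ("10.0.2.77", "10.0.5.10", 102),
    ("10.0.1.30", "10.0.5.11", 4840),  # known poller, new target
    ("10.0.2.77", "10.0.9.9", 443),    # destination is not a controller
]

def in_scope(flow):
    """True when the flow targets a controller on an ICS protocol port."""
    _, dst, port = flow
    return dst in CONTROLLERS and port in ICS_PORTS

def learn_baseline(flows):
    """Set of (src, dst, port) tuples observed during a trusted window."""
    return {f for f in flows if in_scope(f)}

def find_new_pollers(baseline, flows):
    """Report in-scope flows absent from the baseline, grouped and counted."""
    known_sources = {src for src, _, _ in baseline}
    hits = Counter(f for f in flows if in_scope(f) and f not in baseline)
    alerts = []
    for (src, dst, port), count in sorted(hits.items()):
        reason = ("known poller, new target or protocol"
                  if src in known_sources else "new source")
        alerts.append({"src": src, "dst": dst, "protocol": ICS_PORTS[port],
                       "flows": count, "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in find_new_pollers(learn_baseline(BASELINE_FLOWS), CURRENT_FLOWS):
        print(alert)
```

Flow records show which hosts talk to a controller, not whether a request was a read, so alerts from this check are leads to confirm against network device logs or protocol-level capture.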