Data Historian Compromise

From attackics
Jump to navigation Jump to search
Data Historian Compromise
ID T0810
Tactic Initial Access
External Contributors Joe Slowik - Dragos
Asset Data Historian


Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment.

Dragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution.1 The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be "expected to have extensive connections" within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.

Procedure Examples

  • In Industroyer, after pivoting into the ICS environment, the adversary gained Initial Access to devices involved with critical process operations through a Microsoft Windows Server 2003 running a SQL Server.1


  • Authorization Enforcement - All remotely accessible services should implement access control mechanisms to restrict the information or services accessible to users.
  • Network Allowlists - Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the Filter Network Traffic mitigation.
  • Network Segmentation - Consider placing the historian into a demilitarized zone (DMZ) to allow access from enterprise networks, while protecting the control system network23.
  • Software Configuration - Consider the principle of least functionality when configuring ICS software to limit host or network-based capabilities within the control environment.
  • Filter Network Traffic - Filter network traffic to data historians to ensure only authorized data flows are allowed, especially across network boundaries.