This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.

Manipulation of View

From attackics
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to https://attack.mitre.org/techniques/T0832

Manipulation of View
Technique
ID T0832
Tactic Impact
Asset Engineering Workstation, Human-Machine Interface, Field Controller/RTU/PLC/IED

Description

Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported.123

Operators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.


Procedure Examples

  • Industroyer's OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a “Primary Variable Out of Limits” misdirecting operators from understanding protective relay status.4
  • Stuxnet manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions.56

Mitigations

  • Communication Authenticity - Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).
  • Data Backup - Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans 7, including the management of "gold-copy" back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.


References

  1. ^  Corero. (n.d.). Industrial Control System (ICS) Security. Retrieved November 4, 2019.
  2. ^  Michael J. Assante and Robert M. Lee. (n.d.). The Industrial Control System Cyber Kill Chain. Retrieved November 4, 2019.
  3. ^  Tyson Macaulay. (n.d.). RIoT Control: Understanding and Managing Risks and the Internet of Things. Retrieved November 4, 2019.
  4. ^  Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
  1. ^  Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.
  2. ^  Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
  3. ^  Department of Homeland Security. (2009, October). Developing an Industrial Control Systems Cybersecurity Incident Response Capability. Retrieved September 17, 2020.



v · d · e
Adversary Techniques
Initial Access
Execution
Persistence
Evasion
Discovery
Lateral Movement
Collection
Inhibit Response Function
Impair Process Control
Impact


Retrieved from "https://collaborate.mitre.org/attackics/index.php?title=Technique/T0832&oldid=9235"