Program Upload

From attackics
Revision as of 16:35, 12 April 2021 by Jsteele (talk | contribs) (Text replacement - "Mitigation=Mitigation/M10" to "Mitigation=Mitigation/M09")
Technique
ID T0845
Tactic Collection
Data Sources Sequential event recorder, Controller program, Network protocol analysis, Packet capture
Asset Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED

Description

Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.


Procedure Examples

  • Triton calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes performing a program upload.[1]

Mitigations

  • Authorization Enforcement - All field controllers should restrict program uploads to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.
  • Communication Authenticity - Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
  • Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.[2]
  • Access Management - Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.
  • Network Segmentation - Segment operational networks and systems to restrict access to critical system functions to predetermined management systems.[2]
  • Filter Network Traffic - Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.
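The allowlist and traffic-filtering mitigations above can be checked against the Network protocol analysis data source listed for this technique. The following is an added example, not code from the ATT&CK for ICS project: it reads constructed key=value records from a protocol analyser and raises an alert for every program-upload operation whose source is not an allowlisted engineering workstation. The log format, operation names, host addresses and controller names are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed allowlist: the only hosts permitted to upload logic from controllers.
ENGINEERING_WORKSTATIONS = {"10.10.1.5", "10.10.1.6"}

# Constructed map of monitored controllers (address -> asset name).
CONTROLLERS = {"10.10.2.20": "SIS-Tricon", "10.10.2.21": "PLC-Line1"}

# Constructed protocol-analyser output; one key=value record per line.
# "op=program_upload" marks a request to read the running program from a device.
SAMPLE_LOG = """\
ts=2021-04-12T10:01:02Z src=10.10.1.5 dst=10.10.2.21 op=program_upload
ts=2021-04-12T10:01:09Z src=10.10.1.5 dst=10.10.2.21 op=status_read
ts=2021-04-12T10:04:44Z src=10.10.3.77 dst=10.10.2.20 op=program_upload
garbage line without fields
ts=2021-04-12T10:04:45Z src=10.10.3.77 dst=10.10.2.20 op=program_upload
ts=2021-04-12T10:05:10Z src=10.10.1.6 dst=10.10.2.20 op=program_upload
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    controller: str


def parse_record(line: str) -> Dict[str, str]:
    """Split a key=value record into a dict; tokens without '=' are ignored."""
    fields = (tok.split("=", 1) for tok in line.split() if "=" in tok)
    return {key: value for key, value in fields}


def find_unauthorized_uploads(lines: Iterable[str],
                              allowlist=ENGINEERING_WORKSTATIONS) -> List[Alert]:
    """Return one Alert per program upload issued by a non-allowlisted source."""
    alerts: List[Alert] = []
    for raw in lines:
        rec = parse_record(raw)
        # Only program-upload operations against a monitored controller matter here.
        if rec.get("op") != "program_upload" or rec.get("dst") not in CONTROLLERS:
            continue
        if rec.get("src") in allowlist:
            continue  # expected engineering activity
        alerts.append(Alert(rec["ts"], rec["src"], CONTROLLERS[rec["dst"]]))
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_uploads(SAMPLE_LOG.splitlines()):
        print(f"{alert.ts} unauthorized program upload from {alert.src} "
              f"to {alert.controller}")
```

Against the constructed log the two uploads from 10.10.3.77 to the safety controller are flagged, while the uploads from the two allowlisted workstations are not.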