Monitor Process State

From attackics
ID T801
Tactic Collection
Data Sources Controller program, Network device logs, Host network interfaces, Process monitoring, Netflow/Enclave netflow
Asset Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay


Adversaries may gather information about the physical process state. This information may be used to learn more about the process itself or as a trigger for malicious actions, for example launching an attack only once a process reaches a particular operating condition. Process state can be read from several sources, including OPC tags, historian data, specific PLC data blocks, and network traffic between controllers and supervisory systems.

Procedure Examples

  • Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation.1


Mitigations

  • When feasible, monitor and compare ICS device behavior and physical state to expected behavior and physical state. Contingency plans should be in place to handle and minimize the impact of unexpected behavior.2 The physical layout and cabling should be monitored to detect anomalies and to prevent crossover between ICS and IT environments.
  • Access to device configuration settings should be restricted. IT products used within the ICS environment should be configured in their most restrictive mode consistent with ICS operational requirements, and maintenance of those devices and products should be performed with operational concerns in mind.2
  • Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keeping a controlled and consistent asset inventory can assist with this.2
  • Special care should be taken to ensure backups and other data are restricted to authorized users and kept out of the adversary’s hands. Never use portable ICS environment assets outside of the ICS network.2
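The description above notes that process state can be recovered from network traffic, and the first mitigation asks defenders to compare observed state against expected behavior. The following is an added example, not code from the attackics page or from any project it cites, showing both sides of that: it reconstructs register values from captured Modbus/TCP read-holding-register traffic (function code 3, an assumed protocol; the page does not name one) and then checks the reconstructed state against a constructed baseline of expected ranges. The same parsed state is what a passive adversary on the wire would use as a trigger condition. The capture, the baseline and the register meanings are all constructed for the example.

```python
"""Reconstruct process state from Modbus/TCP FC3 traffic and compare it
against an expected baseline. Added example; Modbus/TCP, the capture and
the baseline are assumptions, not content from the attackics page."""
import struct

MBAP_LEN = 7          # transaction id (2), protocol id (2), length (2), unit id (1)
FC_READ_HOLDING = 3


def split_mbap(frame: bytes):
    """Return (transaction_id, unit_id, pdu), raising ValueError on a bad frame."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    pdu = frame[MBAP_LEN:]
    if len(pdu) != length - 1:          # length counts unit id plus PDU
        raise ValueError("length field does not match frame size")
    return tid, uid, pdu


def parse_fc3_request(pdu: bytes):
    """FC3 request PDU: function (1), start address (2), quantity (2)."""
    fc, start, qty = struct.unpack(">BHH", pdu[:5])
    if fc != FC_READ_HOLDING:
        raise ValueError(f"not an FC3 request: function {fc}")
    return start, qty


def parse_fc3_response(pdu: bytes):
    """FC3 response PDU: function (1), byte count (1), registers (2 each).
    A function code with bit 7 set is a Modbus exception response."""
    fc = pdu[0]
    if fc & 0x80:
        raise ValueError(f"exception response, exception code {pdu[1]}")
    if fc != FC_READ_HOLDING:
        raise ValueError(f"not an FC3 response: function {fc}")
    byte_count = pdu[1]
    data = pdu[2:2 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("byte count does not match register data")
    return list(struct.unpack(f">{byte_count // 2}H", data))


def reconstruct_state(frames):
    """Walk captured (direction, frame) pairs in order and return
    ({(unit_id, register_address): value}, [unmatched responses]).

    Responses carry no addresses, so each is paired with the pending request
    sharing its transaction and unit id. A response with no pending request
    (capture started mid-conversation, or the request was lost) cannot be
    placed and is reported rather than guessed at."""
    pending, state, unmatched = {}, {}, []
    for direction, frame in frames:
        tid, uid, pdu = split_mbap(frame)
        key = (tid, uid)
        if direction == "req":
            pending[key] = parse_fc3_request(pdu)
            continue
        regs = parse_fc3_response(pdu)
        if key not in pending:
            unmatched.append((tid, uid, regs))
            continue
        start, qty = pending.pop(key)
        if len(regs) != qty:
            raise ValueError(f"tid {tid}: requested {qty} registers, got {len(regs)}")
        for offset, value in enumerate(regs):
            state[(uid, start + offset)] = value
    return state, unmatched


def check_against_baseline(state, baseline):
    """Return [(unit_id, address, value, (lo, hi))] for every register whose
    observed value falls outside its expected range; registers with no
    baseline entry are ignored."""
    alerts = []
    for (uid, addr), value in sorted(state.items()):
        limits = baseline.get((uid, addr))
        if limits is not None and not (limits[0] <= value <= limits[1]):
            alerts.append((uid, addr, value, limits))
    return alerts


# Constructed capture: two request/response pairs to unit 1 and one orphan
# response (transaction 9) whose request is not in the capture.
CAPTURE = [
    ("req", bytes.fromhex("0001 0000 0006 01 03 0000 0003")),
    ("rsp", bytes.fromhex("0001 0000 0009 01 03 06 0190 03e8 0001")),
    ("req", bytes.fromhex("0002 0000 0006 01 03 000a 0002")),
    ("rsp", bytes.fromhex("0002 0000 0007 01 03 04 1234 0000")),
    ("rsp", bytes.fromhex("0009 0000 0005 01 03 02 ffff")),
]

# Constructed expected ranges for registers of interest on unit 1 (hypothetical meanings).
BASELINE = {
    (1, 0): (300, 500),     # e.g. a pressure setpoint
    (1, 1): (900, 1100),    # e.g. a flow measurement
    (1, 10): (0, 4000),     # e.g. a speed reading
}

if __name__ == "__main__":
    observed, orphans = reconstruct_state(CAPTURE)
    for alert in check_against_baseline(observed, BASELINE):
        print("out of range:", alert)
    print("unplaceable responses:", orphans)
```

The orphan-response path matters in practice: a capture that starts mid-session, or a sensor that drops a packet, yields register values with no address context, and silently attaching them to the wrong request would corrupt both the defender's baseline comparison and an adversary's trigger logic. Reporting them separately keeps the reconstructed state trustworthy.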