Block Command Message

From attackics
Revision as of 13:21, 18 November 2019 by (username removed)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Block Command Message
ID T803
Tactic Inhibit Response Function
Data Sources Alarm History, Network protocol analysis, Packet capture
Asset Field Controller/RTU/PLC/IED


Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.1

In the 2015 attack on the Ukranian power grid, malicious firmware was used to render communication devices inoperable and effectively prevent them from receiving remote command messages.2

Procedure Examples

  • In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device.3


  • Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding.4
  • Secure the environment to minimize wires susceptible to interference and limit access points to cables. Keep the ICS and IT networks separate.4
  • Monitor the network for expected outcomes and to detect unexpected states.4
  • Implement antivirus and malware detection tools to protect against threats, such as code enabling improper network access.4