Data sources with information about the set of devices found within the network, along with their current software and configurations.
This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses).

Domain | ID | Name | Detects
---|---|---|---
ICS | T0838 | Modify Alarm Settings | Consult asset management systems to understand expected alarm settings.
ICS | T0836 | Modify Parameter | Monitor asset management systems for device configuration changes which can be used to understand expected parameter settings.
ICS | T0843 | Program Download | Consult asset management systems to understand expected program versions.
ICS | T0848 | Rogue Master | Consult asset management systems which may help with the detection of computer systems or network devices that should not exist on a network.

This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).

Domain | ID | Name | Detects
---|---|---|---
ICS | T0877 | I/O Image | Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.
ICS | T0835 | Manipulate I/O Image | A manipulated I/O image requires analyzing the application program running on the PLC for specific data block writes. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.
ICS | T0821 | Modify Controller Tasking | Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. Data from these platforms can be used to identify modified controller tasking.
ICS | T0889 | Modify Program | Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs. Data from these platforms can be used to identify modified controller programs.
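
The two comparisons described above (expected versus observed devices, and expected versus loaded program identified by hash) can be run as a single baseline audit. The following is an added example, not part of the original page; the record layout, field names, finding labels, and sample values are all constructed assumptions.

```python
import hashlib

def norm_mac(mac):
    """Normalize a hardware address so 02-00-.. and 02:00:.. compare equal."""
    return mac.replace("-", ":").lower()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def audit(expected, observed):
    """Compare observed devices with the inventory baseline; return sorted findings."""
    baseline = {norm_mac(a["mac"]): a for a in expected}
    seen, findings = set(), []
    for dev in observed:
        mac = norm_mac(dev["mac"])
        seen.add(mac)
        asset = baseline.get(mac)
        if asset is None:
            # Device the inventory does not expect on this network.
            findings.append(("unknown_device", mac, dev["ip"]))
            continue
        if dev["ip"] != asset["ip"]:
            findings.append(("ip_mismatch", mac, dev["ip"]))
        program = dev.get("program")  # bytes read back from the controller, if any
        if program is not None and sha256_hex(program) != asset["program_sha256"]:
            # Loaded program differs from the expected copy on record.
            findings.append(("program_mismatch", mac, sha256_hex(program)))
    for mac in baseline.keys() - seen:
        # Expected asset that was not observed at all.
        findings.append(("missing_device", mac, baseline[mac]["ip"]))
    return sorted(findings)

# Constructed sample data (hypothetical record layout, documentation-range IPs).
GOOD = b"NETWORK 1: LD I0.0 / ST Q0.0"
EXPECTED = [
    {"mac": "02:00:00:00:00:01", "ip": "192.0.2.10", "program_sha256": sha256_hex(GOOD)},
    {"mac": "02:00:00:00:00:02", "ip": "192.0.2.11", "program_sha256": sha256_hex(GOOD)},
    {"mac": "02:00:00:00:00:03", "ip": "192.0.2.12", "program_sha256": sha256_hex(GOOD)},
]
OBSERVED = [
    {"mac": "02-00-00-00-00-01", "ip": "192.0.2.10", "program": GOOD},
    {"mac": "02:00:00:00:00:02", "ip": "192.0.2.11", "program": GOOD + b" / ST Q0.1"},
    {"mac": "02:00:00:00:00:99", "ip": "192.0.2.50"},
]

if __name__ == "__main__":
    for finding in audit(EXPECTED, OBSERVED):
        print(finding)
```

A hardware address alone is a weak identifier because it can be cloned, which is why the audit also checks the IP and the program hash for devices that do match the baseline.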