Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred.
This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes.
Domain | ID | Name | Detects
---|---|---|---
ICS | T0800 | Activate Firmware Update Mode | Monitor device alarms that indicate the device has been placed into Firmware Update Mode, although not all devices produce such alarms.
ICS | T0878 | Alarm Suppression | Monitor for loss of expected device alarms, which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all of the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
ICS | T0892 | Change Credential | Monitor for device alarms produced when device management passwords are changed, although not all devices will produce such alarms.
ICS | T0858 | Change Operating Mode | Monitor alarms for information about when an operating mode is changed, although not all devices produce such logs.
ICS | T0816 | Device Restart/Shutdown | Devices may produce alarms about restarts or shutdowns. Monitor for unexpected device restarts or shutdowns.
ICS | T0821 | Modify Controller Tasking | Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms. Program Download may be used to enable this technique. Monitor for program downloads, which may be noticeable via operational alarms. Asset management systems should be consulted to understand expected program versions.
ICS | T0836 | Modify Parameter | Monitor for device alarms produced when parameters are changed, although not all devices will produce such alarms.
ICS | T0889 | Modify Program | Monitor device alarms that indicate the program has changed, although not all devices produce such alarms.
ICS | T0839 | Module Firmware | Monitor for firmware changes, which may be observable via operational alarms from devices.
ICS | T0843 | Program Download | Monitor device alarms for program downloads, although not all devices produce such alarms.
ICS | T0848 | Rogue Master | Monitor for new master devices communicating with outstations, which may be visible in alarms within the ICS environment.
ICS | T0856 | Spoof Reporting Message | Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to Adversary-in-the-Middle activity.
ICS | T0857 | System Firmware | Monitor for firmware changes, which may be observable via operational alarms from devices.
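The multi-source discrepancy check described in the Alarm Suppression (T0878) row above, written out as an added example (this is not code from the MITRE ATT&CK page). It assumes two independently collected alarm feeds for the same devices, one exported from a historian's alarm table and one captured directly from device syslog, both in a constructed `timestamp,device,alarm` line format; the device names, alarm kinds and the 5-second matching tolerance are assumptions. Alarms present in the device feed but absent from the historian are the evidence of suppression the row describes.

```python
"""Cross-source device alarm comparison (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alarm:
    source: str
    device: str
    ts: datetime
    kind: str


# Constructed sample: alarm rows as exported from a historian's alarm table.
HISTORIAN = """\
2024-03-05T10:00:05,PLC-7,PROGRAM_DOWNLOAD
2024-03-05T10:02:11,PLC-7,MODE_CHANGE
2024-03-05T10:15:40,RTU-3,COMM_LOSS
"""

# Constructed sample: the same period captured directly from device syslog.
DEVICE_SYSLOG = """\
2024-03-05T10:00:04,PLC-7,PROGRAM_DOWNLOAD
2024-03-05T10:02:10,PLC-7,MODE_CHANGE
2024-03-05T10:02:12,PLC-7,FIRMWARE_UPDATE_MODE
2024-03-05T10:15:41,RTU-3,COMM_LOSS
2024-03-05T10:20:00,PLC-7,PASSWORD_CHANGE
"""


def parse_feed(text, source):
    """Parse 'timestamp,device,kind' lines into Alarm records tagged with their source."""
    alarms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, kind = line.split(",")
        alarms.append(Alarm(source, device, datetime.fromisoformat(ts), kind))
    return alarms


def find_unmatched(feed_a, feed_b, tolerance=timedelta(seconds=5)):
    """Alarms in feed_a with no counterpart in feed_b.

    A counterpart has the same device and kind and a timestamp within
    `tolerance` (clocks of independent collectors rarely agree exactly).
    Each feed_b alarm can satisfy at most one feed_a alarm.
    """
    remaining = list(feed_b)
    unmatched = []
    for a in feed_a:
        match = next(
            (b for b in remaining
             if b.device == a.device and b.kind == a.kind
             and abs(b.ts - a.ts) <= tolerance),
            None,
        )
        if match is None:
            unmatched.append(a)
        else:
            remaining.remove(match)
    return unmatched


def alarm_discrepancies(historian_text, syslog_text):
    """Compare both directions; alarms missing from the historian are the
    suppression signal, alarms missing from the device feed point at a
    collection gap on the device side."""
    hist = parse_feed(historian_text, "historian")
    dev = parse_feed(syslog_text, "device_syslog")
    return {
        "missing_from_historian": find_unmatched(dev, hist),
        "missing_from_device": find_unmatched(hist, dev),
    }


if __name__ == "__main__":
    result = alarm_discrepancies(HISTORIAN, DEVICE_SYSLOG)
    for label, alarms in result.items():
        for a in alarms:
            print(f"{label}: {a.ts.isoformat()} {a.device} {a.kind}")
```

With the constructed data, the historian is missing the device's FIRMWARE_UPDATE_MODE and PASSWORD_CHANGE alarms, the two that a suppressed or filtered alarm path would hide first; nothing is missing in the other direction. The tolerance should be tuned to the real clock skew between the collectors, since too tight a window reports every alarm as unmatched.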
This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices.
Domain | ID | Name | Detects
---|---|---|---
ICS | T0878 | Alarm Suppression | Monitor for loss of operational process data, which could indicate alarms are being suppressed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
ICS | T0803 | Block Command Message | Monitor for lack of operational process data, which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
ICS | T0804 | Block Reporting Message | Monitor for lack of operational process data, which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
ICS | T0805 | Block Serial COM | Monitor for lack of operational process data, which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
ICS | T0806 | Brute Force I/O | Monitor operational process data for write commands to an excessive number of I/O points or for a single value being manipulated an excessive number of times. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
ICS | T0814 | Denial of Service | Monitor operational data for indicators of temporary data loss, which may indicate a Denial of Service. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
ICS | T0838 | Modify Alarm Settings | Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that an alarm setting has changed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
ICS | T0855 | Unauthorized Command Message | Monitor industrial process history data for events that correspond with command message functions, such as setpoint modification or changes to system status for key devices. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
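The two Brute Force I/O (T0806) conditions in the table above, "write commands to an excessive number of I/O points" and "a single value manipulated an excessive number of times", as an added example that is not code from the MITRE ATT&CK page. It assumes write commands are available from the process historian as `(timestamp, source, point, value)` records; the 60-second window, both thresholds, the station names and the point names are assumptions, and the records are constructed to contain one benign operator session and one source exhibiting each pattern.

```python
"""Brute Force I/O heuristics over process write records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window
MAX_DISTINCT_POINTS = 20         # assumed: distinct points one source may write per window
MAX_REPEATS_PER_POINT = 10       # assumed: writes to the same point per window


def constructed_records():
    """Constructed sample writes: (timestamp, source, point, value)."""
    base = datetime(2024, 3, 5, 11, 0, 0)
    # Benign: an operator station adjusting three setpoints over 30 seconds.
    recs = [(base + timedelta(seconds=i * 10), "HMI-1", f"Tank{i + 1}.Setpoint", 50.0 + i)
            for i in range(3)]
    # Pattern 2: one discrete output toggled 30 times within 30 seconds.
    recs += [(base + timedelta(seconds=i), "ENG-WS-9", "Valve1.Cmd", i % 2)
             for i in range(30)]
    # Pattern 1: one write to each of 25 distinct outputs within 25 seconds.
    recs += [(base + timedelta(seconds=60 + i), "ENG-WS-9", f"DO_{i:03d}", 1)
             for i in range(25)]
    return recs


def detect_brute_force_io(records, window=WINDOW, max_points=MAX_DISTINCT_POINTS,
                          max_repeats=MAX_REPEATS_PER_POINT):
    """Replay writes in time order with a per-source sliding window.

    Emits at most one finding per (source, rule[, point]) so a sustained
    burst does not flood the analyst with repeats of the same signal.
    """
    per_source = defaultdict(deque)   # source -> deque of (ts, point) inside the window
    alerted = set()
    findings = []
    for ts, source, point, _value in sorted(records, key=lambda r: r[0]):
        win = per_source[source]
        win.append((ts, point))
        while ts - win[0][0] > window:      # drop writes that fell out of the window
            win.popleft()

        distinct = {p for _, p in win}
        key = (source, "many_points")
        if len(distinct) > max_points and key not in alerted:
            alerted.add(key)
            findings.append({"rule": "many_points", "source": source,
                             "at": ts, "count": len(distinct)})

        repeats = sum(1 for _, p in win if p == point)
        key = (source, "repeated_point", point)
        if repeats > max_repeats and key not in alerted:
            alerted.add(key)
            findings.append({"rule": "repeated_point", "source": source,
                             "point": point, "at": ts, "count": repeats})
    return findings


if __name__ == "__main__":
    for f in detect_brute_force_io(constructed_records()):
        print(f)
```

Both rules fire for ENG-WS-9 and neither for HMI-1. The thresholds are the whole tuning problem in practice: batch recipes and sequence logic legitimately write many points in a short burst, so the baseline per source (and per shift) has to come from the site's own historian before the rule is trusted.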
This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure).
Domain | ID | Name | Detects
---|---|---|---
ICS | T0878 | Alarm Suppression | Monitor for loss of expected operational process alarms, which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all of the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
ICS | T0803 | Block Command Message | Monitor asset alarms, which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if command messages are blocked.
ICS | T0804 | Block Reporting Message | Monitor asset alarms, which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if reporting messages are blocked.
ICS | T0805 | Block Serial COM | Monitor asset alarms, which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if messages over serial COM ports are blocked.
ICS | T0855 | Unauthorized Command Message | Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.
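The Modify Alarm Settings (T0838) row of the process history table says out-of-bounds process data can reveal that an alarm setting was changed; the process alarm list described above is the other half of that check. The following added example (not code from the MITRE ATT&CK page) replays both against an engineering limits table held outside the control system: any sample outside its limits for which no alarm is active on that tag, allowing a short grace period for the alarm to arrive, is a "silent excursion". The tag names, limits, grace period and both exports are constructed; the alarm export is assumed to carry a `NORMAL` return-to-normal event when an alarm clears.

```python
"""Silent process excursion check: history samples vs. the alarm list (added example)."""
from datetime import datetime, timedelta

# Constructed engineering limits kept outside the control system: tag -> (low, high)
LIMITS = {"Reactor1.Temp": (20.0, 90.0), "Reactor1.Press": (0.0, 5.0)}

# Constructed process history export: timestamp,tag,value
HISTORY = """\
2024-03-05T12:00:00,Reactor1.Temp,85.0
2024-03-05T12:00:30,Reactor1.Temp,93.5
2024-03-05T12:01:00,Reactor1.Temp,96.2
2024-03-05T12:01:00,Reactor1.Press,5.6
2024-03-05T12:01:30,Reactor1.Press,5.9
2024-03-05T12:02:30,Reactor1.Press,5.7
"""

# Constructed process alarm export: timestamp,tag,state (NORMAL = return to normal)
ALARMS = """\
2024-03-05T12:01:02,Reactor1.Press,HIGH
2024-03-05T12:02:00,Reactor1.Press,NORMAL
"""


def parse_csv(text):
    """Parse 'timestamp,tag,third' lines into (datetime, tag, third) tuples, time-ordered."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, tag, third = line.split(",")
            rows.append((datetime.fromisoformat(ts), tag, third))
    return sorted(rows, key=lambda r: r[0])


def alarm_active(tag, ts, alarm_events, grace):
    """True if the latest alarm-state event for `tag` at or before ts + grace
    is anything other than NORMAL (i.e. an alarm is standing for the tag)."""
    state = "NORMAL"
    for ev_ts, ev_tag, ev_state in alarm_events:     # already time-ordered
        if ev_tag == tag and ev_ts <= ts + grace:
            state = ev_state
    return state != "NORMAL"


def find_silent_excursions(history_text, alarm_text, limits,
                           grace=timedelta(seconds=10)):
    """Samples outside their engineering limits with no alarm standing for the tag."""
    samples = parse_csv(history_text)
    alarm_events = parse_csv(alarm_text)
    findings = []
    for ts, tag, raw in samples:
        if tag not in limits:
            continue
        low, high = limits[tag]
        value = float(raw)
        if low <= value <= high:
            continue
        if not alarm_active(tag, ts, alarm_events, grace):
            findings.append({"at": ts, "tag": tag, "value": value, "limits": (low, high)})
    return findings


if __name__ == "__main__":
    for f in find_silent_excursions(HISTORY, ALARMS, LIMITS):
        print(f"{f['at'].isoformat()} {f['tag']}={f['value']} outside {f['limits']} with no alarm")
```

On the constructed data the temperature runs above its high limit twice with no alarm at all, and the pressure alarm clears at 12:02:00 while the value is still above 5.0, which is exactly the shape a raised alarm threshold or disabled alarm leaves in the records. Two practical caveats: the limits table must be maintained independently of the alarm configuration it is checking, and the grace period should match the historian's sampling interval plus alarm latency so normal alarms are not reported as missing.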