Monitor operational process data for write commands that target an excessive number of I/O points or that set a single value an excessive number of times. This will not directly detect the technique's execution, but it may provide additional evidence that the technique has been used and may complement other detections.
Some asset application logs may record the I/O points addressed by write commands. Monitor these logs for write commands that target an excessive number of I/O points or that set a single value an excessive number of times.
Monitor network traffic for ICS protocol functions related to write commands that target an excessive number of I/O points or that set a single value an excessive number of times.
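The three monitoring sources above share one detection idea: per client, count how many distinct I/O points are written and how often any single point is rewritten inside a sliding time window. The following is an added example of that logic (it is not ATT&CK content and not a tool's own code). It assumes a constructed CSV-style write log of the form `timestamp,client,function_code,address`, Modbus function codes 5/6/15/16 as the write functions, and the threshold values shown; a real deployment would take these from the application log or network monitor actually in use and tune the thresholds to the process.

```python
import csv
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Modbus write function codes: 5/6 write a single coil/register,
# 15/16 write multiple. Reads (e.g. FC 3) are ignored by the detector.
WRITE_FUNCTION_CODES = {5, 6, 15, 16}


def _make_sample_log():
    """Constructed sample log (hypothetical data, not a real capture)."""
    rows = []
    # Benign: an HMI at 10.0.0.5 writes two setpoints, then performs a read.
    rows.append("2024-01-15T10:00:00,10.0.0.5,6,100")
    rows.append("2024-01-15T10:00:30,10.0.0.5,6,101")
    rows.append("2024-01-15T10:00:31,10.0.0.5,3,100")
    # Sweep: one client writes 60 different registers within 30 seconds.
    for i in range(60):
        rows.append(f"2024-01-15T10:01:{i // 2:02d},10.0.0.9,16,{i}")
    # Hammering: one client rewrites the same coil 25 times in 25 seconds.
    for i in range(25):
        rows.append(f"2024-01-15T10:02:{i:02d},10.0.0.7,5,200")
    return "\n".join(rows)


SAMPLE_LOG = _make_sample_log()


def parse_log(text):
    """Parse CSV lines into (timestamp, client, function_code, address) tuples, oldest first."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, client, fc, addr = row
        records.append((datetime.fromisoformat(ts), client, int(fc), int(addr)))
    records.sort(key=lambda r: r[0])
    return records


def detect_excessive_writes(records, window=timedelta(seconds=60),
                            max_points=20, max_repeats=10):
    """Flag clients that, within one sliding window, write more than
    max_points distinct addresses ("sweep") or write one address more than
    max_repeats times ("repeat"). One alert per client and kind."""
    recent = defaultdict(deque)      # client -> deque of (ts, addr) inside the window
    per_addr = defaultdict(Counter)  # client -> Counter of addr inside the window
    alerts, seen = [], set()
    for ts, client, fc, addr in records:
        if fc not in WRITE_FUNCTION_CODES:
            continue
        q, counts = recent[client], per_addr[client]
        q.append((ts, addr))
        counts[addr] += 1
        # Evict writes that have fallen out of the window (records are sorted).
        while q and ts - q[0][0] > window:
            _, old_addr = q.popleft()
            counts[old_addr] -= 1
            if counts[old_addr] == 0:
                del counts[old_addr]
        distinct = len(counts)
        if distinct > max_points and (client, "sweep") not in seen:
            seen.add((client, "sweep"))
            alerts.append({"client": client, "kind": "sweep",
                           "value": distinct, "time": ts})
        if counts[addr] > max_repeats and (client, "repeat") not in seen:
            seen.add((client, "repeat"))
            alerts.append({"client": client, "kind": "repeat",
                           "value": counts[addr], "time": ts, "address": addr})
    return alerts


if __name__ == "__main__":
    for alert in detect_excessive_writes(parse_log(SAMPLE_LOG)):
        print(alert)
```

The sweep check fires on the 21st distinct address and the repeat check on the 11th write to the same address, so the benign HMI traffic produces no alert. The same counting logic applies whether the records come from a historian, an application log, or decoded network traffic; only `parse_log` changes with the source.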
| Data Component | Name | Channel |
|---|---|---|
| Process History/Live Data (DC0107) | Operational Databases | None |
| Application Log Content (DC0038) | Application Log | None |
| Network Traffic Content (DC0085) | Network Traffic | None |