Detection of Unauthorized Command Message

ID: DET0794
Domains: ICS
Analytics: AN1926
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1926

Monitor industrial process history data for events that correspond with command message functions, such as setpoint modification or changes to system status for key devices. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.
Monitor for new or unexpected connections to controllers, which could indicate an Unauthorized Command Message being sent via Rogue Master.
Monitor for unexpected ICS protocol command functions sent to controllers from existing master devices (including from new processes on those masters) or from new devices. The latter resembles detection for Rogue Master but requires ICS function-level insight to determine whether an unauthorized device (e.g., a historian) is issuing commands.

Monitoring for unexpected or problematic values below the function level will provide better insights into potentially malicious activity but at the cost of additional false positives depending on the underlying operational process.
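As an added example (not code from this page or from MITRE), the following Python shows one way to apply the function-level analytic above: a per-controller baseline of which masters may issue which Modbus function codes is checked against constructed log lines, so that a new device connecting to the PLC and a read-only historian issuing a write both raise alerts. The PLC, HMI and historian addresses, the baseline and the log format are all assumptions.

```python
# Added example, not code from the DET0794 page: flag unexpected Modbus command
# functions to a controller using a constructed baseline and constructed log lines.
from collections import namedtuple

# Modbus/TCP function codes that change process state (write-type functions).
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}

# Constructed baseline: for each controller, which master may issue which
# function codes. 10.0.2.5 is the PLC; 10.0.1.10 is the HMI (may write);
# 10.0.1.20 is the historian (read only; 3 = read holding registers).
BASELINE = {"10.0.2.5": {"10.0.1.10": {3, 6, 16}, "10.0.1.20": {3}}}

# Constructed sample log: timestamp,src,dst,modbus_function_code
SAMPLE_LOG = """\
2025-10-21T10:00:01,10.0.1.10,10.0.2.5,3
2025-10-21T10:00:02,10.0.1.10,10.0.2.5,6
2025-10-21T10:00:03,10.0.1.20,10.0.2.5,3
2025-10-21T10:00:04,10.0.1.20,10.0.2.5,16
2025-10-21T10:00:05,10.0.1.99,10.0.2.5,3
2025-10-21T10:00:06,10.0.1.99,10.0.2.5,5
"""

Alert = namedtuple("Alert", "ts src dst func reason")


def parse_line(line):
    ts, src, dst, func = line.strip().split(",")
    return ts, src, dst, int(func)


def detect(log_text, baseline):
    """Alert on unknown sources and on known masters outside their function profile."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, func = parse_line(line)
        masters = baseline.get(dst)
        if masters is None:
            continue  # destination is not a monitored controller
        allowed = masters.get(src)
        if allowed is None:  # new device talking to the controller (Rogue Master pattern)
            what = "issuing command function" if func in WRITE_FUNCTIONS else "connecting to controller"
            alerts.append(Alert(ts, src, dst, func, f"unknown source {what}"))
        elif func not in allowed:  # e.g. the read-only historian issuing a write
            name = WRITE_FUNCTIONS.get(func, f"function {func}")
            alerts.append(Alert(ts, src, dst, func, f"known master issued unexpected {name}"))
    return alerts
```

Reads from a known master produce nothing; the three alerts come from the historian's write and the unknown 10.0.1.99 host, first for connecting and then for issuing a write.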

Log Sources
Data Component                      Name                    Channel
Process History/Live Data (DC0107)  Operational Databases   None
Application Log Content (DC0038)    Application Log         None
Network Traffic Flow (DC0078)       Network Traffic         None
Process/Event Alarm (DC0109)        Operational Databases   None
Network Traffic Content (DC0085)    Network Traffic         None