Static Network Configuration

Configure hosts and devices to use static network configurations when possible; protocols that require dynamic discovery or addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.

ID: M0814
Security Controls: IEC 62443-3-3:2013 - SR 7.7, IEC 62443-4-2:2019 - CR 7.7, NIST SP 800-53 Rev. 5 - CM-7
Version: 1.1
Created: 06 June 2019
Last Modified: 20 September 2023

Techniques Addressed by Mitigation

Domain ID Name Use
ICS T0830 Adversary-in-the-Middle

Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network hosts' dynamic ARP tables.

ICS T0878 Alarm Suppression

Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.

ICS T0803 Block Command Message

Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.

ICS T0804 Block Reporting Message

Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.
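The "statically defining the hosts and ports" mitigation listed for T0878, T0803 and T0804 above can be made concrete as an allowlist of automation-protocol flows that is both checked against observed connections and rendered into firewall rules. The following is an added example, not MITRE's or any vendor's code; the hosts, MAC-free flow records, the Modbus/TCP (502) and EtherNet/IP (44818) assignments, and the record format are constructed for illustration.

```python
"""Evaluate observed connection attempts against a statically defined allowlist
of automation-protocol sessions (which host may talk to which, on which port),
and render that same allowlist as enforcing iptables rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed allowlist: the only automation sessions this segment should carry.
# Addresses are made up; 502 is Modbus/TCP and 44818 is EtherNet/IP explicit messaging.
ALLOWED_FLOWS = {
    Flow("192.168.10.20", "192.168.10.10", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    Flow("192.168.10.30", "192.168.10.10", "tcp", 44818),  # EWS -> PLC, EtherNet/IP
    Flow("192.168.10.20", "192.168.10.11", "tcp", 502),    # HMI -> second PLC
}

# Constructed sample connection records, in a simple key=value flow-log format.
SAMPLE_RECORDS = """\
src=192.168.10.20 dst=192.168.10.10 proto=tcp dport=502
src=192.168.10.30 dst=192.168.10.10 proto=tcp dport=44818
src=192.168.10.99 dst=192.168.10.10 proto=tcp dport=502
src=192.168.10.20 dst=192.168.10.10 proto=tcp dport=44818
src=192.168.10.30 dst=192.168.10.11 proto=udp dport=2222
"""


def parse_records(text):
    """Parse key=value flow records into Flow objects, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        flows.append(Flow(fields["src"], fields["dst"],
                          fields["proto"].lower(), int(fields["dport"])))
    return flows


def classify(flows, allowed):
    """Partition flows into (permitted, denied) lists, preserving input order.
    Anything not explicitly defined in the static allowlist is denied."""
    permitted, denied = [], []
    for f in flows:
        (permitted if f in allowed else denied).append(f)
    return permitted, denied


def iptables_rules(allowed, chain="FORWARD"):
    """Render the allowlist as iptables rules for a segment firewall: accept
    return traffic of established sessions, accept each defined flow, drop the rest."""
    rules = [f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for f in sorted(allowed, key=lambda f: (f.src, f.dst, f.proto, f.dport)):
        rules.append(
            f"iptables -A {chain} -p {f.proto} -s {f.src} -d {f.dst} "
            f"--dport {f.dport} -j ACCEPT"
        )
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    ok, bad = classify(parse_records(SAMPLE_RECORDS), ALLOWED_FLOWS)
    for f in bad:
        print(f"DENY  {f.src} -> {f.dst} {f.proto}/{f.dport}")
    print("\n".join(iptables_rules(ALLOWED_FLOWS)))
```

In the constructed records, the unknown host reaching the PLC, the HMI using a protocol it was never defined for, and the UDP session to the second PLC are all denied; the rendered rules enforce the same definition on a firewall between the zones.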

ICS T0842 Network Sniffing

Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network hosts' dynamic ARP tables.
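The static ARP entries mentioned for T0830 and T0842 above only help if they are actually pinned as permanent on each host and still match the intended bindings. The following added example (not MITRE's code) audits a Linux neighbour table against an operator-defined IP-to-MAC baseline and generates the `ip neigh` commands that would pin it; the baseline, the sample `ip -4 neigh show` output and the interface name `eth0` are constructed for illustration.

```python
"""Check a host's neighbour (ARP) table against a statically defined IP-to-MAC
baseline. Flags entries whose MAC disagrees with the baseline, entries that are
still dynamically learned (and so still overwritable by spoofed ARP replies),
baseline hosts that are absent, and neighbours the baseline does not know."""
import re

# Constructed baseline: the static bindings an operator has defined for this
# segment. Addresses and MACs are made up for the example.
STATIC_BINDINGS = {
    "192.168.10.10": "00:1a:2b:3c:4d:10",  # PLC
    "192.168.10.20": "00:1a:2b:3c:4d:20",  # HMI
    "192.168.10.1":  "00:1a:2b:3c:4d:01",  # gateway
}

# Constructed sample output in the format of `ip -4 neigh show` on Linux.
SAMPLE_NEIGH_OUTPUT = """\
192.168.10.10 dev eth0 lladdr 00:1a:2b:3c:4d:10 PERMANENT
192.168.10.20 dev eth0 lladdr 00:1a:2b:3c:4d:20 REACHABLE
192.168.10.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.10.99 dev eth0 lladdr 00:1a:2b:3c:4d:99 REACHABLE
"""

# `lladdr` is optional because FAILED/INCOMPLETE entries carry no MAC.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?\s+(?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neigh_table(text):
    """Parse `ip neigh show` lines into a dict: ip -> (mac or None, STATE)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NEIGH_RE.match(line)
        if m:
            mac = m.group("mac")
            table[m.group("ip")] = (mac.lower() if mac else None,
                                    m.group("state").upper())
    return table


def audit_neighbors(table, baseline):
    """Return a sorted list of (ip, issue) tuples describing deviations."""
    findings = []
    for ip, expected_mac in baseline.items():
        entry = table.get(ip)
        if entry is None:
            findings.append((ip, "missing"))
            continue
        mac, state = entry
        if mac != expected_mac.lower():
            findings.append((ip, "mac-mismatch"))
        elif state != "PERMANENT":
            # Correct MAC today, but a dynamic entry can still be overwritten.
            findings.append((ip, "not-static"))
    for ip in table:
        if ip not in baseline:
            findings.append((ip, "unexpected-host"))
    return sorted(findings)


def static_entry_commands(baseline, dev="eth0"):
    """Linux `ip neigh` commands that pin each baseline binding as a permanent
    entry, for an operator to review and apply on the host."""
    return [
        f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
        for ip, mac in sorted(baseline.items())
    ]


if __name__ == "__main__":
    table = parse_neigh_table(SAMPLE_NEIGH_OUTPUT)
    for ip, issue in audit_neighbors(table, STATIC_BINDINGS):
        print(f"{ip:16} {issue}")
    print("\n".join(static_entry_commands(STATIC_BINDINGS)))
```

Run periodically (or fed from `ip -4 neigh show` on the real host), the audit reports the gateway entry whose MAC no longer matches the baseline, the HMI entry that was never pinned, and a neighbour the baseline does not define; the same baseline drives the pinning commands, so the check and the configuration cannot drift apart.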

ICS T0846 Remote System Discovery

ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [1] [2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [3], BACnet [4], and EtherNet/IP. [5]

ICS T0888 Remote System Information Discovery

ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [1] [2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [3], BACnet [4], and EtherNet/IP. [5]

References