1. Home
  2. Mitigations
  3. Static Network Configuration

Static Network Configuration

Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.

ID: M0814
Security Controls: IEC 62443-3-3:2013 - SR 7.7, IEC 62443-4-2:2019 - CR 7.7, NIST SP 800-53 Rev. 5 - CM-7
Version: 1.1
Created: 06 June 2019
Last Modified: 20 September 2023
Version Permalink
ICS Layer
download view

Techniques Addressed by Mitigation

Domain ID Name Use
ICS T0830 Adversary-in-the-Middle

Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.
ICS T0878 Alarm Suppression

Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.
ICS T0803 Block Command Message

Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.
ICS T0804 Block Reporting Message

Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.
ICS T0842 Network Sniffing

Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.
ICS T0846 Remote System Discovery

ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [1] [2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [3], BACnet [4], and Ethernet/IP. [5]
ICS T0888 Remote System Information Discovery

ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [1] [2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [3], BACnet [4], and Ethernet/IP. [5]

References

  1. D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25
  2. Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25
  3. Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25
  1. Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25
  2. Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25