Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. [1]
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| ICS | T0800 | Activate Firmware Update Mode |
Filter for protocols and payloads associated with firmware activation or updating activity. |
|
| ICS | T0806 | Brute Force I/O |
Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period. |
|
| ICS | T0884 | Connection Proxy |
Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques likeDomain Fronting. |
|
| ICS | T0868 | Detect Operating Mode |
Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages. |
|
| ICS | T0816 | Device Restart/Shutdown |
Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374). |
|
| ICS | T0839 | Module Firmware |
Filter for protocols and payloads associated with firmware activation or updating activity. |
|
| ICS | T0861 | Point & Tag Identification |
Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages. |
|
| ICS | T0843 | Program Download |
Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations. |
|
| ICS | T0845 | Program Upload |
Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations. |
|
| ICS | T0886 | Remote Services |
Filter application-layer protocol messages for remote services to block any unauthorized activity. |
|
| ICS | T0848 | Rogue Master |
Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages. |
|
| ICS | T0856 | Spoof Reporting Message |
Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages. |
|
| ICS | T0857 | System Firmware |
Filter for protocols and payloads associated with firmware activation or updating activity. |
|
| ICS | T0855 | Unauthorized Command Message |
Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages. |
|
| ICS | T0859 | Valid Accounts |
Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data. |
|