Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but a set of known malicious uses can be denied instead (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or automation/SCADA protocol-aware firewalls. [1]

ID: M0937
Version: 1.0
Created: 11 June 2019
Last Modified: 24 October 2022

Techniques Addressed by Mitigation

Domain ID Name Use
ICS T0800 Activate Firmware Update Mode

Filter for protocols and payloads associated with firmware activation or updating activity.

ICS T0806 Brute Force I/O

Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.

ICS T0884 Connection Proxy

Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.

ICS T0868 Detect Operating Mode

Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.

ICS T0816 Device Restart/Shutdown

Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).

ICS T0839 Module Firmware

Filter for protocols and payloads associated with firmware activation or updating activity.

ICS T0861 Point & Tag Identification

Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.

ICS T0843 Program Download

Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.

ICS T0845 Program Upload

Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.

ICS T0886 Remote Services

Filter application-layer protocol messages for remote services to block any unauthorized activity.

ICS T0848 Rogue Master

Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.

ICS T0856 Spoof Reporting Message

Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.

ICS T0857 System Firmware

Filter for protocols and payloads associated with firmware activation or updating activity.

ICS T0855 Unauthorized Command Message

Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.

ICS T0859 Valid Accounts

Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.
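The following is an added example, not code from MITRE ATT&CK or from any product referenced on this page, showing what the inline application-layer allow/denylisting described above looks like for one automation protocol. It parses a minimal DNP3 (IEEE 1815) frame, verifies the link-layer CRCs, and then applies three of the controls the table calls for: a denylist that blocks the Cold Restart (0x0D) and Warm Restart (0x0E) function codes (Device Restart/Shutdown), a source allowlist that drops requests from any link address not registered as a master (Rogue Master, Unauthorized Command Message), and a sliding-window rate limit on control commands per source (Brute Force I/O). The master and outstation addresses, the function-code sets, and the rate-limit values are constructed assumptions; the frames are built inline so the filter can be run offline.

```python
"""Inline DNP3 application-layer allow/denylist filter (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, Tuple

DNP3_START = b"\x05\x64"

# DNP3 (IEEE 1815) application-layer function codes used in this example.
FC_CONFIRM, FC_READ, FC_WRITE = 0x00, 0x01, 0x02
FC_SELECT, FC_OPERATE, FC_DIRECT_OPERATE = 0x03, 0x04, 0x05
FC_COLD_RESTART, FC_WARM_RESTART = 0x0D, 0x0E
FC_NAMES = {0x00: "CONFIRM", 0x01: "READ", 0x02: "WRITE", 0x03: "SELECT",
            0x04: "OPERATE", 0x05: "DIRECT_OPERATE",
            0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART"}
# Functions that change outstation state and therefore count toward the rate limit.
CONTROL_FUNCTIONS = frozenset({FC_WRITE, FC_SELECT, FC_OPERATE, FC_DIRECT_OPERATE})


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, output inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(src: int, dst: int, fc: int, payload: bytes = b"") -> bytes:
    """Build one unconfirmed-user-data DNP3 frame carrying a single application request."""
    # transport header (FIR|FIN, seq 0), application control (FIR|FIN, seq 0), function code
    user = bytes([0xC0, 0xC0, fc]) + payload
    # link length counts control + dst + src (5 bytes) plus user data, excluding CRCs
    header = (DNP3_START + bytes([5 + len(user), 0xC4])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + dnp3_crc(header).to_bytes(2, "little")
    for i in range(0, len(user), 16):  # user data is sent in 16-byte blocks, each with its own CRC
        block = user[i:i + 16]
        frame += block + dnp3_crc(block).to_bytes(2, "little")
    return frame


@dataclass(frozen=True)
class Dnp3Message:
    src: int
    dst: int
    function_code: int


def parse_frame(frame: bytes) -> Dnp3Message:
    """Validate link-layer framing and CRCs, then return the application-layer request."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 frame")
    if int.from_bytes(frame[8:10], "little") != dnp3_crc(frame[:8]):
        raise ValueError("link header CRC mismatch")
    dst = int.from_bytes(frame[4:6], "little")
    src = int.from_bytes(frame[6:8], "little")
    user_len, user, pos = frame[2] - 5, b"", 10
    while len(user) < user_len:
        n = min(16, user_len - len(user))
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) < n or len(crc) < 2:
            raise ValueError("truncated frame")
        if int.from_bytes(crc, "little") != dnp3_crc(block):
            raise ValueError("data block CRC mismatch")
        user, pos = user + block, pos + n + 2
    if len(user) < 3:
        raise ValueError("no application header")
    return Dnp3Message(src=src, dst=dst, function_code=user[2])


@dataclass(frozen=True)
class FilterPolicy:
    allowed_masters: FrozenSet[int]    # link addresses permitted to issue requests
    allowed_functions: FrozenSet[int]  # functions those masters may send
    denied_functions: FrozenSet[int]   # functions blocked regardless of source
    max_control_cmds: int = 5          # control commands allowed per source ...
    window_s: float = 10.0             # ... within this many seconds


class Dnp3Filter:
    """Inline allow/denylist: every frame gets an (allowed, reason) verdict."""

    def __init__(self, policy: FilterPolicy) -> None:
        self.policy = policy
        self._history: Dict[int, Deque[float]] = defaultdict(deque)

    def check(self, frame: bytes, now: float) -> Tuple[bool, str]:
        try:
            msg = parse_frame(frame)
        except ValueError as exc:
            return False, f"malformed: {exc}"  # unparseable traffic is dropped, not passed
        name = FC_NAMES.get(msg.function_code, f"0x{msg.function_code:02X}")
        if msg.function_code in self.policy.denied_functions:
            return False, f"denylisted function {name}"
        if msg.src not in self.policy.allowed_masters:
            return False, f"source {msg.src} is not an authorized master"
        if msg.function_code not in self.policy.allowed_functions:
            return False, f"function {name} not on allowlist"
        if msg.function_code in CONTROL_FUNCTIONS:
            hist = self._history[msg.src]
            while hist and now - hist[0] > self.policy.window_s:
                hist.popleft()
            hist.append(now)
            if len(hist) > self.policy.max_control_cmds:
                return False, f"rate limit: {len(hist)} control commands in {self.policy.window_s}s"
        return True, f"{name} from master {msg.src} to outstation {msg.dst}"


if __name__ == "__main__":
    # Constructed policy: one master (address 1), normal polling/control allowed, restarts denied.
    policy = FilterPolicy(frozenset({1}), frozenset({FC_CONFIRM, FC_READ, FC_WRITE, FC_SELECT,
                          FC_OPERATE, FC_DIRECT_OPERATE}), frozenset({FC_COLD_RESTART, FC_WARM_RESTART}))
    dpi = Dnp3Filter(policy)
    for label, frame in [("poll", build_frame(1, 10, FC_READ)),
                         ("cold restart", build_frame(1, 10, FC_COLD_RESTART)),
                         ("rogue master", build_frame(99, 10, FC_READ))]:
        print(f"{label:13s} -> {dpi.check(frame, 0.0)}")
```

The filter fails closed: a frame it cannot parse is denied, and the denylist is consulted before the source allowlist so a restart command is blocked even when it comes from a registered master. The rate limit is deliberately applied only to state-changing functions so that high-rate polling from the legitimate master is not caught by it, which is the accuracy concern the table raises about blocking valid messages.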

References