Activate Firmware Update Mode

Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.

ID: T0800
Sub-techniques:  No sub-techniques
Platforms: None
Contributors: Joe Slowik - Dragos
Version: 1.0
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S0604 Industroyer

The Industroyer SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. [1]

Targeted Assets

ID Asset
A0009 Data Gateway
A0013 Field I/O
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0801 Access Management

All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.

M0800 Authorization Enforcement

Restrict configurations changes and firmware updating abilities to only authorized individuals.

M0802 Communication Authenticity

Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.

M0937 Filter Network Traffic

Filter for protocols and payloads associated with firmware activation or updating activity.

M0804 Human User Authentication

Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management

M0807 Network Allowlists

Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. [2]

M0930 Network Segmentation

Segment operational network and systems to restrict access to critical system functions to predetermined management systems. [2]

M0813 Software Process and Device Authentication

Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode.

DS0029 Network Traffic Network Traffic Content

Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.

DS0040 Operational Databases Device Alarm

Monitor device alarms that indicate the devices has been placed into Firmware Update Mode, although not all devices produce such alarms.

References