Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.
| ID | Name | Description |
|---|---|---|
| S0093 | Backdoor.Oldrea |
Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. [1] |
| S0604 | Industroyer |
Industroyer automatically collects protocol object data to learn about control devices in the environment. [2] |
| S1072 | Industroyer2 |
Industroyer2 leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple priority IEC-104 priority levels.[3] |
| ID | Asset |
|---|---|
| A0007 | Control Server |
| A0006 | Data Historian |
| A0003 | Programmable Logic Controller (PLC) |
| ID | Mitigation | Description |
|---|---|---|
| M0807 | Network Allowlists |
Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support. |
| M0930 | Network Segmentation |
Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC). |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments for actions that could be taken to collect internal data. |
| DS0022 | File | File Access |
Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data. |
| DS0029 | Network Traffic | Network Traffic Content |
Monitor for information collection on assets that may indicate deviations from standard operational tools. Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network. |
| DS0012 | Script | Script Execution |
Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible, to determine their actions and intent. |