Block Command Message

Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. [1] [2]

ID: T0803
Sub-techniques:  No sub-techniques
Platforms: Device Configuration/Parameters, Field Controller/RTU/PLC/IED
Version: 1.0
Created: 21 May 2020
Last Modified: 06 May 2022

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0604 | Industroyer | In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. [3] |
| G0034 | Sandworm Team | In the Ukraine 2015 Incident, Sandworm Team blocked command messages by using malicious firmware to render communication devices inoperable. [2] |


Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M0807 | Network Allowlists | Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support. |
| M0810 | Out-of-Band Communications Channel | Provide an alternative method for sending critical command messages to outstations; this could include using radio/cell communication to send messages to a field technician that physically performs the control function. |
| M0814 | Static Network Configuration | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections. |
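
As an added illustration of M0807 and M0814 (not part of the original entry), the following audit checks flow records against a statically defined set of hosts and ports and flags the case where a device's limited session slots are occupied by a peer that is not on the list. All addresses, ports, session limits and the log format are constructed assumptions.

```python
from collections import defaultdict

# Constructed values (assumptions, not from the page): statically defined
# client -> server:port pairs for automation protocol connections.
ALLOWED = {
    ("10.0.1.10", "10.0.2.20", 2404),  # master -> comm server
    ("10.0.1.10", "10.0.2.21", 502),   # master -> serial-to-ethernet converter
}
# Assumed simultaneous-session limits per device service.
SESSION_LIMIT = {("10.0.2.20", 2404): 2, ("10.0.2.21", 502): 1}

# Constructed flow records: time event src sport dst dport
SAMPLE_FLOWS = """\
08:00:01 open 10.0.1.10 40001 10.0.2.20 2404
08:00:05 open 10.0.9.99 51000 10.0.2.20 2404
08:00:09 close 10.0.1.10 40001 10.0.2.20 2404
08:00:10 open 10.0.9.99 51001 10.0.2.20 2404
08:00:12 open 10.0.1.10 40002 10.0.2.21 502
"""

def audit_flows(text, allowed=ALLOWED, limits=SESSION_LIMIT):
    """Return (time, kind, src, dst, dport) findings for a flow log."""
    sessions = defaultdict(set)   # (dst, dport) -> open (src, sport) sessions
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed records
        ts, event, src, sport, dst, dport = fields
        service = (dst, int(dport))
        session = (src, int(sport))
        if event == "close":
            sessions[service].discard(session)
            continue
        if event != "open":
            continue
        sessions[service].add(session)
        if (src, dst, int(dport)) not in allowed:
            findings.append((ts, "unlisted", src, dst, int(dport)))
        # A full session table that includes an unlisted peer leaves no
        # slot for the authorised master's command channel.
        limit = limits.get(service)
        intruders = [s for s, _ in sessions[service]
                     if (s, dst, int(dport)) not in allowed]
        if limit is not None and len(sessions[service]) >= limit and intruders:
            findings.append((ts, "slots_exhausted", src, dst, int(dport)))
    return findings
```

Calling `audit_flows(SAMPLE_FLOWS)` returns the findings as a list of tuples; the allowlisted connection to the second device fills its only slot without producing a finding.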


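Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0029 | Network Traffic | Network Connection Creation |
| DS0029 | Network Traffic | Network Traffic Flow |
| DS0040 | Operational Databases | Process History/Live Data |
| DS0040 | Operational Databases | Process/Event Alarm |
| DS0009 | Process | Process Termination |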