Brute Force I/O

Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.

Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.

ID: T0806
Sub-techniques:  No sub-techniques
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S0604 Industroyer

The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. [1]

S1072 Industroyer2

Industroyer2 can iterate across a device’s IOAs to modify the ON/OFF value of a given IO state.[2][3]

Targeted Assets

ID Asset
A0007 Control Server
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0937 Filter Network Traffic

Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.

M0807 Network Allowlists

Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.

M0930 Network Segmentation

Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. [4] [5] [6] [7]

M0813 Software Process and Device Authentication

Devices should authenticate all messages between master and outstation assets.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Some asset application logs may provide information on I/O points related to write commands. Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.

DS0029 Network Traffic Network Traffic Content

Monitor network traffic for ICS functions related to write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.

DS0040 Operational Databases Process History/Live Data

Monitor operational process data for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.

References