1. Home
  2. Techniques
  3. ICS
  4. Loss of View

Loss of View

Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. [1] [2] [3]

ID: T0829
Sub-techniques:  No sub-techniques
Tactic: Impact
Platforms: None
Version: 1.0
Created: 21 May 2020
Last Modified: 13 October 2023
Version Permalink

Procedure Examples

ID Name Description
S0604 Industroyer

Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. [4]
S0607 KillDisk

KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable. [5]
S0372 LockerGoga

Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations. [6] [7]

Mitigations

ID Mitigation Description
M0953 Data Backup

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans [8], including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.
M0810 Out-of-Band Communications Channel

Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage [9]. Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.
M0811 Redundancy of Service

Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. [10]

References

  1. Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04
  2. Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04
  3. Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04
  4. Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15
  5. Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22
  1. Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16
  2. Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16
  3. Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17
  4. National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17
  5. M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25