1. Home
  2. Techniques
  3. ICS
  4. Manipulation of Control

Manipulation of Control

Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection.

Methods of Manipulation of Control include:

  • Man-in-the-middle
  • Spoof command message
  • Changing setpoints

A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. [1] [2] [3] Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. [2] The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. [3]

ID: T0831
Sub-techniques:  No sub-techniques
Tactic: Impact
Platforms: None
Version: 1.0
Created: 21 May 2020
Last Modified: 13 October 2023
Version Permalink

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team opened live breakers via remote commands to the HMI, causing blackouts. [4]
S0604 Industroyer

Industroyer toggles breakers to the open state utilizing unauthorized command messages. [5]
S0603 Stuxnet

Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property. [6]

Mitigations

ID Mitigation Description
M0802 Communication Authenticity

Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).
M0953 Data Backup

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans [7], including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.
M0810 Out-of-Band Communications Channel

Utilize out-of-band communication to validate the integrity of data from the primary channel.

References

  1. John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17
  2. Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17
  3. Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17
  4. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.
  1. Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15
  2. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  3. Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17