Modify Alarm Settings

Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.

If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions, then an Impact could occur.

In ICS environments, the adversary may have to use Alarm Suppression or contend with multiple alarms and/or alarm propagation to achieve a specific goal, to evade detection, or to prevent intended responses from occurring. [1] Methods of suppression often rely on modification of alarm settings, such as modifying in-memory code to fixed values or tampering with assembly-level instruction code.

ID: T0838
Sub-techniques: No sub-techniques
Platforms: None
Version: 1.2
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
C0020 Maroochy Water Breach

In the Maroochy Water Breach, the adversary disabled alarms at four pumping stations, preventing notifications to the central computer.[2]

Targeted Assets

ID Asset
A0009 Data Gateway
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0801 Access Management

All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.

M0800 Authorization Enforcement

Only authorized personnel should be able to change settings for alarms.

M0804 Human User Authentication

All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.

M0807 Network Allowlists

Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. [3]

M0930 Network Segmentation

Segment operational network and systems to restrict access to critical system functions to predetermined management systems. [3] [4]

M0813 Software Process and Device Authentication

Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.

M0918 User Account Management

Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.

DS0039 Asset Asset Inventory

Consult asset management systems to understand expected alarm settings.

DS0029 Network Traffic Network Traffic Content

Monitor for alarm setting changes observable in automation or management network protocols.

DS0040 Operational Databases Process History/Live Data

Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that an alarm setting has changed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
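As an added illustration of the DS0015 (Application Log) and DS0039 (Asset Inventory) entries above, and not code from the ATT&CK page, the following Python check parses constructed ICS application log records and compares each alarm configuration event against an assumed asset-inventory baseline, flagging disabled alarms, thresholds that drift from the baseline, and alarms the inventory does not list. The log format, asset names, tag names and user names are assumptions made for the example.

```python
# Added example, not from the ATT&CK page: match alarm-setting changes seen in
# ICS application logs (DS0015) against the expected settings recorded in an
# asset inventory (DS0039). Log format, asset names and tags are constructed.

# Constructed inventory baseline: expected alarm state per (asset, alarm tag).
EXPECTED_ALARMS = {
    ("PUMP-STN-01", "HighLevel"): {"enabled": True, "threshold": 85.0},
    ("PUMP-STN-02", "HighLevel"): {"enabled": True, "threshold": 85.0},
}

# Constructed application log: one "timestamp key=value ..." record per line.
SAMPLE_LOG = """\
2023-10-13T08:01:12Z asset=PUMP-STN-01 event=ALARM_CFG user=eng01 tag=HighLevel enabled=1 threshold=85.0
2023-10-13T08:05:40Z asset=PUMP-STN-01 event=ALARM_CFG user=ops02 tag=HighLevel enabled=0 threshold=85.0
2023-10-13T08:06:02Z asset=PUMP-STN-02 event=ALARM_CFG user=ops02 tag=HighLevel enabled=1 threshold=999.0
2023-10-13T08:06:30Z asset=PUMP-STN-03 event=ALARM_CFG user=ops02 tag=HighLevel enabled=0 threshold=85.0
2023-10-13T08:07:15Z asset=PUMP-STN-01 event=LOGIN user=eng01
"""

def parse_record(line):
    """Split 'ts k=v k=v ...' into (ts, fields); None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    return parts[0], dict(p.split("=", 1) for p in parts[1:] if "=" in p)

def detect_alarm_changes(log_text, expected=EXPECTED_ALARMS):
    """Return (ts, asset, tag, user, reason) for each ALARM_CFG event that
    disables an alarm, moves its threshold off the baseline, or touches an
    alarm the inventory does not know about."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None or parsed[1].get("event") != "ALARM_CFG":
            continue
        ts, f = parsed
        asset, tag, user = f.get("asset"), f.get("tag"), f.get("user", "?")
        baseline = expected.get((asset, tag))
        if baseline is None:
            findings.append((ts, asset, tag, user, "alarm not in inventory baseline"))
        elif baseline["enabled"] and f.get("enabled") != "1":
            findings.append((ts, asset, tag, user, "alarm disabled"))
        elif float(f.get("threshold", "nan")) != baseline["threshold"]:
            findings.append((ts, asset, tag, user,
                             f"threshold {f.get('threshold', '?')} differs from expected {baseline['threshold']}"))
    return findings

if __name__ == "__main__":
    for finding in detect_alarm_changes(SAMPLE_LOG):
        print(*finding)
```

Each finding carries the user recorded in the log, so it can be cross-checked against the personnel authorized under M0800 and M0918.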

References