| ID | Name |
|---|---|
| T0843.001 | Download All |
| T0843.002 | Online Edit |
| T0843.003 | Program Append |
Adversaries may execute a full program download to a PLC to overwrite the entire PLC program and configuration to deploy a new project or make major changes. This typically requires stopping the PLC and adversely impacting control processes.
The ability to perform a full program download to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.
| ID | Name | Description |
|---|---|---|
| S1045 | INCONTROLLER |
INCONTROLLER can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.[1] |
| ID | Asset |
|---|---|
| A0017 | Distributed Control System (DCS) Controller |
| A0018 | Programmable Automation Controller (PAC) |
| A0003 | Programmable Logic Controller (PLC) |
| A0010 | Safety Controller |
| ID | Mitigation | Description |
|---|---|---|
| M0801 | Access Management |
Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| M0947 | Audit |
Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.[2] |
| M0800 | Authorization Enforcement |
ll field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. |
| M0945 | Code Signing |
Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device. |
| M0802 | Communication Authenticity |
Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| M0937 | Filter Network Traffic |
Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations. |
| M0804 | Human User Authentication |
All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| M0807 | Network Allowlists |
Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.[3] |
| M0930 | Network Segmentation |
Segment operational network and systems to restrict access to critical system functions to predetermined management systems.[3] |
| M0813 | Software Process and Device Authentication |
Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0913 | Detection of Program Download All | AN2056 |
Monitor device alarms for program downloads, although not all devices produce such alarms. Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols. Consult asset management systems to understand expected program versions. Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred. |