| ID | Name |
|---|---|
| T0843.001 | Download All |
| T0843.002 | Online Edit |
| T0843.003 | Program Append |
Adversaries may execute an online edit of a PLC to update parts of an existing program. It does not require stopping the PLC which allows it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection.
The ability to perform an online edit to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.
| ID | Asset |
|---|---|
| A0017 | Distributed Control System (DCS) Controller |
| A0018 | Programmable Automation Controller (PAC) |
| A0003 | Programmable Logic Controller (PLC) |
| A0010 | Safety Controller |
| ID | Mitigation | Description |
|---|---|---|
| M0801 | Access Management |
Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| M0947 | Audit |
Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.[1] |
| M0800 | Authorization Enforcement |
ll field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. |
| M0945 | Code Signing |
Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device. |
| M0802 | Communication Authenticity |
Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| M0937 | Filter Network Traffic |
Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations. |
| M0804 | Human User Authentication |
All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| M0807 | Network Allowlists |
Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.[2] |
| M0930 | Network Segmentation |
Segment operational network and systems to restrict access to critical system functions to predetermined management systems.[2] |
| M0813 | Software Process and Device Authentication |
Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0915 | Detection of Online Edit | AN2058 |
Monitor device alarms for program downloads, although not all devices produce such alarms. Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols. Consult asset management systems to understand expected program versions. Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred. |