Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.
| ID | Name | Description |
|---|---|---|
| S1045 | INCONTROLLER |
INCONTROLLER can use the CODESYS protocol to upload programs from Schneider PLCs.[1][2] INCONTROLLER can obtain existing program logic from Omron PLCs by using either the program upload or backup functions available through the HTTP server.[1] |
| S1009 | Triton |
Triton calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. [3] |
| ID | Asset |
|---|---|
| A0003 | Programmable Logic Controller (PLC) |
| A0010 | Safety Controller |
| ID | Mitigation | Description |
|---|---|---|
| M0801 | Access Management |
Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| M0800 | Authorization Enforcement |
All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. |
| M0802 | Communication Authenticity |
Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| M0937 | Filter Network Traffic |
Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations. |
| M0804 | Human User Authentication |
All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| M0807 | Network Allowlists |
Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. [4] |
| M0930 | Network Segmentation |
Segment operational network and systems to restrict access to critical system functions to predetermined management systems. [4] |
| M0813 | Software Process and Device Authentication |
Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content |
Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms. |
| DS0029 | Network Traffic | Network Traffic Content |
Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools. |
| Network Traffic Flow |
Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads). |