| ID | Name |
|---|---|
| T0846.001 | Port Scan |
| T0846.002 | Broadcast Discovery |
| T0846.003 | Multicast Discovery |
Adversaries may perform broadcast discovery requests to enumerate systems and devices on a network. Broadcast discovery works by one system or device sending messages to all systems and devices on a network (or subnet) and then waiting for a response. If a response is received, the system or device that responded is live and can communicate over that protocol. Adversaries may leverage different protocols supported on the network for sending broadcast messages.
Some common OT protocols that have broadcast discovery mechanisms are Building Automation and Control Network (BACnet) Who-Is requests, Common Industrial Protocol (CIP) List Identity User Datagram Protocol (UDP) broadcast requests, and Siemens S7 broadcast identification requests.[1][2]
| ID | Name | Description |
|---|---|---|
| C0063 | 2025 Poland Wiper Attacks | During the 2025 Poland Wiper Attacks, the adversaries used |
| S1009 | Triton | Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.[4] |
| ID | Mitigation | Description |
|---|---|---|
| M0930 | Network Segmentation | Ensure proper network segmentation is followed to protect critical systems and devices. |
| M0814 | Static Network Configuration | ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.[5][6] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery[7], BACnet[8], and Ethernet/IP.[9] |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0908 | Detection of Broadcast Discovery | AN2051 | Monitor for anomalies related to discovery-related ICS functions, including devices that have not previously used these functions or functions being sent to many outstations. |
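The following is an added example, not part of the ATT&CK page or any listed analytic, of how the AN2051 guidance above and the broadcast mechanism described in the technique text can be turned into detection logic. It reads constructed flow-log lines (the format and all addresses are made up for this example), maps UDP destination ports to the discovery mechanisms the page names (the BACnet 47808 and EtherNet/IP 44818 defaults are assumptions about standard configurations; 1502 is the Triton procedure's port), and raises an alert when a source not in an allow-list baseline sends to a broadcast address, or when any source sends discovery-port traffic to many distinct outstations.

```python
"""Flag broadcast/high-fanout OT discovery traffic in constructed flow records.

Added example for the T0846.002 detection guidance; not the page's own code.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP ports of the discovery mechanisms named on the technique page.
# Assumption: default port assignments (BACnet 0xBAC0 = 47808, EtherNet/IP 44818);
# 1502 is the port used by the Triton Triconex probe in the procedure example.
DISCOVERY_PORTS = {
    47808: "BACnet Who-Is",
    44818: "CIP List Identity",
    1502: "Triconex probe",
}

# Hosts that legitimately run discovery (e.g. a BMS server). Constructed baseline.
BASELINE_SOURCES = {"10.0.1.10"}

# Constructed flow-log lines: "<timestamp> <src> -> <dst> <proto>/<dport>"
SAMPLE_FLOWS = [
    "2025-01-01T10:00:01Z 10.0.1.10 -> 10.0.1.255 udp/47808",      # baseline BMS, expected
    "2025-01-01T10:00:05Z 10.0.1.77 -> 255.255.255.255 udp/1502",  # unseen host, Triconex probe
    "2025-01-01T10:00:06Z 10.0.1.77 -> 10.0.1.255 udp/44818",      # unseen host, CIP broadcast
    "2025-01-01T10:00:07Z 10.0.1.77 -> 10.0.2.11 udp/44818",       # same host, unicast sweep
    "2025-01-01T10:00:08Z 10.0.1.77 -> 10.0.2.12 udp/44818",
    "2025-01-01T10:00:09Z 10.0.1.77 -> 10.0.2.13 udp/44818",
    "2025-01-01T10:00:10Z 10.0.1.77 -> 10.0.2.14 udp/44818",
    "2025-01-01T10:00:11Z 10.0.1.77 -> 10.0.2.15 udp/44818",
    "2025-01-01T10:00:20Z 10.0.1.20 -> 10.0.1.30 tcp/502",         # ordinary Modbus/TCP, ignored
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line into a Flow record."""
    ts, src, _arrow, dst, proto_port = line.split()
    proto, dport = proto_port.split("/")
    return Flow(ts, src, dst, proto.upper(), int(dport))


def is_broadcast(addr: str) -> bool:
    """Limited broadcast, or a directed broadcast assuming /24 subnets (assumption)."""
    return addr == "255.255.255.255" or addr.endswith(".255")


def detect_discovery(lines, baseline_sources, fanout_threshold=5):
    """Return alert tuples (ts, src, reason, mechanism).

    reason == "new-broadcast-source": a host outside the baseline sent a discovery
        request to a broadcast address.
    reason == "high-fanout": a host sent discovery-port traffic to at least
        fanout_threshold distinct unicast outstations (timestamp reported as "-").
    """
    alerts = []
    fanout = defaultdict(set)  # (src, dport) -> set of unicast destinations
    for line in lines:
        f = parse_flow(line)
        if f.proto != "UDP" or f.dport not in DISCOVERY_PORTS:
            continue  # only UDP traffic to known discovery ports is of interest
        mechanism = DISCOVERY_PORTS[f.dport]
        if is_broadcast(f.dst):
            if f.src not in baseline_sources:
                alerts.append((f.ts, f.src, "new-broadcast-source", mechanism))
        else:
            fanout[(f.src, f.dport)].add(f.dst)
    for (src, dport), dsts in fanout.items():
        if len(dsts) >= fanout_threshold:
            alerts.append(("-", src, "high-fanout", DISCOVERY_PORTS[dport]))
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery(SAMPLE_FLOWS, BASELINE_SOURCES):
        print(alert)
```

Two tuning points matter in practice: the baseline should be built from observed traffic over a learning window rather than hand-typed, and the fanout threshold should be set below the number of outstations a legitimate poller touches, since a real sweep typically exceeds it by a wide margin.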