Rogue Master

Adversaries may set up a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection.

In the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. [1] [2]

ID: T0848
Sub-techniques: No sub-techniques
Tactic: Initial Access
Platforms: None
Version: 1.2
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
C0020 Maroochy Water Breach

In the Maroochy Water Breach, the adversary falsified network addresses in order to send false data and instructions to pumping stations.[3]

Targeted Assets

ID Asset
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0802 Communication Authenticity

Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).

M0937 Filter Network Traffic

Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.

M0807 Network Allowlists

Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. [4]

M0930 Network Segmentation

Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of the more critical control and operational information within the control environment. [5] [6] [4] [7]

M0813 Software Process and Device Authentication

Devices should authenticate all messages between master and outstation assets.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs.

DS0039 Asset Asset Inventory

Consult asset management systems which may help with the detection of computer systems or network devices that should not exist on a network.

DS0029 Network Traffic Network Traffic Content

Monitor for unexpected ICS protocol functions from new and existing devices. Monitoring known devices requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).

Network Traffic Flow

Monitor for network traffic originating from unknown/unexpected devices or addresses. Local network traffic metadata could be used to identify unexpected connections, including unknown/unexpected source MAC addresses connecting to ports associated with operational protocols. Also, network management protocols such as DHCP and ARP may be helpful in identifying unexpected devices.
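As an added illustration of the Network Traffic Content and Network Traffic Flow detections above (example code written for this page, not part of ATT&CK or any vendor tool), the following script checks constructed flow records against a constructed asset inventory: unknown source devices on operational protocol ports, a known IP seen with an unexpected source MAC, and a non-master asset (such as a historian) issuing Modbus write function codes. The inventory, port list, role names and flow records are all assumptions made up for the example.

```python
# Added example: flag candidate rogue-master activity from flow metadata plus
# Modbus function codes. All inventory and traffic data below is constructed.

# Constructed asset inventory: IP -> (expected MAC, functional role).
ASSETS = {
    "10.0.1.10": ("00:11:22:33:44:55", "master"),      # SCADA control server
    "10.0.1.20": ("00:11:22:33:44:66", "historian"),   # read-only data historian
    "10.0.2.50": ("00:11:22:33:44:77", "outstation"),  # PLC
}
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}
# Modbus function codes that change process state (write coils/registers).
MODBUS_WRITE_FC = {5, 6, 15, 16}

# Constructed flow records: (src_ip, src_mac, dst_ip, dst_port, modbus_fc or None).
FLOWS = [
    ("10.0.1.10", "00:11:22:33:44:55", "10.0.2.50", 502, 3),       # master reads: fine
    ("10.0.1.10", "00:11:22:33:44:55", "10.0.2.50", 502, 16),      # master writes: fine
    ("10.0.1.99", "de:ad:be:ef:00:01", "10.0.2.50", 502, 5),       # unknown host writes coil
    ("10.0.1.10", "de:ad:be:ef:00:02", "10.0.2.50", 20000, None),  # master IP, wrong MAC
    ("10.0.1.20", "00:11:22:33:44:66", "10.0.2.50", 502, 6),       # historian writes register
    ("10.0.1.20", "00:11:22:33:44:66", "10.0.3.1", 443, None),     # non-ICS port: ignored
]

def detect_rogue_masters(flows, assets=ASSETS):
    """Return (flow_index, reason) tuples for flows that look like rogue-master activity."""
    alerts = []
    for i, (src_ip, src_mac, dst_ip, dst_port, fc) in enumerate(flows):
        if dst_port not in ICS_PORTS:
            continue  # only connections to operational protocol ports matter here
        proto = ICS_PORTS[dst_port]
        known = assets.get(src_ip)
        if known is None:
            # Flow-level check: a device absent from the inventory talks to an outstation.
            alerts.append((i, f"unknown device {src_ip}/{src_mac} -> {dst_ip} {proto}"))
            continue
        expected_mac, role = known
        if src_mac != expected_mac:
            # IP belongs to a known asset but the MAC does not: possible address falsification.
            alerts.append((i, f"MAC mismatch for {src_ip}: saw {src_mac}, expected {expected_mac}"))
            continue
        if role != "master" and fc in MODBUS_WRITE_FC:
            # Function-level check: a non-master asset issuing write commands.
            alerts.append((i, f"{role} {src_ip} issued Modbus write FC {fc} to {dst_ip}"))
    return alerts

if __name__ == "__main__":
    for idx, reason in detect_rogue_masters(FLOWS):
        print(f"flow {idx}: {reason}")
```

In a real deployment the inventory would come from the asset management system and the flow records from a passive ICS network monitor or switch span port.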

DS0040 Operational Databases Device Alarm

Monitor for new master devices communicating with outstations, which may be visible in alarms within the ICS environment.

References