Point & Tag Identification

Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. [1] Tags are the identifiers given to points for operator convenience.

Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.

ID: T0861
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: None
Contributors: Jos Wetzels - Midnight Blue
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S0093 Backdoor.Oldrea

The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. [2] [3]

S1045 INCONTROLLER

INCONTROLLER can remotely read the OCP UA structure from devices.[4]

Targeted Assets

ID Asset
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0801 Access Management

Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.

M0800 Authorization Enforcement

Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.

M0802 Communication Authenticity

Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).

M0937 Filter Network Traffic

Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.

M0804 Human User Authentication

All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.

M0807 Network Allowlists

Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. [5]

M0930 Network Segmentation

Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. [6] [7] [5] [8]

M0813 Software Process and Device Authentication

Devices should authenticate all messages between master and outstation assets.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor asset application logs which may provide information about requests for points or tags. Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.

DS0029 Network Traffic Network Traffic Content

Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.

References