Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.
A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. [1] The method of suppression may greatly depend on the type of alarm in question:
In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. [1] Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.
| ID | Name | Description |
|---|---|---|
| C0020 | Maroochy Water Breach |
In the Maroochy Water Breach, the adversary suppressed alarm reporting to the central computer.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M0807 | Network Allowlists |
Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support. |
| M0930 | Network Segmentation |
Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. [3] [4] [5] [6] |
| M0810 | Out-of-Band Communications Channel |
Provide an alternative method for alarms to be reported in the event of a communication failure. |
| M0814 | Static Network Configuration |
Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0029 | Network Traffic | Network Traffic Flow |
Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections. |
| DS0040 | Operational Databases | Device Alarm |
Monitor for loss of expected device alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections. |
| Process History/Live Data |
Monitor for loss of operational process data which could indicate alarms are being suppressed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections. |
||
| Process/Event Alarm |
Monitor for loss of expected operational process alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections. |