Alarm Suppression

Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.

A Secura presentation on targeting OT notes a twofold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. [1] The method of suppression may depend heavily on the type of alarm in question:

  • An alarm raised by a protocol message
  • An alarm signaled with I/O
  • An alarm bit set in a flag (and read)

In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal, evade detection, or prevent intended responses from occurring. [1] Methods of suppression may involve tampering with or altering device displays and logs, modifying in-memory code to fixed values, or even tampering with assembly-level instruction code.

ID: T0878
Sub-techniques: No sub-techniques
Platforms: None
Contributors: Jos Wetzels - Midnight Blue; Marina Krotofil
Version: 1.2
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
C0020 Maroochy Water Breach

In the Maroochy Water Breach, the adversary suppressed alarm reporting to the central computer.[2]

Targeted Assets

ID Asset
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0807 Network Allowlists

Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.

M0930 Network Segmentation

Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of more critical control and operational information within the control environment. [3] [4] [5] [6]

M0810 Out-of-Band Communications Channel

Provide an alternative method for alarms to be reported in the event of a communication failure.

M0814 Static Network Configuration

Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Flow

Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.

DS0040 Operational Databases Device Alarm

Monitor for loss of expected device alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.

Process History/Live Data

Monitor for loss of operational process data which could indicate alarms are being suppressed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.

Process/Event Alarm

Monitor for loss of expected operational process alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
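The Device Alarm and Process/Event Alarm entries above both rely on comparing alarm sources against each other and against process data. The following is an added example (not code from the ATT&CK page or its contributors) that applies that idea to constructed historian samples and an HMI alarm log: a limit breach in the process data with no matching active alarm, or an unexpected gap in a periodic alarm heartbeat, is flagged as a possible sign of suppression. Tag names, limits, and timestamps are assumptions.

```python
"""Cross-source alarm consistency check (added example, not MITRE's code).

Inputs (constructed): historian samples of process tags and the HMI alarm log.
A sample that breaches a tag's high limit without an ACTIVE alarm within the
expected latency suggests the alarm path may be suppressed; silence on an
expected alarm/heartbeat stream suggests loss of alarm traffic.
"""
from dataclasses import dataclass


@dataclass
class Sample:
    t: float      # seconds (constructed timebase)
    tag: str
    value: float


@dataclass
class Alarm:
    t: float
    tag: str
    state: str    # "ACTIVE" or "CLEARED"


# Assumed high-limit configuration per tag (would come from the alarm database).
HIGH_LIMITS = {"PT-101": 80.0, "LT-202": 90.0}


def missing_alarms(samples, alarms, max_latency=5.0):
    """Return (t, tag) for limit breaches whose alarm is not ACTIVE by t + max_latency."""
    missing = []
    for s in samples:
        limit = HIGH_LIMITS.get(s.tag)
        if limit is None or s.value <= limit:
            continue
        # Latest alarm event for this tag that occurred before the latency deadline.
        events = [a for a in alarms if a.tag == s.tag and a.t <= s.t + max_latency]
        latest = max(events, key=lambda a: a.t, default=None)
        if latest is None or latest.state != "ACTIVE":
            missing.append((s.t, s.tag))
    return missing


def heartbeat_gaps(timestamps, expected_period, tolerance=1.5):
    """Return (start, end) pairs where the gap exceeds tolerance * expected_period."""
    ts = sorted(timestamps)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > tolerance * expected_period]


# Constructed data: PT-101 breaches 80 at t=100 and t=160; only the first is alarmed.
SAMPLES = [Sample(100, "PT-101", 85.0), Sample(130, "LT-202", 50.0), Sample(160, "PT-101", 88.0)]
ALARMS = [Alarm(102, "PT-101", "ACTIVE"), Alarm(120, "PT-101", "CLEARED")]
HEARTBEATS = [0, 10, 20, 30, 70, 80]  # 10 s period; the 30 -> 70 gap is the anomaly
```

Both checks produce evidence rather than proof, as the detection entries note, and are meant to be correlated with network-flow monitoring and other sources.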

References