Internet Accessible Device

Adversaries may gain access to industrial environments through systems exposed directly to the internet for remote access, rather than through External Remote Services. Internet accessible devices are exposed to the internet, intentionally or unintentionally, without adequate protections, which may allow adversaries to move directly into the control system network. Access to these devices is accomplished without the use of exploits; access that depends on an exploit is represented by the Exploit Public-Facing Application technique.

Adversaries may leverage built-in remote access functions that are unprotected or rely on minimal legacy protections that can be targeted. [1] These services may be discoverable through the use of online scanning tools.

In the case of the Bowman dam incident, adversaries gained access to the dam control network through a cellular modem. Access to the device was protected by password authentication, but the application was vulnerable to brute forcing. [1] [2] [3]

In Trend Micro's manufacturing deception operation, adversaries were detected gaining direct internet access to an ICS environment through exposed operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. [4]

ID: T0883
Sub-techniques:  No sub-techniques
Tactic: Initial Access
Platforms: None
Version: 1.0
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S1157 Fuxnet

Fuxnet execution relied upon accessing Internet-accessible devices for initial access and deployment.[5]

C0031 Unitronics Defacement Campaign

During the Unitronics Defacement Campaign, the CyberAv3ngers exploited devices connected to the public internet, such as internet-connected Unitronics Programmable Logic Controllers (PLCs) with Human-Machine Interfaces (HMIs), and networking equipment such as cellular modems found in OT environments.[6][7]

Targeted Assets

ID Asset
A0008 Application Server
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0930 Network Segmentation

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Periodically inventory internet accessible devices and compare the result against the expected inventory so that unplanned exposure is detected.

Detection

ID Data Source Data Component Detects
DS0028 Logon Session Logon Session Metadata

Monitor logon activity for unexpected or unusual access to devices from the Internet.

DS0029 Network Traffic Network Traffic Content

Monitor for unusual logins to Internet-connected devices or unexpected protocols to/from the Internet. Network traffic content provides context that flow records alone lack, such as the protocol and payload details of a network flow.

Network Traffic Flow

Monitor for unexpected protocols to/from the Internet. While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.
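As an added illustration of both the inventory check in the mitigation above and the flow-based detection just described (this is example code, not code from MITRE ATT&CK or any vendor cited on this page), the following Python script flags OT-protocol flows that cross the Internet boundary in either direction and diffs the services observed to be reachable from the Internet against an expected exposure baseline. The internal address ranges, the flow-log format, the port-to-protocol table, and the baseline are all assumptions; the flow records are constructed, with TEST-NET addresses standing in for Internet hosts.

```python
"""Added example: flag Internet<->OT-protocol flows and diff Internet-exposed
services against an expected inventory. Illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Site-internal ranges (assumed for the example; use the real OT address plan).
INTERNAL_NETS = [ip_network("192.168.10.0/24"), ip_network("10.0.0.0/8")]

# Default ports of OT and remote-access protocols that should never cross the
# Internet boundary. Vendor/IANA defaults; a starting point, not exhaustive.
OT_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    9600: "Omron FINS",
    44818: "EtherNet/IP",
    5900: "VNC",
}

# Assumed baseline: only the VPN gateway is meant to be reachable, on 443.
EXPECTED_EXPOSURE = {"192.168.10.40": {443}}

# Constructed flow records: "timestamp src dst dport proto". TEST-NET
# addresses (203.0.113.0/24, 198.51.100.0/24) stand in for Internet hosts.
FLOW_LOG = """\
2024-05-01T10:00:00Z 203.0.113.10 192.168.10.5 102 tcp
2024-05-01T10:00:02Z 203.0.113.10 192.168.10.5 5900 tcp
2024-05-01T10:00:05Z 198.51.100.7 192.168.10.20 44818 tcp
2024-05-01T10:00:07Z 198.51.100.7 192.168.10.20 9600 udp
2024-05-01T10:01:00Z 192.168.10.30 192.168.10.5 102 tcp
2024-05-01T10:01:10Z 203.0.113.55 192.168.10.40 443 tcp
2024-05-01T10:02:00Z 192.168.10.5 203.0.113.99 502 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse the assumed whitespace-separated flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
    return flows


def flag_internet_ot_flows(flows) -> list:
    """Return (flow, direction, protocol) for OT-protocol flows that cross the
    Internet boundary. Purely internal and purely external flows are ignored;
    an outbound hit means an internal device is talking OT protocol to the
    Internet (for example through an unmanaged cellular modem)."""
    hits = []
    for f in flows:
        src_in, dst_in = is_internal(f.src), is_internal(f.dst)
        if src_in == dst_in:
            continue
        if f.dport in OT_PORTS:
            direction = "inbound" if dst_in else "outbound"
            hits.append((f, direction, OT_PORTS[f.dport]))
    return hits


def observed_exposure(flows) -> dict:
    """Internal host -> set of ports that accepted connections from the Internet."""
    exposure = {}
    for f in flows:
        if is_internal(f.dst) and not is_internal(f.src):
            exposure.setdefault(f.dst, set()).add(f.dport)
    return exposure


def inventory_drift(observed: dict, expected: dict) -> dict:
    """Host -> Internet-reachable ports that the expected inventory does not list."""
    drift = {}
    for host, ports in observed.items():
        extra = ports - expected.get(host, set())
        if extra:
            drift[host] = extra
    return drift


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for f, direction, proto in flag_internet_ot_flows(flows):
        print(f"{f.ts} {direction:8} {proto:22} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    for host, ports in inventory_drift(observed_exposure(flows), EXPECTED_EXPOSURE).items():
        print(f"unexpected exposure: {host} ports {sorted(ports)}")
```

The two checks answer different questions: the flow filter fires on each boundary-crossing OT session as it happens, while the exposure diff turns the same flow data into the periodic inventory the mitigation asks for, so a PLC that quietly became reachable on 102/tcp shows up even when no single session looks alarming. In practice the observed side would come from an external scan or perimeter flow export rather than an embedded string.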

References