Block Operational Technology Message

Adversaries may block messages between systems and devices in an OT/ICS environment to disrupt processes. Messages typically fall into two categories: (1) reporting messages that contain telemetry data about the current state of systems, devices, and processes and (2) command messages that contain instructions to control systems, devices, and processes. Both types of messages are critical for the proper functioning of industrial control processes and failure of the messages to reach their intended destinations could inhibit response functions or create an unsafe condition that could have physical impacts.[1][2]

Adversaries may block communications by either making modifications to software (System Firmware, Module Firmware, Hooking, and Rootkit) and services (Service Stop, Denial of Service) on systems and devices or by positioning themselves between systems and devices and intercepting and blocking the communications such as the case with an Adversary-in-the-Middle attack.

ID: T1691
Sub-techniques: T1691.001, T1691.002
Version: 1.0
Created: 20 April 2026
Last Modified: 23 April 2026

Targeted Assets

ID Asset
A0007 Control Server
A0017 Distributed Control System (DCS) Controller
A0013 Field I/O
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0018 Programmable Automation Controller (PAC)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0807 Network Allowlists

Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.

M0810 Out-of-Band Communications Channel

Provide an alternative method for sending critical command messages to outstations; this could include using radio/cell communication to send messages to a field technician who physically performs the control function.

M0814 Static Network Configuration

Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0903 Detection of Block Operational Technology Message AN2046

Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.

Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.

Monitor for a loss of network communications, which may indicate this technique is being used.

Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if messages are blocked.
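The "lack of operational process data" and "loss of network communications" analytics above can be implemented as a simple gap detector over a control server's message log. The example below is added here and is not MITRE's code; the space-separated log format, the asset names (RTU-3, RTU-7), the 5 s poll interval and the report/command/ack message kinds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log (not from any real site): a control server polls two
# outstations every 5 s. RTU-7 stops reporting after 12:00:10 and a command sent
# to it at 12:00:15 never receives an ack, i.e. both message categories are lost.
SAMPLE_LOG = """\
2026-04-20T12:00:00Z RTU-3 report pressure=41.2
2026-04-20T12:00:00Z RTU-7 report flow=12.0
2026-04-20T12:00:05Z RTU-3 report pressure=41.3
2026-04-20T12:00:05Z RTU-7 report flow=12.1
2026-04-20T12:00:10Z RTU-3 command valve=open
2026-04-20T12:00:10Z RTU-7 report flow=12.2
2026-04-20T12:00:15Z RTU-3 ack valve=open
2026-04-20T12:00:15Z RTU-7 command valve=close
2026-04-20T12:00:20Z RTU-3 report pressure=41.4
2026-04-20T12:00:25Z RTU-3 report pressure=41.3
2026-04-20T12:00:30Z RTU-3 report pressure=41.2
"""

def parse_log(text):
    """Yield (timestamp, asset, message_kind) from the assumed log format."""
    for line in text.splitlines():
        ts, asset, kind, _payload = line.split(" ", 3)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), asset, kind

def detect_blocked_messages(records, poll_interval_s=5, missed_polls=2):
    """Return (silent, unacked): silent maps asset -> seconds since its last
    reporting message (relative to the newest message seen anywhere); unacked
    lists (asset, command_ts) for commands still lacking an ack past tolerance."""
    records = list(records)
    now = max(ts for ts, _, _ in records)
    tolerance = timedelta(seconds=poll_interval_s * missed_polls)
    last_report, pending_cmds = {}, {}
    for ts, asset, kind in records:
        if kind == "report":
            last_report[asset] = ts
        elif kind == "command":
            pending_cmds.setdefault(asset, []).append(ts)
        elif kind == "ack" and pending_cmds.get(asset):
            pending_cmds[asset].pop(0)  # oldest outstanding command is answered
    silent = {a: int((now - t).total_seconds())
              for a, t in last_report.items() if now - t > tolerance}
    unacked = [(a, t) for a, pending in pending_cmds.items()
               for t in pending if now - t > tolerance]
    return silent, unacked

if __name__ == "__main__":
    silent, unacked = detect_blocked_messages(parse_log(SAMPLE_LOG))
    for asset, secs in silent.items():
        print(f"ALERT: no reporting messages from {asset} for {secs}s")
    for asset, ts in unacked:
        print(f"ALERT: command to {asset} at {ts.isoformat()} unacknowledged")
```

A silent outstation alone is weak evidence (maintenance, link faults), so in practice these alerts are correlated with the service-stop, application-log and asset-alarm signals listed above before being treated as a blocked-message event.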

References