Block Communications

Operational technology communications occur over serial COM, Ethernet, Wi-Fi, cellular (4G/5G), and satellite mediums. Adversaries may block communications to prevent reporting messages and command messages from reaching their intended target devices, disrupting processes and operations and causing cyber-physical impacts.[1]

Adversaries may block communications in two ways: by modifying software (System Firmware, Module Firmware, Hooking, and Rootkit) or services (Service Stop, Denial of Service) on the systems and devices themselves, or by positioning themselves between systems and devices and intercepting and dropping the traffic, as in an Adversary-in-the-Middle attack.

ID: T1695
Sub-techniques: T1695.001, T1695.002, T1695.003
Version: 1.0
Created: 20 April 2026
Last Modified: 23 April 2026

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0017 Distributed Control System (DCS) Controller
A0013 Field I/O
A0016 Firewall
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0018 Programmable Automation Controller (PAC)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0014 Routers
A0010 Safety Controller
A0015 Switch
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0807 Network Allowlists

Implement network allowlists to minimize network access to only authorized hosts.

M0930 Network Segmentation

Segment operational networks to isolate critical systems and devices that do not require broad network access.

M0810 Out-of-Band Communications Channel

Ensure systems and devices have an alternative method for communicating in the event that communication channels become unavailable.

Detection Strategy

ID: DET0910
Name: Detection of Block Communications
Analytic ID: AN2053
Analytic Description:

Monitor asset alarms, which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if messages are blocked.

Monitor for a loss of network communications, which may indicate this technique is being used.

Monitor for a lack of operational process data, which may help identify a loss of communications. This will not directly detect the technique’s execution but may provide additional evidence that the technique has been used and may complement other detections.

Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.

Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.
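The analytics above (sustained poll failures, asset alarms, stale process data, and service terminations) can be combined into one correlation rule. The following is an added example, not code from MITRE or the ATT&CK page: it runs the DET0910-style checks over a constructed sample log. The log format, field names (`poll`, `alarm`, `service`, `process_data`), asset names and the 30-second correlation window are assumptions chosen for the illustration; a real deployment would feed it from the control server's polling logs, the historian and the HMI alarm list.

```python
"""
Added example (not from the ATT&CK page or MITRE): correlate poll
timeouts, asset alarms, service stops and stale process data into a
single "possible blocked communications" finding per outstation.
Record layout "timestamp,source,kind,asset,detail" is hypothetical.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (hypothetical assets RTU-07 and RTU-03).
SAMPLE_LOG = """\
2026-04-20T10:00:00,control_server,poll,RTU-07,ok
2026-04-20T10:00:00,historian,process_data,RTU-07,flow=12.1
2026-04-20T10:00:05,control_server,poll,RTU-07,ok
2026-04-20T10:00:05,historian,process_data,RTU-07,flow=12.0
2026-04-20T10:00:09,control_server,service,RTU-07,dnp3_master stopped
2026-04-20T10:00:10,control_server,poll,RTU-07,timeout
2026-04-20T10:00:15,control_server,poll,RTU-07,timeout
2026-04-20T10:00:18,hmi,alarm,RTU-07,comm_fail
2026-04-20T10:00:20,control_server,poll,RTU-07,timeout
2026-04-20T10:00:00,control_server,poll,RTU-03,ok
2026-04-20T10:00:05,control_server,poll,RTU-03,ok
2026-04-20T10:00:10,control_server,poll,RTU-03,timeout
2026-04-20T10:00:15,control_server,poll,RTU-03,ok
2026-04-20T10:00:20,control_server,poll,RTU-03,ok
"""


@dataclass
class Event:
    ts: datetime
    source: str
    kind: str      # poll | alarm | service | process_data
    asset: str
    detail: str


def parse_log(text):
    """Parse the constructed CSV-style records into time-ordered events."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, source, kind, asset, detail = row
        events.append(Event(datetime.fromisoformat(ts), source, kind, asset, detail))
    events.sort(key=lambda e: e.ts)  # stable sort keeps per-asset order
    return events


def _build_finding(asset, onset, evs, window):
    """Gather corroborating evidence around the onset of poll failures."""
    # Alarms raised after the onset, e.g. over an out-of-band channel.
    alarms = [e.detail for e in evs
              if e.kind == "alarm" and onset <= e.ts <= onset + window]
    # Service/process terminations shortly before or after the onset.
    service_events = [e.detail for e in evs
                      if e.kind == "service" and onset - window <= e.ts <= onset + window]
    # Process data that was flowing before the onset but stopped afterwards.
    before = any(e.kind == "process_data" and e.ts <= onset for e in evs)
    after = any(e.kind == "process_data" and e.ts > onset for e in evs)
    stale = before and not after
    return {
        "asset": asset,
        "onset": onset,
        "alarms": alarms,
        "service_events": service_events,
        "process_data_stale": stale,
        "corroborating_sources": int(bool(alarms)) + int(bool(service_events)) + int(stale),
    }


def detect_block_communications(events, min_consecutive_timeouts=3,
                                correlation_window=timedelta(seconds=30)):
    """Flag assets whose polls time out repeatedly; a single miss is ignored."""
    by_asset = defaultdict(list)
    for e in events:
        by_asset[e.asset].append(e)
    findings = []
    for asset, evs in sorted(by_asset.items()):
        run = []  # current run of consecutive poll timeouts
        for p in (e for e in evs if e.kind == "poll"):
            if p.detail != "timeout":
                run = []
                continue
            run.append(p)
            if len(run) == min_consecutive_timeouts:  # emit once per run
                findings.append(_build_finding(asset, run[0].ts, evs, correlation_window))
    return findings


if __name__ == "__main__":
    for f in detect_block_communications(parse_log(SAMPLE_LOG)):
        print(f"{f['asset']}: poll failures from {f['onset']:%H:%M:%S}, "
              f"alarms={f['alarms']}, services={f['service_events']}, "
              f"process data stale={f['process_data_stale']}, "
              f"corroborating sources={f['corroborating_sources']}")
```

In the sample, RTU-03 suffers one transient timeout and is not flagged, while RTU-07 produces a finding backed by all three additional sources: a `comm_fail` alarm from the HMI, a `dnp3_master stopped` service event just before the first timeout, and historian data that stops at the onset. Requiring more than one corroborating source before paging an operator keeps a single lossy link from generating noise while still surfacing the pattern the analytic describes.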

References