forked from MISP/misp-galaxy
mitre-ics-techniques.json
2038 lines (2038 loc) · 193 KB
{
"authors": [
"MITRE"
],
"category": "attack-pattern",
"description": "A list of Techniques in ATT&CK for ICS.",
"name": "Techniques",
"source": "https://collaborate.mitre.org/attackics/index.php/All_Techniques",
"type": "mitre-ics-techniques",
"uuid": "633e91db-adf8-458e-a09e-7ee0eb588bf3",
"values": [
{
"description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.",
"meta": {
"Procedure Examples": [
"The Industroyer SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case it is used by the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission",
"The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E"
],
"Tactic": [
"Inhibit Response Function"
],
"Technique ID": [
"T800"
],
"refs": [
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
]
},
"uuid": "d07be12d-39a2-448c-8e92-f40a46ed9865",
"value": "Activate Firmware Update Mode"
},
{
"description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. In the Maroochy Attack, the adversary suppressed alarm reporting to the central computer. A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. The method of suppression may greatly depend on the type of alarm in question: an alarm raised by a protocol message, an alarm signaled with I/O, or an alarm bit set in a flag and read. In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. Methods of suppression may involve tampering or altering device displays and logs, modifying in-memory code to fixed values, or even tampering with assembly level instruction code.",
"meta": {
"Tactic": [
"Inhibit Response Function"
],
"Technique ID": [
"T878"
],
"refs": [
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf"
]
},
"uuid": "f35e36fd-1a4a-4fc5-a881-9db30b51b43f",
"value": "Alarm Suppression"
},
{
"description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.",
"meta": {
"Procedure Examples": [
"Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze.",
"Industroyer automatically collects protocol object data to learn about control devices in the environment."
],
"Tactic": [
"Collection"
],
"Technique ID": [
"T802"
],
"refs": [
"https://www.f-secure.com/weblog/archives/00002718.html",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
]
},
"uuid": "cd10178b-3af2-4169-9d19-73194c379fa0",
"value": "Automated Collection"
},
{
"description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. In the 2015 attack on the Ukrainian power grid, malicious firmware was used to render communication devices inoperable and effectively prevent them from receiving remote command messages.",
"meta": {
"Mitigations": [
"Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other. This limits both broadcast traffic and unnecessary flooding.",
"Secure the environment to minimize wires susceptible to interference and limit access points to cables. Keep the ICS and IT networks separate.",
"Monitor the network for expected outcomes and to detect unexpected states.",
"Implement antivirus and malware detection tools to protect against threats, such as code enabling improper network access."
],
"Procedure Examples": [
"In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device."
],
"Tactic": [
"Inhibit Response Function"
],
"Technique ID": [
"T803"
],
"refs": [
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "bc454d80-054b-48bf-8848-289ec9d8277d",
"value": "Block Command Message"
},
{
"description": "Adversaries may block or prevent a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. In the 2015 attack on the Ukrainian power grid, malicious firmware was used to render communication devices inoperable and effectively block messages from being reported.",
"meta": {
"Mitigations": [
"Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other.",
"Secure the environment to minimize wires susceptible to interference and limit access points to cables. Keep the ICS and IT networks separate.",
"Monitor the network for expected outcomes and to detect unexpected states. For instance, an expected report that does not occur may indicate reason for concern.",
"Implement antivirus and malware detection tools to protect against threats, such as code enabling improper network access.",
"Authenticate wireless users’ access with a secure IEEE 802.1x authentication protocol, that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server."
],
"Procedure Examples": [
"Industroyer uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device."
],
"Tactic": [
"Inhibit Response Function"
],
"Technique ID": [
"T804"
],
"refs": [
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "c70c3328-e180-4947-badd-8088686aec7f",
"value": "Block Reporting Message"
},
{
"description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.",
"meta": {
"Mitigations": [
"In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if feasible.",
"Restrict access to both physical control and network environments with strong passwords. Consider forms of multi-factor authentication, such as introducing biometrics, smart cards, or tokens, to supplement traditional passwords.",
"Lock down and secure portable devices and removable media. Portable ICS assets should not be used outside of the ICS network.",
"Use only authorized media in the physical environment and be aware of anomalies. Take care to keep backups and stored data in secure, protected locations.",
"Implement antivirus and malware detection tools to detect improper access to serial COM by malicious or unexpected programs. Maintain environmental awareness to help detect instances when a serial COM may be blocked, resulting in commands or reports not being carried out."
],
"Procedure Examples": [
"In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device."
],
"Tactic": [
"Inhibit Response Function"
],
"Technique ID": [
"T805"
],
"refs": [
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "6def9c26-dbd6-4410-a363-02bd2e235c22",
"value": "Block Serial COM"
},
{
"description": "Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.",
"meta": {
"Procedure Examples": [
"The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values."
],
"Tactic": [
"Impair Process Control"
],
"Technique ID": [
"T806"
],
"refs": [
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
]
},
"uuid": "f5b5b616-1b96-485e-8b7b-620e94145bea",
"value": "Brute Force I/O"
},
{
"description": "Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
"meta": {
"Procedure Examples": [
"After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster.",
"Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase.",
"Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed."
],
"Tactic": [
"Execution",
"Impair Process Control"
],
"Technique ID": [
"T875"
],
"refs": [
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf",
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"
]
},
"uuid": "1f846cbc-ed70-429c-b489-eaf1f0f99ca6",
"value": "Change Program State"
},
{
"description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation. CLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.",
"meta": {
"Mitigations": [
"Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.",
"Authentication of accounts should be enforced, and when applicable, account permissions and privileges should be limited to an as-needed basis.",
"In ICS environments with dial-up modems, disconnect the modems when not in use or automate their disconnection after being active for a given amount of time, if feasible.",
"In general, reduce and restrict access to both physical resources and the network, wherever CLIs might be exposed."
],
"Procedure Examples": [
"The name of the Industroyer payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoor’s “execute a shell command” commands."
],
"Tactic": [
"Execution"
],
"Technique ID": [
"T807"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1059",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "1e6829cd-e6f3-4ff9-b56d-c6f0a2bb88ae",
"value": "Command-Line Interface"
},
{
"description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the following examples: TCP:80 (HTTP), TCP:443 (HTTPS), TCP/UDP:53 (DNS), TCP:1024-4999 (OPC on XP/Win2k3), TCP:49152-65535 (OPC on Vista and later), TCP:23 (TELNET), UDP:161 (SNMP), TCP:502 (MODBUS), TCP:102 (S7comm/ISO-TSAP), TCP:20000 (DNP3), TCP:44818 (Ethernet/IP).",
"meta": {
"Mitigations": [
"Access to device configuration settings should be restricted. Be wary of improper modifications before, during, and after system implementation.",
"Settings should be in the most restrictive mode, consistent with ICS operational requirements, including the limitation of open ports to those that are necessary.",
"Leverage access control capabilities, such as whitelists, to limit communications to and from permitted, known entities.",
"Assess and secure new device acquisitions as they enter the environment to detect and prevent the introduction of tampered with components.",
"VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.",
"Intrusion detection can be put in place to monitor traffic and logs. Unexpected or a high amount of traffic involving even commonly used ports can be suspicious when it deviates from the often consistent state of the ICS environment."
],
"Procedure Examples": [
"Dragonfly communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138.",
"Stuxnet attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised.",
"Triton framework can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments."
],
"Tactic": [
"Command and Control"
],
"Technique ID": [
"T885"
],
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA17-293A",
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "6f53940b-f5ee-4fcc-8752-2c9bdb16381c",
"value": "Commonly Used Port"
},
{
"description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. The definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. The network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.",
"meta": {
"Mitigations": [
"Implement Virtual Local Area Networks (VLANs) to divide physical networks into smaller, logical ones with isolated traffic from each other.",
"VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.",
"Where applicable, further restrict network traffic by enforcing whitelisting of known, trusted devices. Limit access and editing privileges to such lists.",
"Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools."
],
"Tactic": [
"Command and Control"
],
"Technique ID": [
"T884"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1090",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
"https://www.cpni.gov.uk/Documents/Publications/2014/2014-04-23-c2-report-birmingham.pdf"
]
},
"uuid": "2c5bf128-129a-482f-b578-995b389c9e2e",
"value": "Connection Proxy"
},
{
"description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under the 'incidents affecting business' section of its 2014 IT Security Report. These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's now blackened rivers. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside.",
"meta": {
"Procedure Examples": [
"Stuxnet attacks were designed to over-pressure and damage centrifuge rotors by manipulating process pressure and rotor speeds over time. One focused on a routine to change centrifuge rotor speeds, while the other manipulated critical resonance speeds to over-pressure them."
],
"Tactic": [
"Impact"
],
"Technique ID": [
"T879"
],
"refs": [
"https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html",
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"
]
},
"uuid": "0f14bec1-cc6e-4c73-a0de-77b9cf3f525f",
"value": "Damage to Property"
},
{
"description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident. Standard file deletion commands are available on most operating systems and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.",
"meta": {
"Mitigations": [
"Password authentication can be used as a barrier to Data Destruction, in addition to restricting user account file access according to the principle of least privilege. The default for newly created accounts should be minimal, to reduce adversary movement capabilities.",
"Best password practices, and the implementation of multi-factor authentication can also add security, particularly if data in the environment has a high risk of interception or may be sent in plaintext.",
"Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed.",
"Take note of suspicious files and run antivirus and malware detecting solutions to assist in catching malicious programs that can result in Data Destruction.",
"Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting tools like AppLocker or Software Restriction Policies where appropriate."
],
"Procedure Examples": [
"Industroyer has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files.",
"KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion."
],
"Tactic": [
"Inhibit Response Function"
],
"Technique ID": [
"T809"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1107",
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
"uuid": "cc76d9dc-1e26-48a1-baa1-c42b2aa6d381",
"value": "Data Destruction"
},
{
"description": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. Dragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be expected to have extensive connections within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.",
"meta": {
"Procedure Examples": [
"In Industroyer, after pivoting into the ICS environment, the adversary gained Initial Access to devices involved with critical process operations through a Microsoft Windows Server 2003 running a SQL Server."
],
"Tactic": [
"Initial Access"
],
"Technique ID": [
"T810"
],
"refs": [
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"
]
},
"uuid": "bb11d289-4661-444b-8923-e77ce630f487",
"value": "Data Historian Compromise"
},
{
"description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of target information repositories include reference databases and local machines on the process environment.",
"meta": {
"Procedure Examples": [
"ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories.",
"Duqu downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance.",
"Flame has built-in modules to gather information from compromised computers."
],
"Tactic": [
"Collection"
],
"Technique ID": [
"T811"
],
"refs": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf",
"https://www.symantec.com/security-center/writeup/2012-052811-0308-99"
]
},
"uuid": "ec83fca8-a475-42fd-9ae5-db666ec6dd3d",
"value": "Data from Information Repositories"
},
{
"description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled. ",
"meta": {
"Mitigations": [
"Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.",
"Change default passwords to strong ones, when possible. In some instances, network traffic may be easily intercepted or sent in plaintext. In these instances, multi-factor authentication can act as both a barrier to the adversary and help alert the account owner of unauthorized access. Triple-factor authentication may also be considered.",
"Be aware of device patching and maintenance that would enable password changes or stronger passwords than currently used ones.",
"Authenticate wireless communications and access with a secure IEEE 802.1x authentication protocol.",
"Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.",
"In general, console user actions should be traceable, whether manually (e.g. control room sign in) or automatically (e.g. login at the application and/or OS layer). Protect and restrict access to the resulting logs.",
"Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has. Physical token authentication can also be considered. It is also easier to notice if these have gotten lost or stolen, unlike traditional passwords. Smart cards are another option to consider, and provide additional functionality over token authentication. Biometric authentication may also be a good supplement to software-only password solutions. Secure and check new acquisitions for tampering and signs of malicious components.",
"VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.",
"In the event the adversary is already inside the network, an intrusion detection system can help detect and record unusual patterns of activity."
],
"Tactic": [
"Lateral Movement"
],
"Technique ID": [
"T811"
],
"refs": [
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "c40fbcf3-5baf-4589-8f3a-e544790d2e37",
"value": "Default Credentials"
},
{
"description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network preventing them from issuing any controls. ",
"meta": {
"Procedure Examples": [
"Industroyer is able to block serial COM channels temporarily causing a denial of control."
],
"Tactic": [
"Impact"
],
"Technique ID": [
"T813"
],
"refs": [
"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
]
},
"uuid": "8d7682dc-e23b-4a53-bac7-ca92ad5d7772",
"value": "Denial of Control"
},
{
"description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through Control Device Identification. There are examples of adversaries remotely causing a Device Restart/Shutdown by exploiting a vulnerability that induces uncontrolled resource consumption. In the Maroochy attack, the adversary was able to shut an investigator out of the network.",
"meta": {
"Procedure Examples": [
"The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.",
"The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E",
"The execution on the PLC can be stopped by violating the cycle time limit. The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS."
],
"Tactic": [
"Inhibit Response Function"
],
"Technique ID": [
"T814"
],
"refs": [
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A",
"https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01",
"http://cwe.mitre.org/data/definitions/400.html",
"https://nvd.nist.gov/vuln/detail/CVE-2015-5374",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
]
},
"uuid": "5dc02bb0-3332-459b-a66e-148e152ee063",
"value": "Denial of Service"
},
{
"description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from viewing the state of the system.",
"meta": {
"Procedure Examples": [
"Industroyer is able to block serial COM channels temporarily causing a denial of view."
],
"Tactic": [
"Impact"
],
"Technique ID": [
"T815"
],
"refs": [
"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"
]
},
"uuid": "3840a392-0074-42ba-9303-d8bf18ce0048",
"value": "Denial of View"
},
{
"description": "Adversaries may gather information about the current operating state of a PLC. CPU operating modes are often controlled by a key switch on the PLC. Example states may be run, prog, stop, remote, and invalid. Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. ",
"meta": {
"Procedure Examples": [
"Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py."
],
"Tactic": [
"Collection"
],
"Technique ID": [
"T868"
],
"refs": [
]
},
"uuid": "b12d6ee9-db15-45de-a1d7-594803e53960",
"value": "Detect Operating Mode"
},
{
"description": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program. ",
"meta": {
"Procedure Examples": [
"Triton contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py."
],
"Tactic": [
"Collection"
],
"Technique ID": [
"T870"
],
"refs": [
"https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"
]
},
"uuid": "2afa4852-71bc-41c9-b524-643cddb3e7fa",
"value": "Detect Program State"
},
{
"description": "Adversaries may forcibly restart or shutdown a device in the ICS environment to disrupt and potentially cause adverse effects on the physical processes it helps to control. Methods of device restart and shutdown exist as built-in, standard functionalities. This can include interactive device web interfaces, CLIs, and network protocol commands, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing or firmware loading. Unexpected restart or shutdown of control system devices may contribute to impact, by preventing expected response functions from activating and being received in critical states. This can also be a sign of malicious device modification, as many updates require a shutdown in order to take effect. For example, DNP3's function code 0x0D can reset and reconfigure DNP3 outstations by forcing them to perform a complete power cycle. In the 2015 attack on the Ukrainian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries scheduled disconnects for the uninterruptible power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered.",
"meta": {
"Mitigations": [
"Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.",
"In general, it is unlikely devices in an ICS environment should experience frequent shutdowns. Therefore, monitor physical devices for unexpected state changes and the network for suspicious, related activity.",
"Whenever possible, intrusion detection systems, sensors, logs, and patch management should be done in real-time. These tools can provide tangible records of evidence and system integrity. Additionally, active log management utilities may actually flag an attack or event in progress and provide location and tracing information to help respond to the incident.",
"Applying strong password policies and enabling multi-factor authentication can add an additional barrier to device shutdown, in situations where only verified users have the shutdown capability.",
"Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Keep track of cables, to ensure that the ICS and IT environments remain separate and no interceptive, adversarial devices are installed. Cable exposure should be as minimal as possible, to reduce the likelihood of tampering.",
"Depending on security needs and risks, it might also be prudent to disable or physically protect power buttons to prevent unauthorized use."
],
"Procedure Examples": [
"The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E."
],
"Tactic": [
"Inhibit Response Function"
],
"Technique ID": [
"T816"
],
"refs": [
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "e3b4487b-d29f-4940-a02d-8c948374964b",
"value": "Device Restart/Shutdown"
},
{
"description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.",
"meta": {
"Procedure Examples": [
"ALLANITE leverages watering hole attacks to gain access into electric utilities.",
"Dragonfly 2.0 utilized watering hole attacks to gather credentials, by compromising websites that energy sector organizations might access.",
"Dragonfly used intermediate targets for watering hole attacks on an intended target. A line of code is injected into the header.php file; this is used to redirect the visitors to an adversary controlled IP.",
"OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks.",
"XENOTIME utilizes watering hole websites to target industrial employees.",
"Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure."
],
"Tactic": [
"Initial Access"
],
"Technique ID": [
"T817"
],
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA18-074A",
"https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk",
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
"https://www.us-cert.gov/ncas/alerts/TA17-293A",
"https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/",
"https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/",
"https://securelist.com/bad-rabbit-ransomware/82851/"
]
},
"uuid": "3eb64b2b-2710-446e-a30d-d49728d17350",
"value": "Drive-by Compromise"
},
{
"description": "Adversaries may compromise and gain control of an engineering workstation as an Initial Access technique into the control system environment. Access to an engineering workstation may occur as a result of remote access or by physical means, such as a person with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks, for example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to and control of other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.",
"meta": {
"Procedure Examples": [
"Stuxnet utilized an engineering workstation as the initial access point for PLC devices.",
"The Triton malware gained remote access to an SIS engineering workstation."
],
"Tactic": [
"Initial Access"
],
"Technique ID": [
"T818"
],
"refs": [
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
]
},
"uuid": "56fc2528-7ad9-4ff4-8a65-b7641822074e",
"value": "Engineering Workstation Compromise"
},
{
"description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software, such as Change Program State of a program on a PLC. ",
"meta": {
"Procedure Examples": [
"PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units.",
"Stuxnet utilizes the PLC communication and management API to load executable Program Organization Units.",
"Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes."
],
"Tactic": [
"Execution"
],
"Technique ID": [
"T871"
],
"refs": [
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf",
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"
]
},
"uuid": "66ff7ce5-3daf-4651-9157-b6df2009e1b6",
"value": "Execution through API"
},
{
"description": "Adversaries may attempt to exploit public-facing applications to leverage weaknesses on Internet-facing computer systems, programs, or assets in order to cause unintended or unexpected behavior. These public-facing applications may include user interfaces, software, data, or commands. In particular, a public-facing application in the IT environment may provide adversaries an interface into the OT environment. ICS-CERT analysis has identified the probable initial infection vector for systems running GE’s Cimplicity HMI with a direct connection to the Internet.",
"meta": {
"Tactic": [
"Initial Access"
],
"Technique ID": [
"T819"
],
"refs": [
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B"
]
},
"uuid": "fce2a3b6-4bf0-4f98-9287-8849f0ed08d0",
"value": "Exploit Public-Facing Application"
},
{
"description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. Adversaries may have prior knowledge through Control Device Identification about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious System Firmware. ",
"meta": {
"Procedure Examples": [
"Triton disables a firmware RAM/ROM consistency check, injects a payload (imain.bin) into the firmware memory region, and changes a jumptable entry to point to the added code. In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow adversary data to be copied anywhere within memory. Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration "
],
"Tactic": [
"Evasion"
],
"Technique ID": [
"T820"
],
"refs": [
"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf",
"https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02",
"https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s",
"https://nvd.nist.gov/vuln/detail/CVE-2018-8872",
"https://cwe.mitre.org/data/definitions/119.html",
"https://www.nrc.gov/docs/ML1209/ML120900890.pdf"
]
},
"uuid": "8b5ed78d-5902-4656-99a8-05f8733f56bd",
"value": "Exploitation for Evasion"
},
{
"description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. ICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (“wormable”) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts.",
"meta": {
"Procedure Examples": [
"Bad Rabbit initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.",
"NotPetya initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.",
"WannaCry initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks."
],
"Tactic": [
"Lateral Movement"
],
"Technique ID": [
"T866"
],
"refs": [
"https://attack.mitre.org/techniques/T1210/",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
]
},
"uuid": "c9324642-1af8-45d5-8b99-a8227e541f9d",
"value": "Exploitation of Remote Services"
},
{
"description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. In the Maroochy Attack, the adversary was able to gain remote computer access to the system over radio. The 2015 attack on the Ukrainian power grid showed the use of existing remote access tools within the environment to access the control system network. The adversary harvested worker credentials, some of them for VPNs the grid workers used to remotely log into the control system networks. The VPNs into these networks appear to have lacked two-factor authentication.",
"meta": {
"Mitigations": [
"Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.",
"Configure remote control software to use unique user names and passwords, strong authentication, encryption if determined appropriate, and audit logs. Use of this software by remote users should be monitored on an almost real-time frequency.",
"Enable console user actions to be traceable, either manually (e.g., control room sign in) or automatically (e.g., login at the application and/or OS layer). Protect and restrict access to the resulting logs.",
"In environments with a high risk of interception or intrusion, consider supplementing password authentication with other forms of authentication such as multi-factor authentication using biometric or physical tokens.",
"Secure and restrict access to the control room(s), which could be leveraged to set up an external remote service. Ensure VPNs, which are commonly used to provide secure access to ICS environments from untrusted networks, are properly configured.",
"Maintain awareness and observe use of External Remote Services with intrusion detection systems and solutions. Timely patch maintenance will assist with reducing the likelihood of Exploitation of Vulnerability for External Remote Service."
],
"Procedure Examples": [
"XENOTIME utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment.",
"Bad Rabbit can utilize exposed SMB services to access industrial networks.",
"NotPetya can utilize exposed SMB services to access industrial networks.",
"WannaCry can utilize exposed SMB services to access industrial networks."
],
"Tactic": [
"Lateral Movement, Initial Access"
],
"Technique ID": [
"T822"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1133",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/",
"https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
"https://dragos.com/blog/trisis/TRISIS-01.pdf",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "51aa0e11-3141-4c65-a6bf-2a434ff62e11",
"value": "External Remote Services"
},
{
"description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard. If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine. In the 2015 attack on the Ukrainian power grid, the adversary utilized the GUI of HMIs in the SCADA environment to open breakers.",
"meta": {
"Mitigations": [
"Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Physical control room or control systems access often implies also gaining logical access.",
"Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
"Authentication and strong passwords should be used to protect access to GUIs. Associated accounts and GUI sessions should be restricted to appropriate capabilities and actions.",
"Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.",
"Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting tools, like AppLocker and Software Restriction Policies where appropriate."
],
"Tactic": [
"Execution"
],
"Technique ID": [
"T823"
],
"refs": [
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
"uuid": "fe7af615-363e-4d57-89f3-b513e3d2ea30",
"value": "Graphical User Interface"
},
{
"description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for persistent means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process’s IAT, where pointers to imported API functions are stored.",
"meta": {
"Procedure Examples": [
"Stuxnet modifies the Import Address Tables of DLLs to hook specific APIs that are used to open project files."
],
"Tactic": [
"Persistence"
],
"Technique ID": [
"T874"
],
"refs": [
"https://attack.mitre.org/techniques/T1179/",
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
]
},
"uuid": "eb51ef09-1119-42e5-a54a-bae8da791160",
"value": "Hooking"
},
{
"description": "Adversaries may seek to capture process image values related to the inputs and outputs of a PLC. Within a PLC all input and output states are stored into an I/O image. This image is used by the user program instead of directly interacting with physical I/O.",
"meta": {
"Procedure Examples": [
"Stuxnet copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device."
],
"Tactic": [
"Collection"
],
"Technique ID": [
"T877"
],
"refs": [
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf",
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
]
},
"uuid": "a721f6e3-0b80-4eca-bbd1-43a6891ac8cd",
"value": "I/O Image"
},
{
"description": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that they can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.",
"meta": {
"Mitigations": [
"Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.",
"Ensure ICS and IT network cables are kept separate and that devices are locked up when possible.",
"Consider multi-factor authentication solutions, such as biometric or card-based tokens, to supplement traditional password-protection to access physical rooms."
],
"Procedure Examples": [
"Stuxnet enumerates and parses the System Data Blocks (SDB). Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland."
],
"Tactic": [
"Discovery"
],
"Technique ID": [
"T824"
],
"refs": [
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "10ea82ba-9f19-476a-8ec5-c653e0add46c",
"value": "I/O Module Discovery"
},
{
"description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.",
"meta": {
"Procedure Examples": [
"KillDisk deletes application, security, setup, and system event logs from Windows systems.",
"Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics."
],
"Tactic": [
"Evasion"
],
"Technique ID": [
"T872"
],
"refs": [
"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"
]
},
"uuid": "54e8db05-d233-48f4-9467-702f60bd53c0",
"value": "Indicator Removal on Host"
},
{
"description": "Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. Minimal protections provided by these devices such as password authentication may be targeted and compromised. In the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing.",
"meta": {
"Procedure Examples": [
"Sandworm actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet."
],
"Tactic": [
"Initial Access"
],
"Technique ID": [
"T833"
],
"refs": [
"https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf",
"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559",
"https://time.com/4270728/iran-cyber-attack-dam-fbi/",
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
"https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B"
]
},
"uuid": "a9251e7f-921e-40f3-9ad7-8ab3f38e3136",
"value": "Internet Accessible Device"
},
{
"description": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. An adversary's attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location when specific geographic identifiers cannot be determined from the system.",
"meta": {
"Mitigations": [
"Prior to wireless network installation, survey the area to determine the antenna location and strength that minimizes exposure of the network. An adversary is capable of extending the effective range of a wireless LAN with powerful directional antennas.",
"Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Physical control room or control systems access often implies also gaining logical access.",
"Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
"Ensure ICS and IT network cables are kept separate and that devices are locked up when possible. Protecting and securing cables reduces potential collateral damage and the likelihood of being tampered with.",
"Whenever possible, protect location information from outside eyes. Limit viewing of any stored data to those with the need to know and try to restrict data sending to encrypted channels."
],
"Procedure Examples": [
"The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The tag names, depending on the naming convention, can provide information about facilities and locations."
],
"Tactic": [
"Collection"
],
"Technique ID": [
"T825"
],
"refs": [
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
"https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01",
"https://www.f-secure.com/weblog/archives/00002718.html"
]
},
"uuid": "48aed709-3fcf-4d51-8316-c4dc6b90114f",
"value": "Location Identification"
},
{
"description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. Adversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.",
"meta": {
"Procedure Examples": [
"A Conficker infection at a nuclear power plant forced the facility to temporarily shut down."
],
"Tactic": [
"Impact"
],
"Technique ID": [
"T826"
],
"refs": [
"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
]
},
"uuid": "b997f861-a587-48d5-9070-a358b1b67ac6",
"value": "Loss of Availability"
},
{
"description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.",
"meta": {
"Procedure Examples": [
"Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable.",
"Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of control which forced the company to switch to manual operations."
],
"Tactic": [
"Impact"
],
"Technique ID": [
"T827"
],
"refs": [
"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
"https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"
]
},
"uuid": "0d1979d5-d62c-4836-b14a-46f5a6d68bca",
"value": "Loss of Control"
},
{
"description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. In some cases, this may result from the postponement and disruption of ICS operations and production as part of a remediation effort. Operations may be brought to a halt and effectively stopped in an effort to contain and properly remove malware or due to the Loss of Safety.",
"meta": {
"Procedure Examples": [
"Several transportation organizations in Ukraine have suffered from being infected by Bad Rabbit, resulting in some computers becoming encrypted, according to media reports.",
"A Conficker infection at a nuclear power plant forced the facility to shut down and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production.",
"While Norsk Hydro attempted to recover from a LockerGoga infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity.",
"NotPetya disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines.",
"An enterprise resource planning (ERP) manufacturing server was lost to the Ryuk attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open."
],
"Tactic": [
"Impact"
],
"Technique ID": [
"T828"
],
"refs": [
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml",
"https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
"https://www.hydro.com/en/media/on-the-agenda/cyber-attack/",
"https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war",
"https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760"
]
},
"uuid": "f2905196-e419-4740-bca9-0fc3af846bc0",
"value": "Loss of Productivity and Revenue"
},
{
"description": "Adversaries may cause loss of safety whether on purpose or as a consequence of actions taken to accomplish an operation. The loss of safety can describe a physical impact and threat, or the potential for unsafe conditions and activity in terms of control systems environments, devices, or processes. For instance, an adversary may issue commands to, influence, or inhibit safety mechanisms in ways that allow injury and possible loss of life. This can also encompass scenarios resulting in the failure of a safety mechanism or control that may lead to unsafe and dangerous execution and outcomes of physical processes and related systems. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report. These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact.",
"meta": {
"Procedure Examples": [
"Industroyer contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays.",
"Triton has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard."
],
"Tactic": [
"Impact"
],
"Technique ID": [
"T880"
],
"refs": [
"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
"https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3",
"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html",
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
]
},
"uuid": "4f46d0e0-91ee-4ab2-a5b7-168ee099b715",
"value": "Loss of Safety"
},
{
"description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves.",
"meta": {
"Procedure Examples": [
"Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable.",
"Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations."
],
"Tactic": [
"Impact"
],
"Technique ID": [
"T829"
],
"refs": [
"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",