M0800 Authorization Enforcement
The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector 1, while IEEE 1686 defines standard permissions for users of IEDs. 2
| Item | Value |
|---|---|
| ID | M0800 |
| Version | 1.0 |
| Created | 11 September 2020 |
| Last Modified | 30 March 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| ics | T0800 | Activate Firmware Update Mode | Restrict configurations changes and firmware updating abilities to only authorized individuals. |
| ics | T0858 | Change Operating Mode | All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes. |
| ics | T0868 | Detect Operating Mode | All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. |
| ics | T0816 | Device Restart/Shutdown | All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. |
| ics | T0871 | Execution through API | All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user’s access to only required API calls. 3 |
| ics | T0838 | Modify Alarm Settings | Only authorized personnel should be able to change settings for alarms. |
| ics | T0836 | Modify Parameter | All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. |
| ics | T0861 | Point & Tag Identification | Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information. |
| ics | T0843 | Program Download | All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. |
| ics | T0845 | Program Upload | All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. |
| ics | T0886 | Remote Services | Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are giving prioritization over remote sessions and have the authority to regain control over a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs. |
References
-
International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 2020/09/17 ↩
-
Institute of Electrical and Electronics Engineers 2014, January 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities Retrieved. 2020/09/17 ↩
-
MITRE 2020, June CWE CATEGORY: 7PK - API Abuse Retrieved. 2020/09/25 ↩