
M0801 Access Management

Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. [1] These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. [2]

| Item | Value |
|---|---|
| ID | M0801 |
| Version | 1.0 |
| Created | 11 September 2020 |
| Last Modified | 30 March 2023 |

Techniques Addressed by Mitigation

| Domain | ID | Name | Use |
|---|---|---|---|
| ics | T0800 | Activate Firmware Update Mode | All device or system changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| ics | T0858 | Change Operating Mode | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ics | T0812 | Default Credentials | Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access. |
| ics | T0868 | Detect Operating Mode | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ics | T0816 | Device Restart/Shutdown | All device or system changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| ics | T0871 | Execution through API | Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. [1] These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. |
| ics | T0891 | Hardcoded Credentials | Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access. |
| ics | T0838 | Modify Alarm Settings | All device or system changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| ics | T0839 | Module Firmware | All device or system changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| ics | T0861 | Point & Tag Identification | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ics | T0843 | Program Download | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ics | T0845 | Program Upload | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ics | T0886 | Remote Services | Access Management technologies can help enforce authentication on critical remote services. Examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC). |
| ics | T0857 | System Firmware | All device or system changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| ics | T0859 | Valid Accounts | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |

References