M0930 Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. 1 2
Item | Value |
---|---|
ID | M0930 |
Version | 1.0 |
Created | 10 June 2019 |
Last Modified | 30 March 2023 |
Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
Domain | ID | Name | Use |
---|---|---|---|
ics | T0800 | Activate Firmware Update Mode | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 3 |
ics | T0830 | Adversary-in-the-Middle | Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity. |
ics | T0878 | Alarm Suppression | Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 4 5 3 6 |
ics | T0802 | Automated Collection | Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC). |
ics | T0805 | Block Serial COM | Restrict unauthorized devices from accessing serial comm ports. |
ics | T0806 | Brute Force I/O | Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 4 5 3 6 |
ics | T0858 | Change Operating Mode | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 3 |
ics | T0885 | Commonly Used Port | Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment. |
ics | T0868 | Detect Operating Mode | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 3 |
ics | T0816 | Device Restart/Shutdown | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 3 |
ics | T0819 | Exploit Public-Facing Application | Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure. |
ics | T0866 | Exploitation of Remote Services | Segment networks and systems appropriately to reduce access to critical system and services communications. |
ics | T0822 | External Remote Services | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. 5 |
ics | T0883 | Internet Accessible Device | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Steps should be taken to periodically inventory internet accessible devices to determine if it differs from the expected. |
ics | T0838 | Modify Alarm Settings | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 3 8 |
ics | T0839 | Module Firmware | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 3 |
ics | T0842 | Network Sniffing | Segment networks and systems appropriately to reduce access to critical system and services communications. |
ics | T0861 | Point & Tag Identification | Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 4 5 3 6 |
ics | T0843 | Program Download | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 3 |
ics | T0845 | Program Upload | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 3 |
ics | T0886 | Remote Services | Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. 7 |
ics | T0848 | Rogue Master | Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 4 5 3 6 |
ics | T0881 | Service Stop | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 3 |
ics | T0856 | Spoof Reporting Message | Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 4 5 3 6 |
ics | T0869 | Standard Application Layer Protocol | Ensure proper network segmentation between higher level corporate resources and the control process environment. |
ics | T0857 | System Firmware | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 3 |
ics | T0864 | Transient Cyber Asset | Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. 7 |
ics | T0855 | Unauthorized Command Message | Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 4 5 3 6 |
References
-
IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ↩
-
IEC 2013, August Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels Retrieved. 2020/09/25 ↩
-
Department of Homeland Security 2016, September Retrieved. 2020/09/25 ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ↩↩↩↩↩↩
-
Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ↩↩↩↩↩↩↩
-
Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ↩↩↩↩↩↩
-
North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ↩↩
-
N/A Department of Homeland Security 2016, September Retrieved. 2020/09/25 Alarm Management for Process Control Retrieved. 2020/09/25 ↩