T0801 Monitor Process State
Adversaries may gather information about the physical process state. This information may be used to learn more about the process itself or used as a trigger for malicious actions. The sources of process state information may vary, such as OPC tags, historian data, specific PLC block information, or network traffic.
| Item | Value |
|---|---|
| ID | T0801 |
| Sub-techniques | |
| Tactics | TA0100 |
| Platforms | Control Server, Data Historian, Field Controller/RTU/PLC/IED, Human-Machine Interface, Safety Instrumented System/Protection Relay |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0604 | Industroyer | Industroyer's OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. [1] |
| S1072 | Industroyer2 | Industroyer2 uses a General Interrogation command to monitor the device's Information Object Addresses (IOAs) and their IO state values. [2] |
| S0603 | Stuxnet | Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. [3] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0816 | Mitigation Limited or Not Effective | This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0029 | Network Traffic | Network Traffic Content |
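As an added illustration of the Network Traffic Content detection source (example code written for this page, not code from ATT&CK or from any of the listed malware analyses), the following Python parses IEC 60870-5-104 I-format APDUs and flags General Interrogation or read commands, the kind of polling Industroyer2 issues, when they originate from a host that is not an allow-listed master station. The host addresses, the allow-list and the sample APDUs are constructed.

```python
# Minimal IEC 60870-5-104 poll detector. Sample traffic and addresses below
# are constructed for illustration; wire this to a pcap reader in practice.
import struct

START, I_FORMAT = 0x68, 0x00
# Type identifiers for interrogation-style commands that read process state
POLLING_TYPES = {100: "C_IC_NA_1 (General Interrogation)", 102: "C_RD_NA_1 (Read command)"}
COT_ACTIVATION = 6  # cause of transmission: activation (command issued)

def parse_i_frame(apdu: bytes):
    """Return (type_id, cot, common_addr, ioa) for an I-format APDU, else None."""
    if len(apdu) < 12 or apdu[0] != START or apdu[1] != len(apdu) - 2:
        return None
    if apdu[2] & 0x01 != I_FORMAT:  # bit 0 of control field 1 is 0 for I-frames
        return None
    # ASDU header: type id, variable structure qualifier, COT, originator, common address
    type_id, _vsq, cot, _orig, ca = struct.unpack("<BBBBH", apdu[6:12])
    ioa = int.from_bytes(apdu[12:15], "little") if len(apdu) >= 15 else None
    return type_id, cot & 0x3F, ca, ioa  # low 6 bits carry the cause

def flag_interrogations(packets, allowed_masters):
    """packets: iterable of (src_ip, apdu bytes). Returns alert strings for
    state-polling commands activated by hosts outside the allow-list."""
    alerts = []
    for src, apdu in packets:
        parsed = parse_i_frame(apdu)
        if parsed is None:
            continue
        type_id, cot, ca, ioa = parsed
        if type_id in POLLING_TYPES and cot == COT_ACTIVATION and src not in allowed_masters:
            alerts.append(f"{src}: {POLLING_TYPES[type_id]} to CA {ca}, IOA {ioa}")
    return alerts

def build_i_frame(type_id, cot, ca, ioa, payload=b"", send_seq=0, recv_seq=0):
    """Build a constructed I-format APDU (sample data generator only)."""
    asdu = struct.pack("<BBBBH", type_id, 1, cot, 0, ca) + ioa.to_bytes(3, "little") + payload
    apci = struct.pack("<HH", send_seq << 1, recv_seq << 1)  # sequence numbers, LSB 0 = I-frame
    return bytes([START, len(apci) + len(asdu)]) + apci + asdu

# Constructed sample traffic: a GI from the known master, a GI from an unknown
# host, and a single-point report (M_SP_NA_1) that is a reply, not a poll.
SAMPLE = [
    ("10.0.0.5", build_i_frame(100, 6, 1, 0, bytes([20]))),    # GI, QOI=20, from the master
    ("10.0.0.99", build_i_frame(100, 6, 1, 0, bytes([20]))),   # GI from an unexpected source
    ("10.0.0.99", build_i_frame(1, 20, 1, 4001, bytes([1]))),  # interrogated reply, ignored
]

if __name__ == "__main__":
    for line in flag_interrogations(SAMPLE, {"10.0.0.5"}):
        print(line)
```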
References
1. Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
2. Forescout. (2022, July 14). Industroyer2 and INCONTROLLER: In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.
3. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.