T0804 Block Reporting Message
Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.
Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. 1 2
| Item | Value |
|---|---|
| ID | T0804 |
| Sub-techniques | |
| Tactics | TA0107 |
| Platforms | Device Configuration/Parameters, Field Controller/RTU/PLC/IED, Input/Output Server |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 19 September 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0604 | Industroyer | Industroyer uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. 3 |
| G0034 | Sandworm Team | In the Ukraine 2015 Incident, Sandworm Team blocked reporting messages by using malicious firmware to render communication devices inoperable. 2 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0807 | Network Allowlists | Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support. |
| M0810 | Out-of-Band Communications Channel | Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data. |
| M0814 | Static Network Configuration | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0029 | Network Traffic | Network Traffic Flow |
| DS0040 | Operational Databases | Process History/Live Data |
| DS0009 | Process | Process Termination |
References
-
Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ↩
-
Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ↩↩
-
Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ↩