T0806 Brute Force I/O
Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary’s goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.
Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.
| Item | Value |
|---|---|
| ID | T0806 |
| Sub-techniques | |
| Tactics | TA0106 |
| Platforms | Control Server, Field Controller/RTU/PLC/IED |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 29 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0604 | Industroyer | The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. [5] |
| S1072 | Industroyer2 | Industroyer2 can iterate across a device's IOAs to modify the ON/OFF value of a given IO state. [6][7] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0937 | Filter Network Traffic | Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period. |
| M0807 | Network Allowlists | Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support. |
| M0930 | Network Segmentation | Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of the more critical control and operational information within the control environment. [1][2][3][4] |
| M0813 | Software Process and Device Authentication | Devices should authenticate all messages between master and outstation assets. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0029 | Network Traffic | Network Traffic Content |
| DS0040 | Operational Databases | Process History/Live Data |
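As an added example (not part of the ATT&CK page, and not code from any of the tools it references), the script below runs a sliding-window check over I/O write events of the kind that Application Log Content, Network Traffic Content or a process historian would yield. It flags both patterns named in the technique description: a single point rewritten repeatedly within a short window, and one source writing to many distinct points in succession (a range sweep). The log line format, field names, hosts, thresholds and all sample events are constructed assumptions; real deployments would substitute their own parser and tune the window and counts to the process.

```python
"""Sliding-window detection of Brute Force I/O patterns in I/O write logs.

Added example, not from the ATT&CK page. The log format, field names,
thresholds and sample data are constructed assumptions: events are assumed
to have been extracted already (from application logs, protocol captures or
a historian) into one line per commanded write.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Constructed line format: "<iso timestamp> src=<host> op=write ioa=<n> val=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) op=write ioa=(?P<ioa>\d+) val=(?P<val>\d+)$"
)


class IOWrite(NamedTuple):
    ts: float   # seconds since epoch (UTC)
    src: str    # host issuing the command
    ioa: int    # I/O point address
    val: int    # commanded value


class Alert(NamedTuple):
    ts: float
    src: str
    kind: str   # "single_point_toggle" or "range_sweep"
    detail: str


def parse_lines(lines: Iterable[str]) -> List[IOWrite]:
    """Parse the constructed log format; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc).timestamp()
        out.append(IOWrite(ts, m["src"], int(m["ioa"]), int(m["val"])))
    return out


class BruteForceIODetector:
    """Flags (a) one point rewritten many times and (b) one source writing to
    many distinct points, each counted within a sliding time window."""

    def __init__(self, window_s=10.0, max_writes_per_point=6, max_points_per_src=20):
        self.window_s = window_s
        self.max_writes_per_point = max_writes_per_point
        self.max_points_per_src = max_points_per_src
        self._point_hist: Dict[Tuple[str, int], deque] = defaultdict(deque)
        self._src_hist: Dict[str, deque] = defaultdict(deque)

    def _expire(self, dq: deque, now: float) -> None:
        # entries are (ts, payload); drop those that fell out of the window
        while dq and now - dq[0][0] > self.window_s:
            dq.popleft()

    def observe(self, ev: IOWrite) -> List[Alert]:
        alerts = []
        ph = self._point_hist[(ev.src, ev.ioa)]
        self._expire(ph, ev.ts)
        ph.append((ev.ts, ev.val))
        if len(ph) >= self.max_writes_per_point:
            alerts.append(Alert(ev.ts, ev.src, "single_point_toggle",
                                f"ioa={ev.ioa} written {len(ph)}x in {self.window_s}s"))
            ph.clear()  # one alert per burst rather than one per write
        sh = self._src_hist[ev.src]
        self._expire(sh, ev.ts)
        sh.append((ev.ts, ev.ioa))
        distinct = {ioa for _, ioa in sh}
        if len(distinct) >= self.max_points_per_src:
            alerts.append(Alert(ev.ts, ev.src, "range_sweep",
                                f"{len(distinct)} distinct IOAs in {self.window_s}s"))
            sh.clear()
        return alerts


def scan(events: Iterable[IOWrite], **thresholds) -> List[Alert]:
    """Replay events in time order through a fresh detector and collect alerts."""
    det = BruteForceIODetector(**thresholds)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts.extend(det.observe(ev))
    return alerts


def _sample_log() -> List[str]:
    """Constructed log: a benign operator, a range sweep, and a single-point toggle."""
    t0 = datetime(2023, 3, 29, 10, 0, 0)

    def line(offset_s, src, ioa, val):
        stamp = (t0 + timedelta(seconds=offset_s)).isoformat()
        return f"{stamp} src={src} op=write ioa={ioa} val={val}"

    lines = [line(0, "10.0.0.5", 100, 1), line(120, "10.0.0.5", 101, 0), line(240, "10.0.0.5", 100, 0)]
    lines += [line(300 + 0.1 * i, "10.0.0.66", i + 1, 1) for i in range(30)]   # sweep IOAs 1..30
    lines += [line(400 + 0.5 * k, "10.0.0.77", 500, k % 2) for k in range(12)]  # toggle one IOA
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for a in scan(parse_lines(SAMPLE_LOG)):
        print(datetime.fromtimestamp(a.ts, timezone.utc).isoformat(), a.src, a.kind, a.detail)
```

The two counters are deliberately separate: a range sweep touches each point only once, so a per-point threshold never sees it, while a single-point toggle never broadens the set of distinct points, so a per-source distinct-point threshold never sees it. Clearing a history after an alert turns a sustained burst into one alert per window rather than one per write, which matters when the loop runs indefinitely, as the Industroyer range mode described above does.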
References
- [1] Karen Scarfone; Paul Hoffman. (2009, September). Guidelines on Firewalls and Firewall Policy. Retrieved 2020/09/25.
- [2] Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved 2018/03/28.
- [3] Department of Homeland Security. (2016, September). Retrieved 2020/09/25.
- [4] Dwight Anderson. (2014). Protect Critical Infrastructure Systems With Whitelisting. Retrieved 2020/09/25.
- [5] Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved 2017/09/15.
- [6] Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved 2023/03/30.
- [7] Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved 2023/03/30.