Skip to content

T0814 Denial of Service

Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment.

Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. 2

Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition.

Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through Remote System Information Discovery. There are examples of adversaries remotely causing a Device Restart/Shutdown by exploiting a vulnerability that induces uncontrolled resource consumption. 3 1 4

Item Value
ID T0814
Sub-techniques
Tactics TA0107
Platforms None
Version 1.1
Created 21 May 2020
Last Modified 15 April 2025

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack During the 2015 Ukraine Electric Power Attack, power company phone line operators were hit with a denial of service attack so that they couldn’t field customers’ calls about outages. Operators were also denied service to their downstream devices when their serial-to-ethernet converters had their firmware overwritten, which bricked the devices. 13
S0093 Backdoor.Oldrea The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. 3
S1157 Fuxnet Fuxnet shut down remote access services such as SSH, HTTP, telnet, and SNMP to a device along with deleting the routing table for routing devices to inhibit system accessibility and communication.7
S0604 Industroyer The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. 5 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E. 5
S1006 PLC-Blaster The execution on the PLC can be stopped by violating the cycle time limit. The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS. 6
C0031 Unitronics Defacement Campaign During the Unitronics Defacement Campaign, the CyberAv3ngers defaced controllers’ Human-Machine Interface (HMI), which prevented multiple entities from being able to operate their devices normally.891110 Additionally, the CyberAv3ngers caused a communications failure in a remote pumping station.12

Mitigations

ID Mitigation Description
M0815 Watchdog Timers System and process restarts should be performed when a timeout condition occurs.

References

  1. Common Weakness Enumeration 2019, January 03 CWE-400: Uncontrolled Resource Consumption Retrieved. 2019/03/14  

  2. ICS-CERT 2017, April 18 CS Alert (ICS-ALERT-17-102-01A) BrickerBot Permanent Denial-of-Service Attack Retrieved. 2019/10/24  

  3. ICS-CERT 2018, August 27 Advisory (ICSA-15-202-01) - Siemens SIPROTEC Denial-of-Service Vulnerability Retrieved. 2019/03/14  

  4. MITRE 2018, March 22 CVE-2015-5374 Retrieved. 2019/03/14  

  5. Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15  

  6. Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19  

  7. Team82. (2024, April 12). Unpacking the Blackjack Group’s Fuxnet Malware. Retrieved September 11, 2024. 

  8. DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024. 

  9. DHS/CISA. (2023, November 28). Exploitation of Unitronics PLCs used in Water and Wastewater Systems. Retrieved March 25, 2024. 

  10. Frank Bajak and Marc Levy. (2023, December 2). Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say. Retrieved March 25, 2024. 

  11. Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024. 

  12. WPXI. (2023, November 27). Officials investigating cyberattack on Municipal Water Authority of Aliquippa. Retrieved March 25, 2024. 

  13. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.