T0815 Denial of View
Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. 1 2 3
An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment’s data and processes may still be operational, but functioning in an unintended or adversarial manner.
| Item | Value |
|---|---|
| ID | T0815 |
| Sub-techniques | |
| Tactics | TA0105 |
| Platforms | None |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 30 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0604 | Industroyer | Industroyer is able to block serial COM channels temporarily causing a denial of view. 7 |
| C0020 | Maroochy Water Breach | In the Maroochy Water Breach, the adversary temporarily shut an investigator out of the network, preventing them from viewing the state of the system.8 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0953 | Data Backup | Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans 4, including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability. |
| M0810 | Out-of-Band Communications Channel | Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage 6. Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data. |
| M0811 | Redundancy of Service | Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. 5 |
References
-
Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ↩
-
Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ↩
-
Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ↩
-
Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ↩
-
M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ↩
-
National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ↩
-
Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ↩
-
Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ↩