T0816 Device Restart/Shutdown
Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.
Unexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.
A device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.
| Item | Value |
|---|---|
| ID | T0816 |
| Sub-techniques | |
| Tactics | TA0107 |
| Platforms | Field Controller/RTU/PLC/IED |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 26 September 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0604 | Industroyer | The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. 2 |
| G0034 | Sandworm Team | In the 2015 attack on the Ukrainian power grid, the Sandworm Team scheduled disconnects of uninterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered. 3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0801 | Access Management | All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| M0800 | Authorization Enforcement | All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. |
| M0802 | Communication Authenticity | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| M0942 | Disable or Remove Feature or Program | Ensure remote commands that enable device shutdown are disabled if they are not necessary. Examples include DNP3’s 0x0D function code or unnecessary device management functions. |
| M0937 | Filter Network Traffic | Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3’s 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374). |
| M0804 | Human User Authentication | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| M0807 | Network Allowlists | Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 1 |
| M0930 | Network Segmentation | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 1 |
| M0813 | Software Process and Device Authentication | Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0029 | Network Traffic | Network Traffic Content |
| DS0040 | Operational Databases | Device Alarm |
References
-
Department of Homeland Security 2016, September Retrieved. 2020/09/25 ↩↩
-
Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ↩
-
Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ↩