T0832 Manipulation of View
Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. [1][2][3]
Operators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.
| Item | Value |
|---|---|
| ID | T0832 |
| Sub-techniques | |
| Tactics | TA0105 |
| Platforms | Engineering Workstation, Field Controller/RTU/PLC/IED, Human-Machine Interface |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0604 | Industroyer | Industroyer's OPC module can brute force values and will send out a 0x01 status, which for the target systems equates to a Primary Variable Out of Limits, misdirecting operators from understanding protective relay status. [5] |
| S0603 | Stuxnet | Stuxnet manipulates the view of operators by replaying process input and manipulating the I/O image to evade detection and inhibit protection functions. [7][6] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0802 | Communication Authenticity | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| M0953 | Data Backup | Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans [4], including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability. |
| M0810 | Out-of-Band Communications Channel | Utilize out-of-band communication to validate the integrity of data from the primary channel. |
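As an added illustration of M0802 and M0810 (this is example code written for this page, not MITRE's and not from any vendor product), the Python below shows a controller attaching an HMAC-SHA256 tag and a sequence number to each process-value report, an HMI-side verifier that rejects reports whose value was altered in transit or that are replays of an older report, and a simple out-of-band cross-check that compares the primary-channel value with an independent reading. The shared key, tag name `PT-101`, values, sequence numbers and tolerance are all constructed for the example; a real deployment would provision per-device keys from a key store and use the protocol's own authentication where it exists.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key for the example; a real deployment provisions
# per-device keys from a key store rather than a literal in source.
SHARED_KEY = b"example-only-shared-key"


def build_report(tag, value, seq, key=SHARED_KEY):
    """Controller side: emit a process-value report with an HMAC-SHA256 tag.

    The MAC covers the tag name, the value and a sequence number, so a
    changed value or a re-sent old report cannot pass verification."""
    payload = json.dumps({"tag": tag, "value": value, "seq": seq}, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_report(report, last_seq, key=SHARED_KEY):
    """HMI side: return (ok, reason, record).

    reason is 'ok', 'bad_mac' (payload altered or wrong key) or 'replay'
    (sequence number not newer than the last accepted one)."""
    expected = hmac.new(key, report["payload"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; MACs are never compared with ==.
    if not hmac.compare_digest(expected, report["mac"]):
        return False, "bad_mac", None
    record = json.loads(report["payload"])
    if record["seq"] <= last_seq:
        return False, "replay", record
    return True, "ok", record


def screen_reports(reports, key=SHARED_KEY):
    """Verify a stream of reports in arrival order, tracking the last
    accepted sequence number. Returns the reason string for each report."""
    last_seq = 0
    reasons = []
    for report in reports:
        ok, reason, record = verify_report(report, last_seq, key)
        if ok:
            last_seq = record["seq"]
        reasons.append(reason)
    return reasons


def cross_check(primary_value, oob_value, tolerance):
    """Out-of-band validation (M0810): accept the primary-channel value only
    if an independent reading, e.g. from a separate sensor path, agrees
    within the given tolerance."""
    return abs(primary_value - oob_value) <= tolerance


def demo_stream():
    """Constructed stream: two genuine reports, one whose value was altered
    after signing, one replay of an old report, then a genuine report."""
    r1 = build_report("PT-101", 42.5, 1)
    r2 = build_report("PT-101", 42.6, 2)
    tampered = {"payload": r2["payload"].replace("42.6", "10.0"), "mac": r2["mac"]}
    replayed = dict(r1)
    r3 = build_report("PT-101", 42.4, 3)
    return screen_reports([r1, r2, tampered, replayed, r3])


if __name__ == "__main__":
    print(demo_stream())  # ['ok', 'ok', 'bad_mac', 'replay', 'ok']
    print(cross_check(42.5, 42.7, tolerance=0.5))  # True
    print(cross_check(42.5, 60.0, tolerance=0.5))  # False
```

The HMAC detects modification of what the controller actually sent; it does not help when the controller itself, or the I/O image it reads, has been compromised as in the Stuxnet procedure example, which is why an independent out-of-band reading (M0810) is listed as a separate mitigation rather than a substitute.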
References
1. Corero. Industrial Control System (ICS) Security. Retrieved 2019/11/04.
2. Michael J. Assante and Robert M. Lee. The Industrial Control System Cyber Kill Chain. Retrieved 2019/11/04.
3. Tyson Macaulay. RIoT Control: Understanding and Managing Risks and the Internet of Things. Retrieved 2019/11/04.
4. Department of Homeland Security. (2009, October). Developing an Industrial Control Systems Cybersecurity Incident Response Capability. Retrieved 2020/09/17.
5. Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved 2017/09/15.
6. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved 2017/09/22.
7. Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.