T0836 Modify Parameter
Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.
An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause Impact to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.
| Item | Value |
|---|---|
| ID | T0836 |
| Sub-techniques | |
| Tactics | TA0106 |
| Platforms | None |
| Version | 1.3 |
| Created | 21 May 2020 |
| Last Modified | 16 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1165 | FrostyGoop | FrostyGoop allows for the modification of system settings by reading and writing to registers via Modbus commands.23 |
| C0041 | FrostyGoop Incident | In FrostyGoop Incident, the adversary caused the victim controllers to report incorrect measurements by modifying parameters.2 |
| S1045 | INCONTROLLER | INCONTROLLER can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCat connected servo drives.4 |
| S1072 | Industroyer2 | Industroyer2 modifies specified Information Object Addresses (IOAs) for specified Application Service Data Unit (ASDU) addresses to either the ON or OFF state.67 |
| C0020 | Maroochy Water Breach | In the Maroochy Water Breach, the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.8 |
| S0603 | Stuxnet | In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device. 5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0947 | Audit | Provide the ability to verify the integrity and authenticity of changes to parameter values. |
| M0800 | Authorization Enforcement | All field controllers should restrict the modification of parameter values to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. They should also restrict online edits and enable write protection for parameters. |
| M0804 | Human User Authentication | All field controllers should require that user authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| M0818 | Validate Program Inputs | Devices and programs should validate the content of any remote parameter changes, including those from HMIs, control servers, or engineering workstations.1 |
References
-
PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023. ↩
-
Mark Graham, Carolyn Ahlers, Kyle O’Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024. ↩↩
-
Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024. ↩
-
Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30. ↩
-
Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. ↩
-
Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023. ↩
-
Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023. ↩
-
Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ↩