T0843 Program Download
Adversaries may perform a program download to transfer a user program to a controller.
Variations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.
The granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space.
Modify Controller Tasking and Modify Program represent the configuration changes that are transferred to a controller via a program download.
| Item | Value |
|---|---|
| ID | T0843 |
| Sub-techniques | |
| Tactics | TA0109 |
| Platforms | Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1045 | INCONTROLLER | INCONTROLLER can use the CODESYS protocol to download programs to Schneider PLCs.67 |
| S1006 | PLC-Blaster | PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units. 4 |
| S0603 | Stuxnet | Stuxnet‘s infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. 5 |
| S1009 | Triton | Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. 3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0801 | Access Management | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| M0947 | Audit | Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. 2 |
| M0800 | Authorization Enforcement | All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. |
| M0945 | Code Signing | Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed. |
| M0802 | Communication Authenticity | Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| M0937 | Filter Network Traffic | Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations. |
| M0804 | Human User Authentication | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| M0807 | Network Allowlists | Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 1 |
| M0930 | Network Segmentation | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 1 |
| M0813 | Software Process and Device Authentication | Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0039 | Asset | Asset Inventory |
| DS0029 | Network Traffic | Network Traffic Content |
| DS0040 | Operational Databases | Device Alarm |
References
-
Department of Homeland Security 2016, September Retrieved. 2020/09/25 ↩↩
-
IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ↩
-
Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ↩
-
Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ↩
-
Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ↩
-
Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30. ↩
-
Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022. ↩