T0845 Program Upload
Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.
Item | Value |
---|---|
ID | T0845 |
Sub-techniques | |
Tactics | TA0100 |
Platforms | Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay |
Version | 1.0 |
Created | 21 May 2020 |
Last Modified | 09 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S1045 | INCONTROLLER | INCONTROLLER can use the CODESYS protocol to upload programs from Schneider PLCs. [3][4] |
S1009 | Triton | Triton calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes performing a program upload. [2] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0801 | Access Management | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
M0800 | Authorization Enforcement | All field controllers should restrict program uploads to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. |
M0802 | Communication Authenticity | Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
M0937 | Filter Network Traffic | Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations. |
M0804 | Human User Authentication | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
M0807 | Network Allowlists | Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. [1] |
M0930 | Network Segmentation | Segment operational networks and systems to restrict access to critical system functions to predetermined management systems. [1] |
M0813 | Software Process and Device Authentication | Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0029 | Network Traffic | Network Traffic Content |
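As an added example that is not part of the ATT&CK page: a small Python detector that applies the network-allowlist idea from M0807 (and the authenticated-user requirement from M0804) to program-upload events of the kind the Network Traffic Content and Application Log Content data sources would expose. The log schema, field names, addresses, user names and action names are all constructed for this example; real engineering software and ICS network monitors use their own formats, so the parser and the action set would need to be adapted to the product in use.

```python
"""Flag controller program-upload events from hosts outside the
engineering-workstation allowlist or without an authenticated user.
Added example, not code from the ATT&CK page; the log format, addresses
and action names below are constructed for illustration."""
import json
from ipaddress import ip_address, ip_network

# Constructed allowlist of engineering workstations / master stations (M0807).
ALLOWED_SOURCES = [ip_network("10.10.5.0/28")]  # hypothetical engineering VLAN

# Constructed event names that represent reading logic/programs from a controller.
UPLOAD_ACTIONS = {"program_upload", "logic_read"}

# Constructed sample records, one JSON object per observed management session.
SAMPLE_LOG = """\
{"ts":"2023-03-09T08:12:04Z","src":"10.10.5.3","dst":"10.20.1.15","proto":"vendor_mgmt","action":"program_upload","user":"eng01"}
{"ts":"2023-03-09T08:14:31Z","src":"10.10.5.4","dst":"10.20.1.15","proto":"vendor_mgmt","action":"status_poll","user":"eng02"}
{"ts":"2023-03-09T23:41:10Z","src":"10.30.7.22","dst":"10.20.1.15","proto":"vendor_mgmt","action":"program_upload","user":""}
{"ts":"2023-03-09T23:42:55Z","src":"10.30.7.22","dst":"10.20.1.16","proto":"vendor_mgmt","action":"logic_read","user":""}
"""


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_allowed_source(src):
    """True if the source address falls inside an allowlisted network."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_suspicious_uploads(records):
    """Return upload/read events that violate the allowlist or lack a user.

    Each finding carries the reasons so an analyst can see which control
    (network allowlist, user authentication) the event fell outside of.
    """
    findings = []
    for rec in records:
        if rec["action"] not in UPLOAD_ACTIONS:
            continue
        reasons = []
        if not is_allowed_source(rec["src"]):
            reasons.append("source not on engineering allowlist")
        if not rec.get("user"):
            reasons.append("no authenticated user (see M0804)")
        if reasons:
            findings.append({
                "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                "action": rec["action"], "reasons": reasons,
            })
    return findings


def summarize_by_source(findings):
    """Count flagged events per source host; one host reading logic from
    many controllers in a short window is a pattern worth escalating."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious_uploads(parse_records(SAMPLE_LOG))
    for h in hits:
        print(h)
    print(summarize_by_source(hits))
```

On the constructed input, the daytime upload from an allowlisted workstation by an authenticated engineer passes, while the two late-night reads from an address outside the engineering range with no user are flagged and grouped under one source host. In practice the allowlist should be derived from the same inventory that feeds the host-based allowlists on the controllers themselves, so the detector and the preventive control do not drift apart.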
References
- Department of Homeland Security. (2016, September). Retrieved 2020/09/25.
- Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.
- Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.