T0848 Rogue Master
Adversaries may set up a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send well-formed, protocol-valid control messages to other control system devices, affecting processes in unintended ways; the outstation has no way to distinguish these from commands sent by the genuine master unless message authenticity is enforced. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection.
In the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal or using many distributed repeaters. [1][2]
Item | Value |
---|---|
ID | T0848 |
Sub-techniques | |
Tactics | TA0108 |
Platforms | Control Server, Engineering Workstation, Human-Machine Interface |
Version | 1.2 |
Created | 21 May 2020 |
Last Modified | 30 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
C0020 | Maroochy Water Breach | In the Maroochy Water Breach, the adversary falsified network addresses in order to send false data and instructions to pumping stations. [7] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0802 | Communication Authenticity | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
M0937 | Filter Network Traffic | Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages. |
M0807 | Network Allowlists | Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. [5] |
M0930 | Network Segmentation | Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of the most critical control and operational information within the control environment. [3][4][5][6] |
M0813 | Software Process and Device Authentication | Devices should authenticate all messages between master and outstation assets. |
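The following is an added example, not code from ATT&CK for ICS or from any vendor, of what M0802 and M0813 ask for: a bump-in-the-wire style wrapper that binds a sequence counter to each Modbus PDU and tags it with a truncated HMAC-SHA256 under a key shared between the real master and the outstation. The framing, the key, and the `Outstation` class are assumptions made for this example; the key is a constructed sample. A rogue master without the key cannot produce a valid tag, a captured legitimate frame cannot be replayed because the counter must advance, and a modified frame fails verification.

```python
import hashlib
import hmac
import struct

# Hypothetical bump-in-the-wire framing (an assumption for this example, not a
# standard): [4-byte sequence counter][Modbus PDU][16-byte truncated HMAC-SHA256].
TAG_LEN = 16


def write_single_register(unit_id, address, value):
    """Modbus PDU for function 0x06 (Write Single Register), prefixed by the unit id."""
    return struct.pack(">BBHH", unit_id, 0x06, address, value)


def authenticate(key, seq, pdu):
    """Master side: bind a monotonically increasing counter to the PDU and tag it."""
    body = struct.pack(">I", seq) + pdu
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Outstation:
    """Outstation side: accept a command only if the tag verifies and the counter advances."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1          # highest counter accepted so far (anti-replay)
        self.registers = {}

    def receive(self, frame):
        if len(frame) < 4 + TAG_LEN + 6:
            return "reject: truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare, and verify BEFORE parsing anything attacker-controlled.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return "reject: replay"
        self.last_seq = seq
        unit_id, fc, address, value = struct.unpack(">BBHH", body[4:10])
        if fc != 0x06:
            return "reject: unsupported function"
        self.registers[address] = value
        return "accepted"


def demo():
    """Run the rogue-master scenarios against one outstation; returns (outcomes, registers)."""
    site_key = b"constructed-site-key-provisioned-out-of-band"   # constructed sample key
    rogue_key = b"guess"                                         # rogue master has no key
    outstation = Outstation(site_key)
    outcomes = []

    # 1. Genuine master writes register 0x0010 := 500.
    legit = authenticate(site_key, 1, write_single_register(1, 0x0010, 500))
    outcomes.append(outstation.receive(legit))                   # accepted

    # 2. Rogue master forges the same command with a guessed key.
    forged = authenticate(rogue_key, 2, write_single_register(1, 0x0010, 9999))
    outcomes.append(outstation.receive(forged))                  # reject: bad tag

    # 3. Rogue master replays the captured genuine frame.
    outcomes.append(outstation.receive(legit))                   # reject: replay

    # 4. Rogue master alters the value field of the captured frame.
    tampered = bytearray(legit)
    tampered[9] ^= 0x01                                          # low byte of the value field
    outcomes.append(outstation.receive(bytes(tampered)))         # reject: bad tag

    return outcomes, dict(outstation.registers)


if __name__ == "__main__":
    print(demo())
```

Two practical points the mitigation text leaves implicit: the anti-replay counter must survive outstation reboots (or be re-synchronised over an authenticated exchange), otherwise a rogue master can replay the earliest captured frames; and the shared key must be provisioned out of band, since any in-band key distribution over the unauthenticated protocol is itself subject to the rogue master.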
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0039 | Asset | Asset Inventory |
DS0029 | Network Traffic | Network Traffic Content |
DS0040 | Operational Databases | Device Alarm |
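An added detection example, not part of the original page, that combines Network Traffic Content (DS0029) with the Asset Inventory (DS0039): decode Modbus/TCP frames, look up which master is authorized for the destination outstation, and raise a high-severity alert when a write or control function code arrives from any other host. Modbus/TCP was chosen as the protocol for illustration; the IP addresses, the inventory and the frames are constructed for this example.

```python
import struct
from dataclasses import dataclass

# Constructed asset inventory (DS0039): each outstation and its single authorized master.
AUTHORIZED_MASTER = {
    "10.0.20.11": "10.0.10.5",   # PLC-1 is polled and written only by the SCADA master
    "10.0.20.12": "10.0.10.5",   # PLC-2 likewise
}

# Modbus function codes that change process state; anything else is treated as a read.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class Alert:
    severity: str
    src: str
    dst: str
    detail: str


def parse_modbus_tcp(payload):
    """Return (unit_id, function_code, data) from a Modbus/TCP frame, or None if malformed.

    MBAP header: transaction id (2), protocol id (2, must be 0), length (2), unit id (1);
    the length field counts the unit id plus the PDU that follows it.
    """
    if len(payload) < 8:
        return None
    _tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def inspect(flows):
    """flows: iterable of (src_ip, dst_ip, tcp_payload). Returns the alerts raised."""
    alerts = []
    for src, dst, payload in flows:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            continue                       # not a well-formed request; out of scope here
        unit, fc, _data = parsed
        expected = AUTHORIZED_MASTER.get(dst)
        if expected is None or src == expected:
            continue                       # not an outstation we track, or the real master
        name = WRITE_FUNCTIONS.get(fc)
        if name:
            alerts.append(Alert("high", src, dst,
                                f"{name} (fc {fc}) to unit {unit} from non-authorized master"))
        else:
            alerts.append(Alert("low", src, dst,
                                f"fc {fc} to unit {unit} from non-authorized master"))
    return alerts


def mb(tid, unit, fc, data):
    """Build a Modbus/TCP frame for the constructed sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (src, dst, payload).
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.20.11", mb(1, 1, 3, struct.pack(">HH", 0, 10))),        # genuine read
    ("10.0.10.5", "10.0.20.11", mb(2, 1, 6, struct.pack(">HH", 0x10, 500))),    # genuine write
    ("10.0.10.99", "10.0.20.12", mb(7, 1, 6, struct.pack(">HH", 0x10, 9999))),  # rogue write
    ("10.0.10.99", "10.0.20.11", mb(8, 1, 3, struct.pack(">HH", 0, 10))),       # rogue read
    ("10.0.20.11", "10.0.10.5", mb(1, 1, 3, bytes([4, 0, 1, 0, 2]))),           # reply to master
    ("10.0.10.99", "10.0.20.11", b"\x00\x01\x00\x00"),                          # malformed
]


if __name__ == "__main__":
    for alert in inspect(SAMPLE_FLOWS):
        print(alert)
```

The inventory is what turns a generic "unexpected peer" signal into a rogue-master detection: without a per-outstation record of the authorized master, a second host issuing writes looks like ordinary traffic. Reads from an unknown host are kept at low severity rather than dropped, because reconnaissance of outstations commonly precedes the control messages.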
References
1. Bastille. (2017, April 17). Dallas Siren Attack. Retrieved 2020/11/06.
2. Zack Whittaker. (2017, April 12). Dallas' emergency sirens were hacked with a rogue radio signal. Retrieved 2020/11/06.
3. Karen Scarfone; Paul Hoffman. (2009, September). Guidelines on Firewalls and Firewall Policy. Retrieved 2020/09/25.
4. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved 2018/03/28.
5. Department of Homeland Security. (2016, September). Retrieved 2020/09/25.
6. Dwight Anderson. (2014). Protect Critical Infrastructure Systems With Whitelisting. Retrieved 2020/09/25.
7. Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study: Maroochy Water Services, Australia. Retrieved 2018/03/27.