T0858 Change Operating Mode
Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
- Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. 2
- Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. Program Upload and Program Download are disabled while in this mode. 3 1 2 4
- Remote - Allows for remote changes to a PLCs operation mode. 4
- Stop - The PLC and program is stopped, while in this mode, outputs are forced off. 1
- Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. 1
- Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. 3
Item | Value |
---|---|
ID | T0858 |
Sub-techniques | |
Tactics | TA0104, TA0103 |
Platforms | Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay |
Version | 1.0 |
Created | 21 May 2020 |
Last Modified | 09 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S1045 | INCONTROLLER | INCONTROLLER can establish a remote HTTP connection to change the operating mode of Omron PLCs.78 |
S1006 | PLC-Blaster | PLC-Blaster stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. 6 |
S1009 | Triton | Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. 9 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0801 | Access Management | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
M0800 | Authorization Enforcement | All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes. |
M0802 | Communication Authenticity | Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
M0804 | Human User Authentication | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
M0807 | Network Allowlists | Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 5 |
M0930 | Network Segmentation | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 5 |
M0813 | Software Process and Device Authentication | Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0029 | Network Traffic | Network Traffic Content |
DS0040 | Operational Databases | Device Alarm |
References
-
Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ↩↩↩
-
N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ↩↩
-
Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ↩↩
-
PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ↩↩
-
Department of Homeland Security 2016, September Retrieved. 2020/09/25 ↩↩
-
Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ↩
-
DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022. ↩
-
Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30. ↩