T0861 Point & Tag Identification
Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. 1 Tags are the identifiers given to points for operator convenience.
Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.
| Item | Value |
|---|---|
| ID | T0861 |
| Sub-techniques | |
| Tactics | TA0100 |
| Platforms | Control Server, Data Historian, Human-Machine Interface |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0093 | Backdoor.Oldrea | The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. 7 6 |
| S1045 | INCONTROLLER | INCONTROLLER can remotely read the OCP UA structure from devices.8 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0801 | Access Management | Authenticate all access to field controllers before authorizing access to, or modification of, a device’s state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| M0800 | Authorization Enforcement | Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information. |
| M0802 | Communication Authenticity | Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs). |
| M0937 | Filter Network Traffic | Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages. |
| M0804 | Human User Authentication | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| M0807 | Network Allowlists | Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 2 |
| M0930 | Network Segmentation | Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 3 4 2 5 |
| M0813 | Software Process and Device Authentication | Devices should authenticate all messages between master and outstation assets. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0029 | Network Traffic | Network Traffic Content |
References
-
Dennis L. Sloatman 2016, September 16 Understanding PLC Programming Methods and the Tag Database System Retrieved. 2017/12/19 ↩
-
Department of Homeland Security 2016, September Retrieved. 2020/09/25 ↩↩
-
Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ↩
-
Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ↩
-
Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ↩
-
Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ↩
-
ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ↩
-
DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022. ↩