T0864 Transient Cyber Asset
Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. 1 Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.
Adversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.
Transient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.
| Item | Value |
|---|---|
| ID | T0864 |
| Sub-techniques | |
| Tactics | TA0108 |
| Platforms | Engineering Workstation |
| Version | 1.2 |
| Created | 14 October 2021 |
| Last Modified | 30 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| C0020 | Maroochy Water Breach | In the Maroochy Water Breach, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0949 | Antivirus/Antimalware | Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares. |
| M0947 | Audit | Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. 3 It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. 4 |
| M0941 | Encrypt Sensitive Information | Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. 5 |
| M0930 | Network Segmentation | Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. 2 |
| M0951 | Update Software | Update software on control network assets when possible. If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0029 | Network Traffic | Network Traffic Flow |
References
-
North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ↩
-
North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ↩
-
Emerson Exchange Increase Security with TPM, Secure Boot, and Trusted Boot Retrieved. 2020/09/25 ↩
-
National Security Agency 2016, February Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems Retrieved. 2020/09/25 ↩
-
National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ↩
-
Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ↩