T0873 Project File Infection
Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. [1] Using built-in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment, enabling further Execution and Persistence techniques. [3]
Adversaries may export their own code into project files with conditions to execute at specific intervals. [2] Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC, the workstation device may be disconnected with the infected project file still executing. [3]
Item | Value |
---|---|
ID | T0873 |
Sub-techniques | |
Tactics | TA0110 |
Platforms | Engineering Workstation, Human-Machine Interface |
Version | 1.0 |
Created | 21 May 2020 |
Last Modified | 08 May 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0603 | Stuxnet | Stuxnet copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. [2] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0947 | Audit | Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps). |
M0945 | Code Signing | Allow for code signing of any project files stored at rest to prevent unauthorized tampering. Ensure the signing keys are not easily accessible on the same system. |
M0941 | Encrypt Sensitive Information | When at rest, project files should be encrypted to prevent unauthorized changes. [4] |
M0922 | Restrict File and Directory Permissions | Ensure permissions restrict project file access to only engineer and technician user groups and accounts. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Modification |
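The following is an added example, not code from the ATT&CK page or from any engineering-tool vendor. It implements the M0947 Audit check in Python: hash every project file, compare against a known trusted baseline, and additionally flag a file whose content hash changed while its timestamp did not, which is the kind of secondary indicator the mitigation text mentions. The resulting report is the File Modification data (DS0022) a detection would consume. The watched extensions, the directory layout and the file contents are constructed assumptions for illustration only.

```python
"""Integrity audit for PLC project files (M0947 Audit / DS0022 File Modification).

Added example for this page; it is not MITRE's or any vendor's code. The file
extensions, directory layout and file contents below are constructed
assumptions chosen to illustrate the check, not real engineering-tool formats.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed set of project-file extensions to watch; adjust per engineering tool.
PROJECT_EXTENSIONS = {".s7p", ".tsproj", ".plcproj", ".awl", ".xml"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large project archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the SHA-256 hash and modification time of every project artefact under root.

    This is the 'known trusted version' the mitigation refers to; store it off the
    workstation so whoever edits a project file cannot rewrite the baseline as well.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PROJECT_EXTENSIONS:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(path), "mtime_ns": path.stat().st_mtime_ns}
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a baseline.

    Reports modified, added and missing project files. A modified file whose
    timestamp still equals the baseline value is also listed under
    'timestamp_mismatch': the content changed but the mtime did not, so the
    timestamp alone would have hidden the change.
    """
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": [], "timestamp_mismatch": []}
    for rel, known in baseline.items():
        seen = current.get(rel)
        if seen is None:
            report["missing"].append(rel)
        elif seen["sha256"] != known["sha256"]:
            report["modified"].append(rel)
            if seen["mtime_ns"] == known["mtime_ns"]:
                report["timestamp_mismatch"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def demo() -> dict:
    """Build a baseline over a constructed project tree, then apply four changes an
    auditor should catch: a plain edit, an edit with the timestamp put back, a new
    file, and a deleted file. Returns the verify() report."""
    root = Path(tempfile.mkdtemp(prefix="plcproj_"))
    (root / "Main").mkdir()
    files = {  # constructed sample content, not real project source
        "Line1.s7p": b"constructed project header\n",
        "Main/OB1.awl": b"ORGANIZATION_BLOCK OB1\nBEGIN\n  CALL FC1\nEND_ORGANIZATION_BLOCK\n",
        "Main/FC1.awl": b"FUNCTION FC1 : VOID\nBEGIN\n  L 100\nEND_FUNCTION\n",
        "notes.txt": b"not a project artefact, must be ignored\n",
    }
    for rel, data in files.items():
        (root / rel).write_bytes(data)
    baseline = build_baseline(root)

    # 1. Ordinary edit: content and timestamp both move (timestamp set explicitly
    #    so the example does not depend on filesystem clock granularity).
    edited = root / "Main/FC1.awl"
    edited.write_bytes(files["Main/FC1.awl"].replace(b"L 100", b"L 999"))
    later = baseline["Main/FC1.awl"]["mtime_ns"] + 60 * 10**9
    os.utime(edited, ns=(later, later))

    # 2. Edit with the original timestamp restored: hash differs, mtime does not.
    stomped = root / "Main/OB1.awl"
    stomped.write_bytes(files["Main/OB1.awl"] + b"// extra network\n")
    original = baseline["Main/OB1.awl"]["mtime_ns"]
    os.utime(stomped, ns=(original, original))

    # 3. New block added and 4. project header file removed.
    (root / "Main/FC2.awl").write_bytes(b"FUNCTION FC2 : VOID\nBEGIN\nEND_FUNCTION\n")
    (root / "Line1.s7p").unlink()
    return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:19s} {paths}")
```

Running the module prints the four report categories for the constructed tree. In a real deployment the baseline would be generated when a project is released, stored somewhere the engineering workstation can only read, and re-verified before every download to a PLC; the `timestamp_mismatch` list exists precisely because a hash comparison catches what a timestamp check misses.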
References
1. Beckhoff. TwinCAT 3 Source Control: Project Files. Retrieved 2019/11/21.
2. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved 2017/09/22.
3. PLCdev. Siemens SIMATIC Step 7 Programmer's Handbook. Retrieved 2019/11/21.
4. National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved 2020/09/17.