T0878 Alarm Suppression
Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.
A Secura presentation on targeting OT notes a twofold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. [1] The method of suppression may depend heavily on the type of alarm in question:
- An alarm raised by a protocol message
- An alarm signaled with I/O
- An alarm bit set in a flag (and read)
In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal, whether to evade detection or to prevent intended responses from occurring. [1] Methods of suppression may involve tampering with or altering device displays and logs, modifying in-memory code to fixed values, or even tampering with assembly-level instruction code.
| Item | Value |
|---|---|
| ID | T0878 |
| Sub-techniques | |
| Tactics | TA0107 |
| Platforms | Device Configuration/Parameters, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay |
| Version | 1.2 |
| Created | 21 May 2020 |
| Last Modified | 30 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| C0020 | Maroochy Water Breach | In the Maroochy Water Breach, the adversary suppressed alarm reporting to the central computer. [6] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0807 | Network Allowlists | Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial-to-Ethernet converters) and services, especially in cases where devices have limits on the number of simultaneous sessions they support. |
| M0930 | Network Segmentation | Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment. [2][3][4][5] |
| M0810 | Out-of-Band Communications Channel | Provide an alternative method for alarms to be reported in the event of a communication failure. |
| M0814 | Static Network Configuration | Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Traffic Flow |
| DS0040 | Operational Databases | Device Alarm |
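As an added illustration (not part of the ATT&CK page or MITRE's tooling), the following check ties the two data components above together: it compares process telemetry against the Device Alarm records an operational database should hold, flagging limit excursions that produced no alarm, and it uses per-device Network Traffic Flow records to flag devices whose reporting traffic has gone quiet. The device names, setpoints, latency limits and all sample records are constructed assumptions.

```python
from math import inf

# Constructed sample data (assumption, not from the ATT&CK page): process
# telemetry, the alarm records an operational database (DS0040 Device Alarm)
# should hold, and per-device reporting flows (DS0029 Network Traffic Flow).
HIGH_LIMIT = 80.0        # hypothetical high-pressure alarm setpoint
ALARM_DELAY_S = 10       # hypothetical max latency from excursion to alarm record
FLOW_GAP_S = 15          # hypothetical max silence before a reporting link is suspect

telemetry = [            # (timestamp_s, device, process value)
    (0, "RTU-1", 72.0), (10, "RTU-1", 85.0), (20, "RTU-1", 88.0),
    (0, "RTU-2", 70.0), (10, "RTU-2", 90.0), (20, "RTU-2", 91.0),
]
alarms = [(12, "RTU-1", "PRESSURE_HIGH")]   # (timestamp_s, device, alarm tag)
flows = [                # (timestamp_s, source device, destination, bytes)
    (0, "RTU-1", "HMI", 120), (10, "RTU-1", "HMI", 130), (20, "RTU-1", "HMI", 128),
    (0, "RTU-2", "HMI", 120),
]

def missing_alarms(telemetry, alarms, high_limit=HIGH_LIMIT, delay=ALARM_DELAY_S):
    """Return (onset_ts, device) for every high-limit excursion that produced no
    alarm record within `delay` seconds of its onset. A persistent excursion is
    one episode, so one alarm at onset is enough; a repeat alarm is not required."""
    findings, above = [], {}                  # above: device -> currently over limit?
    for ts, dev, val in sorted(telemetry, key=lambda r: (r[1], r[0])):
        was_above = above.get(dev, False)
        above[dev] = val > high_limit
        if above[dev] and not was_above:      # onset of a new excursion
            if not any(d == dev and ts <= ats <= ts + delay for ats, d, _ in alarms):
                findings.append((ts, dev))
    return findings

def silent_devices(flows, devices, now, max_gap=FLOW_GAP_S):
    """Return devices whose reporting traffic to the collector has been absent for
    more than `max_gap` seconds (a device never seen at all counts as silent)."""
    last_seen = {}
    for ts, src, _, _ in flows:
        last_seen[src] = max(ts, last_seen.get(src, ts))
    return sorted(d for d in devices if now - last_seen.get(d, -inf) > max_gap)

def run_checks(now=20):
    """Combine both checks into one report for the devices present in the telemetry."""
    devices = sorted({dev for _, dev, _ in telemetry})
    return {"unalarmed_excursions": missing_alarms(telemetry, alarms),
            "silent_devices": silent_devices(flows, devices, now)}

if __name__ == "__main__":
    print(run_checks())   # → {'unalarmed_excursions': [(10, 'RTU-2')], 'silent_devices': ['RTU-2']}
```

A device that appears in both lists (an excursion with no alarm and no reporting traffic) is the pattern this technique produces; either finding alone also warrants a check of the device and its path to the collector.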
References
1. Jos Wetzels, Marina Krotofil. (2019). A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices. Retrieved 2019/11/01.
2. Karen Scarfone; Paul Hoffman. (2009, September). Guidelines on Firewalls and Firewall Policy. Retrieved 2020/09/25.
3. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved 2018/03/28.
4. Department of Homeland Security. (2016, September). Retrieved 2020/09/25.
5. Dwight Anderson. (2014). Protect Critical Infrastructure Systems With Whitelisting. Retrieved 2020/09/25.
6. Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study: Maroochy Water Services, Australia. Retrieved 2018/03/27.