MITRE ATT&CK for ICS – Practical Applications Series (Final Update March 19, 2020)

Author: Jennifer Walker

Created: Thursday, March 19, 2020 - 18:15

Categories: Cybersecurity, General Security and Resilience

Part Five: MITRE ATT&CK for ICS – Practical Applications for Device Restart/Shutdown

In the final installment of its Practical Application for the MITRE ATT&CK for ICS series, IoT cybersecurity firm Armis takes a look at the Device Restart/Shutdown technique. This is the second technique the group has highlighted from the Inhibit Response Function category of tactics. The Device Restart/Shutdown technique can be used for more than its name implies. An adversary's goal is not always just to shut down or restart a machine to demonstrate control or take it offline. Similar to having to reboot a Windows computer in order to finish applying patches, adversaries also restart devices, including ICS/OT devices, to complete a malware installation. MITRE's primary example of this technique is the Industroyer/CRASHOVERRIDE malware that exploited vulnerabilities in the SIPROTEC DoS module, rendering the device unresponsive. For more information and practical defense strategies, read Part Five at Armis.

WaterISAC provided ongoing updates to this educational series as they were published. In addition to relevant notifications in the Security & Resilience Update, the complete series can be found on the WaterISAC portal, here.

 

Part Four: MITRE ATT&CK for ICS – Practical Applications for Utilize/Change Operating Mode

Continuing its Practical Application for the MITRE ATT&CK for ICS series, IoT cybersecurity firm Armis takes a look at the Utilize/Change Operating Mode technique found under two tactic categories, Evasion and Inhibit Response Function. Read Part Four at Armis

WaterISAC continues to provide updates to this educational series as they are published. In addition to relevant notifications in the Security & Resilience Update, the ongoing series can be found on the WaterISAC portal, here.

 

Part Three: MITRE ATT&CK for ICS – Practical Applications for Module Firmware

Continuing its Practical Application for the MITRE ATT&CK for ICS series, IoT cybersecurity firm Armis takes a look at the Module Firmware technique from the Persistence category of tactics. Read Part Three at Armis

WaterISAC reported on Part One and Part Two in this series in the February 13 and February 20 Security and Resilience Update, respectively.

 

Part Two: MITRE ATT&CK for ICS – Practical Applications for Change Program State

Continuing its Practical Application for the MITRE ATT&CK for ICS series, IoT cybersecurity firm Armis takes a look at the Change Program State technique from the Execution category of tactics. Read Part 2 at Armis

 

Part One: MITRE ATT&CK for ICS – Practical Applications for Internet Accessible Device

IoT cybersecurity firm Armis is endeavoring to publish a blog series on practical applications with respect to the recently released MITRE ATT&CK™ for ICS. The series promises to include actionable advice on how ICS asset owners could bolster their defenses. The first post in the series discusses the technique of Internet Accessible Device from the Initial Access category of tactics.

If you are able to access something from the internet, chances increase that an adversary can too. Open source tools like Shodan make it trivial for unsecured internet accessible devices to be discovered by anyone with an internet connection and an interest in exploiting industrial control systems (or any unsecured system). While many defenders have segmented and secured access to internet accessible devices, Armis points out that these defensive measures by themselves are error-prone and should be part of a layered security strategy, not the only strategy. The post references real-world examples and cites practical steps to overcome the risk posed by internet accessible devices, including strategies highlighted in WaterISAC's 15 Cybersecurity Fundamentals. Armis discusses knowing your network (15 Cybersecurity Fundamentals, #1 – Perform Asset Inventories), and monitoring and controlling connections (15 Cybersecurity Fundamentals, #3 – Minimize Control System Exposure, and #4 – Enforce User Access Controls, among others). Above all, cybersecurity is not one and done; controls and processes need to be regularly revisited and reevaluated for effectiveness. Read Part 1 at Armis.

Please note: WaterISAC is not explicitly promoting Armis’ solutions, as used in its illustrations, but we do believe the no-nonsense practical approach to defense strategies in this series is a valuable resource and can be applied to other ICS defense products.
