Impact
Techniques
| ID | Name | Description |
|---|---|---|
| EST000188 | Activate Firmware Update Mode | A Cyber Embedded Technique in which an adversary activates firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. Also known as maintenance mode or an OEM debug mode. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities. |
| EST000190 | Alarm Suppression | A Cyber Embedded Technique in which an adversary targets protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be part of an overall reporting system and are of particular interest to adversaries. Disruption or degradation of the alarm system does not imply disruption or degradation of the reporting system as a whole. The adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal, to evade detection, or to prevent intended responses from occurring. Methods of suppression may involve tampering with or altering device displays and logs, modifying in-memory code to fixed values, or even tampering with assembly-level instruction code. |
| EST000191 | Block Command Message | A Cyber Embedded Technique in which an adversary blocks a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. |
| EST000192 | Block Reporting Message | A Cyber Embedded Technique in which an adversary blocks or prevents a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. |
| EST000193 | Data Manipulation | A Cyber Embedded Technique in which an adversary modifies or removes data within an embedded system to achieve objectives such as disrupting system functionality, evading detection, or gaining unauthorized control. This can involve manipulating configuration files, system logs, sensor data, or control parameters. Specific examples include: manipulating electrical signals, i.e. altering electrical signals to disrupt system operation or cause physical damage (previously EST000216); manipulating gas systems, i.e. modifying gas flow rates, pressures, or compositions to disable safety mechanisms or cause malfunctions (previously EST000217); and manipulating fluid systems, i.e. altering fluid flow rates, pressures, or compositions to disrupt cooling systems or damage mechanical components (previously EST000218). The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activity. Such non-native files and other data may be removed or modified over the course of an intrusion to maintain a small footprint or as a standard part of post-intrusion cleanup. Data removal may also be used to render operator interfaces unresponsive and to prevent response functions from occurring as expected. An adversary may also remove data backups that are vital to recovery after an incident. |
| EST000194 | Denial of Service | A Cyber Embedded Technique in which an adversary performs a Denial-of-Service (DoS) attack to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of network traffic in a short period of time and sending the target device traffic it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly until a reboot occurs. In this state, devices may be unable to send and receive network traffic and may not perform expected response functions in reaction to other events in the environment. Adversaries may also cause a denial of service by exploiting a software vulnerability, taking advantage of a programming error in a program, a service, or the operating system or kernel itself to crash or hang the target or to execute adversary-controlled code. |
| EST000195 | Device Restart/Shutdown | A Cyber Embedded Technique in which an adversary restarts or shuts down a device, or multiple devices, on the platform to disrupt and potentially cause adverse effects on the processes it controls. Methods of device restart and shutdown exist as built-in, standard functionality, reachable through network protocols, CLIs, and interactive device web interfaces, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing, firmware loading, debugging, or maintenance. Unexpected restart or shutdown of control system devices may contribute to impact by preventing expected response functions from activating and being received in critical states. It can also be a sign of malicious device modification, as many updates require a shutdown in order to take effect. |
| EST000196 | Manipulate Instrumentation and/or Controls | A Cyber Embedded Technique in which an adversary targets the human-to-system interface to inhibit response. On platforms that require human intervention it is possible simply to stop an alarm from being displayed to the operator, or to stop the operator from interacting with the platform. This typically involves inhibiting the platform's audible warning system and any display from which operators obtain information visually. Adversaries may also seek to inform the operator that something has occurred when in reality it has not. Adversaries may also seek to stop operators from interacting with the platform by interfering with the operator's ability to control it, for example by disabling buttons, or by removing or blocking messages sent from the indicator control system, among other methods. |
| EST000197 | Modify Alarm Settings | A Cyber Embedded Technique in which an adversary modifies alarm settings to prevent alerts that may inform operators of their presence, or to prevent responses to dangerous and unintended scenarios. By modifying the sensing parameters (e.g. thresholds) that the alarm system uses to trigger, adversaries are able to control when, or whether, the alarm triggers. |
| EST000198 | Inhibit Control Logic | A Cyber Embedded Technique in which an adversary places malicious code in a system to cause it to malfunction by modifying its control logic. Whether the goal is to inhibit response or to modify process control, adversaries may seek to control the process a platform undergoes by controlling the logic that systems or devices use to accomplish their goals. Relating to alarm suppression and response: adversaries may seek to control the response to an alarm by modifying the device's reaction to certain commands, which may include disregarding operator commands. |
| EST000199 | Function Inhibiting Program Download | A Cyber Embedded Technique in which an adversary performs a program download to load malicious or unintended program logic onto a device to disrupt response functions. Program download onto devices such as PLCs allows adversaries to implement custom logic, and malicious PLC programs may be used to disrupt physical processes. The act of a program download typically causes the PLC to enter a STOP operating state, which by itself may prevent response functions from operating correctly. |
| EST000200 | Inhibiting Rootkit | A Cyber Embedded Technique in which an adversary uses rootkits to inhibit system response functions. Rootkits are programs that hide the existence of malware by intercepting (i.e. hooking) and modifying operating system API calls that supply system information. Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level of the operating system or lower, including in a hypervisor, the Master Boot Record, or the system firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems, have been shown to work on VxWorks systems, and may be possible on other common embedded operating systems. |
| EST000201 | Inhibiting System Firmware | A Cyber Embedded Technique in which an adversary utilizes the BIOS (Basic Input/Output System) or similar capabilities as a way to inject executable code prior to operating system boot. The BIOS and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and the hardware of a computer. System firmware like BIOS and (U)EFI underlies the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. |
| EST000202 | Inhibiting via Operating Mode Changes | A Cyber Embedded Technique in which an adversary places controllers into an alternate mode of operation to enable configuration setting changes to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online. By driving a device into an alternate mode of operation, an adversary has the ability to change configuration settings in such a way to cause an impact to equipment and/or industrial process associated with the targeted device. An adversary may also use this alternate mode to execute arbitrary code which could be used to evade defenses. |
| EST000203 | Deprecated | This technique was consolidated between the ESTM 1.0 and ESTM 2.1 releases and inadvertently created a duplication with EST000196, Manipulate Instrumentation and/or Controls. |
| EST000204 | Impair Process via Modified System Tasking | A Cyber Embedded Technique in which an adversary modifies the tasking of an embedded system to impair process controls, allowing the adversary to manipulate the execution flow and behavior of the system. On platforms this applies to anything that controls a physical function, e.g. landing gear on an aircraft no longer affecting the pilot's capability to fire munitions. Programs are associated with tasks that schedule their execution; an adversary may modify these associations or create new ones to manipulate the execution flow of an embedded system. Modification of embedded system tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. Tasks have properties, such as interval, frequency, and priority, to meet the requirements of program execution. Some embedded system vendors implement tasks with implicit, pre-defined properties, whereas others allow these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority, or that execute associated programs more frequently. |
| EST000205 | Impairing Masquerade | A Cyber Embedded Technique in which an adversary masquerades, via at least one means, to appear legitimate: any manipulation or abuse for the sake of appearing as a legitimate process. Examples include additional spoofed configuration files or hardware man-in-the-middle attacks targeting a discrete signal line. On platforms this applies to anything that controls a physical function, e.g. landing gear on an aircraft no longer affecting the pilot's capability to operate aircraft functions. |
| EST000206 | Process Masquerading | A Cyber Embedded Technique in which an adversary masquerades as a legitimate executable to impair a software process. Within an LRU (line replaceable unit), masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. On platforms this applies to anything that controls a physical function, e.g. landing gear on an aircraft no longer affecting the pilot's capability to fire munitions. |
| EST000207 | Impair Processes via Logical Masquerading | A Cyber Embedded Technique in which an adversary masquerades as legitimate data processing to impair physical processes. For example, some serial buses have no authentication built into the bus protocol, and some serial protocols allow any device to transmit onto the bus at any point in time, so a rogue node's frames are indistinguishable from a legitimate node's. Additionally, it may be possible to target specific algorithms contained in device or application drivers. |
| EST000208 | Impair Control Logic | A Cyber Embedded Technique in which an adversary places malicious code in a system to cause it to malfunction by modifying its control logic. Whether the goal is to inhibit response or to modify process control, adversaries may seek to control the process a platform undergoes by controlling the logic that systems or devices use to accomplish their goals. Relating to process control: adversaries may seek to control the process so that physical actions do not occur in the order intended by the system designers. This modification of logic can occur in any system that uses a conditional statement followed by the execution of code that controls something in the subsystem or at the platform level. |
| EST000209 | Modify Parameter | A Cyber Embedded Technique in which an adversary modifies parameters used to instruct platform control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a platform system device dictating motor processes may take a parameter defining the total number of seconds to run the motor or how far to move the aileron. An adversary can modify these parameters to produce an outcome outside what was intended by the operators. By modifying system- and process-critical parameters, the adversary may cause impact to equipment and/or control processes. Parameters may be changed to dangerous, out-of-bounds, or unexpected values relative to typical operation, for example specifying that a process run for more or less time than it should, or supplying an unusually high, low, or invalid value. |
| EST000210 | Malicious Device Firmware | A Cyber Embedded Technique that results in persistent and evasive malicious behavior on a compromised system, achieved through the execution of adversary code outside of the operating system, in device firmware or the BIOS. This technique manifests as a range of system anomalies and unauthorized activities that are difficult to detect and remove using traditional software-based methods. The system operator may observe: persistent system compromise, where the system remains compromised despite reboots, hard drive reimaging, or other standard recovery procedures; evasion of security controls, where traditional host-based security software and integrity checks are unable to detect or prevent the malicious activity; unexplained network activity, where the system exhibits unusual communications, potentially exfiltrating data or participating in botnet activity; unexpected system failures, such as the Ethernet card becoming unresponsive or other hardware components malfunctioning; and unauthorized access, where the system is used to reach other systems or resources on the network. This technique often leverages vulnerabilities in low-level system components, such as the Ethernet card's own firmware, to establish a persistent foothold. The specific methods used to implant the malicious firmware are not the focus here; the observable impacts on the system are. This technique differs from other impact techniques in its reliance on malicious firmware to achieve persistent and evasive effects. |
| EST000211 | Process Impairing Program Download | A Cyber Embedded Technique in which an adversary performs a program download to load malicious or unintended program logic on a device to disrupt process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes. |
| EST000212 | Rogue Master Device | A Cyber Embedded Technique in which an adversary establishes a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. |
| EST000213 | Service Stop | A Cyber Embedded Technique in which an adversary stops or disables services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop the response to an incident, or aid the adversary's overall objective of causing damage to the environment, for example by stopping a fire control system's monitoring function. Services may not allow modification of their data stores while running, so adversaries may stop services in order to conduct Data Destruction. |
| EST000214 | Impair Process via Spoofed Reporting Message | A Cyber Embedded Technique in which an adversary spoofs reporting messages in control system environments to impair process controls. Reporting messages are used in control systems so that operators and network defenders can understand the status of the network; they show the status of devices and any important events that the devices control. If an adversary can spoof reporting messages, they can impact the network in many ways: they can spoof reporting messages stating that a device is in normal working condition, as a form of evasion, or spoof reporting messages indicating that other errors are occurring, to distract defenders and operators from the actual source of the problem. |
| EST000215 | Unauthorized Command Message | A Cyber Embedded Technique in which an adversary sends unauthorized command messages to instruct control system devices to perform actions outside their expected functionality for process control. Command messages are used in ICS networks to give direct instructions to control system devices. If an adversary can send an unauthorized command message to a control system, it can instruct the device to perform an action outside the normal bounds of its operation, potentially one that causes an impact. For example, an adversary may command the engines of an aircraft to power down mid-flight. These are legitimate commands used for adversarial gain. |
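The command-message techniques above (Rogue Master Device, EST000212; Unauthorized Command Message, EST000215; Modify Parameter, EST000209) all rely on the fact that the command itself is protocol-legitimate, so a defender has to judge it by who sent it and what value it carries. The following is an added detection example, not part of the ESTM catalog and not tied to any product it describes. It assumes Modbus/TCP as the command protocol (the catalog does not name one), and the master allow-list, register map, engineering bounds and captured frames are all constructed for illustration.

```python
# Added example (not part of the ESTM catalog): inspect Modbus/TCP command
# frames for a rogue master, unauthorized write commands and out-of-bounds
# parameter writes. Hosts, register map, bounds and frames are constructed.
import struct
from dataclasses import dataclass

# Modbus function codes that change device state, i.e. command messages.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed policy: the only host allowed to act as Modbus master, and the
# engineering limits for writable holding registers (address -> (lo, hi)).
AUTHORIZED_MASTERS = {"10.0.0.10"}
REGISTER_BOUNDS = {0x0010: (0, 600),     # hypothetical motor run time, seconds
                   0x0011: (0, 100)}     # hypothetical valve position, percent


@dataclass
class Finding:
    src: str
    function: int
    detail: str


def parse_modbus_tcp(frame: bytes):
    """Split a Modbus/TCP ADU into (unit_id, function_code, pdu_data).
    MBAP header: transaction id (2), protocol id (2), length (2), unit id (1),
    where length counts the unit id plus the PDU that follows it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7], frame[8:]


def register_writes(fc: int, data: bytes):
    """Yield (address, value) pairs carried by a register write request."""
    if fc == 6:                                   # single register
        addr, value = struct.unpack(">HH", data[:4])
        yield addr, value
    elif fc == 16:                                # multiple registers
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty or len(data) < 5 + nbytes:
            raise ValueError("byte count disagrees with register quantity")
        for i, value in enumerate(struct.unpack(">%dH" % qty, data[5:5 + nbytes])):
            yield start + i, value


def inspect(src_ip: str, frame: bytes) -> list:
    """Return findings for one frame; read requests produce none."""
    findings = []
    _unit, fc, data = parse_modbus_tcp(frame)
    if fc not in WRITE_FUNCTIONS:
        return findings
    name = WRITE_FUNCTIONS[fc]
    if src_ip not in AUTHORIZED_MASTERS:          # rogue master / unauthorized command
        findings.append(Finding(src_ip, fc, "%s from non-master host" % name))
    for addr, value in register_writes(fc, data):  # modify parameter out of bounds
        lo, hi = REGISTER_BOUNDS.get(addr, (None, None))
        if lo is not None and not lo <= value <= hi:
            findings.append(Finding(src_ip, fc,
                "register 0x%04X written to %d, outside [%d, %d]" % (addr, value, lo, hi)))
    return findings


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend an MBAP header to a PDU (used here to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_single(tid, unit, addr, value):
    return build_frame(tid, unit, struct.pack(">BHH", 6, addr, value))


def write_multiple(tid, unit, start, values):
    pdu = struct.pack(">BHHB", 16, start, len(values), 2 * len(values))
    pdu += struct.pack(">%dH" % len(values), *values)
    return build_frame(tid, unit, pdu)


def read_holding(tid, unit, addr, qty):
    return build_frame(tid, unit, struct.pack(">BHH", 3, addr, qty))


# Constructed capture: (source IP, frame). Only the first two are benign.
SAMPLE_TRAFFIC = [
    ("10.0.0.10", write_single(1, 1, 0x0010, 120)),          # authorized, in bounds
    ("10.0.0.99", read_holding(2, 1, 0x0010, 2)),            # rogue host, but only a read
    ("10.0.0.99", write_single(3, 1, 0x0010, 120)),          # rogue master sending a command
    ("10.0.0.10", write_single(4, 1, 0x0010, 9000)),         # authorized host, dangerous value
    ("10.0.0.99", write_multiple(5, 1, 0x0010, [600, 150])),  # rogue host + out-of-bounds valve
]


def scan(traffic) -> list:
    return [f for src, frame in traffic for f in inspect(src, frame)]


if __name__ == "__main__":
    for f in scan(SAMPLE_TRAFFIC):
        print("%-10s fc=%-2d %s" % (f.src, f.function, f.detail))
```

Two points worth noting: the read request from the rogue host produces no finding, because reads are reconnaissance rather than command messages (a separate alert on any unexpected talker is reasonable, but it is a different signal); and the out-of-bounds check fires on the authorized master too, since a compromised engineering workstation or a spoofed source address sends from an allowed host. Bounds that encode real engineering limits are what make the second check useful.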
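On the reporting side, Block Reporting Message (EST000192) and Impair Process via Spoofed Reporting Message (EST000214) both change what the operator sees rather than what the device does, so the detection has to come from the report stream itself: reports that stop arriving, reports that claim a device identity but come from the wrong host, and a status picture that stops changing while the process is supposedly running. The following is an added example, not part of the ESTM catalog; the device table, reporting period, thresholds and the report log are all constructed.

```python
# Added example (not part of the ESTM catalog): check a stream of device
# reporting messages for gaps (blocked reports), reports arriving from a host
# other than the one the device is known to use (spoofed reports), and values
# that stop changing (a frozen "all normal" picture). All records constructed.
from collections import defaultdict

# Constructed expectations: device id -> address it reports from, plus the
# nominal reporting period in seconds. PLC-3 never reports in the sample.
EXPECTED_SOURCE = {"PLC-1": "10.0.0.21", "PLC-2": "10.0.0.22", "PLC-3": "10.0.0.23"}
PERIOD_S = 5.0

# Constructed report log: (timestamp_s, device id, source IP, reported value).
REPORTS = [
    (0.0, "PLC-1", "10.0.0.21", 20.1), (5.0, "PLC-1", "10.0.0.21", 20.3),
    (10.0, "PLC-1", "10.0.0.21", 20.2), (15.0, "PLC-1", "10.0.0.21", 20.4),
    (35.0, "PLC-1", "10.0.0.21", 20.5),           # 20 s of silence: blocked reports?
    (0.0, "PLC-2", "10.0.0.22", 50.0), (5.0, "PLC-2", "10.0.0.22", 50.0),
    (10.0, "PLC-2", "10.0.0.22", 50.0), (15.0, "PLC-2", "10.0.0.22", 50.0),
    (20.0, "PLC-2", "10.0.0.99", 50.0),           # "PLC-2" report from another host
]


def analyze(reports, expected_source=EXPECTED_SOURCE, period=PERIOD_S,
            max_missed=2, frozen_after=4):
    """Return (timestamp, device, kind, detail) findings in time order."""
    findings = []
    last_seen = {}
    streak = defaultdict(lambda: (None, 0))       # device -> (last value, run length)
    for ts, dev, src, value in sorted(reports, key=lambda r: (r[0], r[1])):
        # A report that names a device but comes from another address is the
        # simplest form of spoofing; a rogue master relaying captured traffic
        # from a new position on the network looks the same.
        if expected_source.get(dev) != src:
            findings.append((ts, dev, "unexpected-source", src))
        # More than max_missed periods between consecutive reports.
        prev = last_seen.get(dev)
        if prev is not None and ts - prev > max_missed * period:
            findings.append((ts, dev, "reporting-gap", ts - prev))
        last_seen[dev] = ts
        # A value that repeats exactly for frozen_after reports in a row.
        last_value, run = streak[dev]
        run = run + 1 if value == last_value else 1
        streak[dev] = (value, run)
        if run == frozen_after:                   # report once per streak, not every time
            findings.append((ts, dev, "frozen-value", value))
    return findings


def silent_devices(reports, now, expected_source=EXPECTED_SOURCE,
                   period=PERIOD_S, max_missed=2):
    """Devices with no report within max_missed periods of `now`. A device
    whose reports are blocked entirely never produces a gap finding above,
    because it never produces a second report; this catches that case."""
    last = {}
    for ts, dev, _src, _value in reports:
        last[dev] = max(ts, last.get(dev, ts))
    return sorted(dev for dev in expected_source
                  if now - last.get(dev, float("-inf")) > max_missed * period)


if __name__ == "__main__":
    for ts, dev, kind, detail in analyze(REPORTS):
        print("t=%5.1f %-6s %-18s %s" % (ts, dev, kind, detail))
    print("silent at t=40:", silent_devices(REPORTS, now=40.0))
```

The frozen-value check is the noisiest of the three: a genuinely static process (a valve that is legitimately parked) trips it as well, so in practice `frozen_after` is tuned per tag, or the check is only armed after a command has been sent that should have changed the reported value. The gap and source checks are cheap and rarely wrong, but they only see what reaches the sensor; if the adversary is between the device and the collector, the collector's own clock and the device's sequence numbers (where the protocol has them) are the evidence to correlate.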