Isabel Tuson
68 lines
4.5 KiB
JSON
68 lines
4.5 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--64ed6f43-e07d-4f46-97a4-886e485d1047",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "attack-pattern",
|
|
"name": "Device Restart/Shutdown",
|
|
"description": "Adversaries may forcibly restart or shutdown a device in the ICS environment to disrupt and potentially cause adverse effects on the physical processes it helps to control. Methods of device restart and shutdown exist as built-in, standard functionalities. This can include interactive device web interfaces, CLIs, and network protocol commands, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing or firmware loading.\n\nUnexpected restart or shutdown of control system devices may contribute to impact, by preventing expected response functions from activating and being received in critical states. This can also be a sign of malicious device modification, as many updates require a shutdown in order to take affect. (Citation: Research - Research - Taxonomy Cyber Attacks on SCADA)\n\nFor example, DNP3's function code 0x0D can reset and reconfigure DNP3 outstations by forcing them to perform a complete power cycle. (Citation: Research - Research - Taxonomy Cyber Attacks on SCADA)\n\nIn the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries scheduled disconnects for the uniterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered. (Citation: Ukraine15 - EISAC - 201603)\n\nPlatforms: Linux, SCADA/ICS device, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows XP\n\nData Sources: Sequential event recorder, Alarm history, Network protocol analysis, Packet capture",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-ics-attack",
|
|
"phase_name": "inhibit-response-function"
|
|
}
|
|
],
|
|
"x_mitre_platforms": [
|
|
"Windows",
|
|
"Field Controller/RTU/PLC/IED"
|
|
],
|
|
"external_references": [
|
|
{
|
|
"url": "https://collaborate.mitre.org/attackics/index.php/Technique/T816",
|
|
"source_name": "mitre-ics-attack",
|
|
"external_id": "T0816"
|
|
},
|
|
{
|
|
"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry. (2011). A Taxonomy of Cyber Attacks on SCADA Systems. Retrieved January 12, 2018.",
|
|
"source_name": "Research - Research - Taxonomy Cyber Attacks on SCADA",
|
|
"url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
|
|
},
|
|
{
|
|
"description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.",
|
|
"source_name": "Ukraine15 - EISAC - 201603",
|
|
"url": "https://ics.sans.org/media/E-ISAC%20SANS%20Ukraine%20DUC%205.pdf"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"created": "2020-05-21T17:43:26.506Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_platforms": [
|
|
"Linux",
|
|
"SCADA/ICS device",
|
|
"Windows 7",
|
|
"Windows 8",
|
|
"Windows 8.1",
|
|
"Windows Server 2003",
|
|
"Windows Server 2003 R2",
|
|
"Windows Server 2008",
|
|
"Windows Server 2008 R2",
|
|
"Windows Server 2012",
|
|
"Windows Server 2012 R2",
|
|
"Windows Vista",
|
|
"Windows XP"
|
|
],
|
|
"x_mitre_data_sources": [
|
|
"Sequential event recorder",
|
|
"Alarm history",
|
|
"Network protocol analysis",
|
|
"Packet capture"
|
|
],
|
|
"modified": "2020-05-21T17:43:26.506Z",
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9"
|
|
}
|
|
]
|
|
} |