Transcription
HOW ARMIS SUPPORTSTHE MITRE ATT&CK FOR ICS MATRIXMITRE ATT&CK for ICS provides a useful framework for security managers to assessand improve their security controls for industrial control systems (ICS) and operationaltechnology (OT) environments. Traditional IT security controls that utilize agents will notwork for these environments, and network-based scans and probes can often adverselyimpact such devices, even potentially taking the devices and corresponding businesscapabilities offline.This white paper proposes an alternative approach — one based on passive trafficmonitoring, a massive device knowledgebase, and an advanced threat detection engine —that can alert against a broad range of the tactics and techniques listed in the new ATT&CKfor ICS framework.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.
TABLE OF CONTENTSIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3The Security Challenge for Industrial Control Systems . . . . . 4The MITRE ATT&CK Framework . 6The New MITRE ATT&CK for ICS . 7Comprehensive Coverage for ATT&CK for ICS. . . . . . . . . . . . . . . . . . 8ATT&CK Tactic: Initial Access . . . . . . . . . . . . . . . . . . . . . . . . . . 10ATT&CK Tactic: Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12ATT&CK Tactic: Persistence . 13ATT&CK Tactic: Evasion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14ATT&CK Tactic: Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15ATT&CK Tactic: Lateral Movement . . . . . . . . . . . . . . . . . . . 16ATT&CK Tactic: Collection . 17ATT&CK Tactic: Command and Control . 19ATT&CK Tactic: Inhibit Response Function . . . . . . . . 20ATT&CK Tactic: Impair Process Control . 22ATT&CK Tactic: Impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Deploying Armis to Protect ICS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Conclusion . 27MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.2
INTRODUCTIONIndustrial Control Systems (ICS) are increasingly vulnerable to cyberattacks. In recent years, we haveseen various types of malware with names like WannaCry, NotPetya, LockerGoga, and Triton shut downoperations at major firms such as Maersk, Renault-Nissan, Norsk Hydro, and others. Each firm sufferedmajor financial loss.The attacks are not limited to large enterprises. According to a commissioned study conducted byForrester Consulting on behalf of Armis, 66% of manufacturers have experienced a security incidentrelated to IoT or ICS devices over the past two years.1To help solve this problem, The MITRE Corporation has developed a new version of their highly popularMITRE ATT&CK framework. This new version is focused on Industrial Control Systems. Unlike previousATT&CK frameworks that were oriented towards traditional andmobile computing environments, the new ATT&CK for ICS isdesigned to help enterprise security practitioners understandadversary behavior and plan appropriate security systems that aretailored to the unique challenges of operational technology (OT)and ICS environments.66%This white paper reviews the reasons why ICS environments areincreasingly exposed to cyberattacks and proposes a new type ofsecurity system that can alert against a broad range of the tacticsand techniques listed in ATT&CK for ICS. This new approachrelies on passive traffic monitoring, a massively scalable deviceknowledgebase, and an advanced threat detection engine.INDUSTRIALMITRE ATT&CKANDFORMANUFACTURINGICS – 2021 ARMIS,IOT –INC. 2019 ARMIS, INC.of manufacturershave experienceda security incidentrelated to IoT or ICSdevices over the pasttwo years.3
THE SECURITY CHALLENGE FOR INDUSTRIAL CONTROL SYSTEMSThe United States National Institute of Standards and Technology (NIST) defines ICS as:“An information system used to control industrial processes such as manufacturing, producthandling, production, and distribution. Industrial control systems include supervisory control anddata acquisition systems used to control geographically dispersed assets, as well as distributedcontrol systems and smaller control systems using programmable logic controllers to controllocalized processes.”2There are a wide range of ICS devices, some of which include: Process Control Systems (PCS) Distributed Control Systems (DCS) Supervisory Control and Data Acquisition (SCADA) Servers/Clients Programmable Logic Controllers (PLC) Human Machine Interface (HMI) Manufacturing Execution Systems (MES) Field Devices IT/ICS Boundary interfacesMany people refer to the environments listed above as “operational technology” or OT environments. Inthis white paper, we shall use the term ICS simply to remain consistent with the term used by MITRE, butwe view the terms as largely interchangeable.Historically, ICS environments were relatively safe from cyberattacks because ICS devices were installed inisolated or “air-gapped” networks, and because many of the devices were obscure and therefore unknownand untargeted by most attackers.All of this is changing. Control system architectures are being connected to traditional enterprise ITnetworks (Ethernet, Wi-Fi, etc.), and device manufacturers are building ICS devices on top of commonoperating systems such as Windows, Linux, Android, and VxWorks. These changes increase the riskthat ICS can be compromised by the same kind of attacks used to compromise devices on corporateIT networks.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.4
THE FOLLOWING ARE SOME OF THE REASONS WHY MAINTAININGSECURITY FOR ICS ENVIRONMENTS IS INCREASINGLY CHALLENGING.UnpatchableICS devices range from complex large-scale robots tosmall sensors built on a single circuit board. Many ofthese devices were never designed to be updated, or ifthe capability exists, it requires a very manual process toaccomplish. This means that any vulnerabilities disclosedpost-manufacture will either persist through the lifecycle ofthe device or will be very difficult to patch manually.UnagentableMost ICS devices do not give administrators the abilityto gain root access to the underlying operating system,thus eliminating the possibility of installing an agent onthe device. Often, the ICS device includes a tailoredoperating system which is unable to host agentsdesigned for the mass market of manageable computers.The result is that traditional endpoint protection agentsthat are commonly used within the IT environment won’twork with ICS devices.ICS SECURITYCHALLENGES Unpatchable Unagentable Disruptable Accessible Proprietary Protocols ProliferationDisruptableA standard method for device discovery and vulnerability assessment on an IT network is to perform anetwork scan using something like NMAP. However, it is commonly known that network scans and probescan disrupt the functionality of an ICS device. ICS devices have historically not been designed to be able totolerate the same kinds of scans and probes that are commonly used on IT networks. Therefore, in the vastmajority of ICS environments, scanning of ICS devices is prohibited simply because of the risk of disruptingcritical business operations.AccessibleMost ICS devices in use today were designed under the assumption that they would either be installedas a standalone device or placed on an isolated network. Therefore, they were designed to be highlyaccessible, and they contained few (or no) built-in protections. Once they are placed onto a network, theyare unable to withstand a cyberattack.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.5
Proprietary ProtocolsSome ICS devices operate using proprietary protocols, either due to the specific nature of the deviceitself or to reduce the computational burden associated with other protocols. The result of using theseprotocols is that development, quality assurance, peer review and security processes have not matured inthe manner that widely-used protocols have. This leads to inherent vulnerabilities that cannot be resolvedwithout extensive development changes or replacing the protocol itself.It’s also worth noting that the security research community has traditionally focused on widely used,common protocols when hunting for and reporting vulnerabilities to software providers and hardwaremanufacturers. In turn, though many ICS devices are vulnerable to a variety of cyberattacks, theseexposures have not been recorded within standard vulnerability databases such as CVD.ProliferationThe rapid proliferation of the Internet of Things (IoT) has made an impact beyond the consumermarketplace and has exponentially increased the number of ICS devices available. This has changed thecompetitive marketplace for these devices, increasing the importance of time to market and cost savings.For all manufactures, these priorities reduce the time and resources available to develop, implement, andtest their products.The combination of the factors listed above explain the unique security challenges that are associated withICS devices. It can be overwhelming to understand how attacks against ICS devices occur, who is targetingthese devices, and what mitigations can be effective in defending this arena. It is for this reason that MITREhas developed the ATT&CK for ICS framework.THE MITRE ATT&CK FRAMEWORKMITRE ATT&CK is a well-known framework which outlines the tactics, techniques, and procedures (TTP) thatare typically employed by adversaries. Effectively, each MITRE ATT&CK framework helps a business to: Identify the most active and/or effective threat actors targeting your industry Understand the techniques used by the threat actors Prioritize each technique based on probability and potential impact to your business Assess current defenses, understand gaps, and plan improved defensesSecurity vendors should be able to articulate which ATT&CK techniques their products address. In this way,ATT&CK gives enterprise security architects an “apples to apples” comparison across different securityproducts. ATT&CK simplifies this discussion by standardizing the tactics and techniques and giving solidexamples of what specific threat actors’ procedures are in those areas.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.6
MITRE ATT&CK FOR ICSMITRE has previously published two ATT&CK frameworks — one for enterprise environments and anotherfor mobile devices. The vast majority of techniques included in those frameworks are unique to Windows,macOS, iOS, and Android devices. They provide little help to security managers who are interested inunderstanding techniques that are used to attack ICS environments.In January 2020, MITRE released the first version of ATT&CK for ICS. This new framework is unique to theoperating systems, TTPs, and adversaries of concern for users of ICS devices.The new ATT&CK for ICS lists the following tactics: Initial Access Execution Persistence Evasion Discovery Lateral Movement Collection Command and Control Inhibit Response Function Inhibit Process Control ImpactWhile many of these tactics and the underlying 81 techniques share the same names as the ones containedin MITRE’s enterprise ATT&CK framework, the detailed descriptions of the tactics and techniques havebeen tailored specific to ICS devices. Each technique may be associated with one or more tactics if theyhave the capability to support different adversarial objectives.The following enterprise tactics are not included in ATT&CK for ICS: Credential Access ExfiltrationThis does not imply that an adversary will not use these techniques when targeting ICS, but rather thatthese techniques will be used within the victim’s enterprise network, which in turn may bridge into thevictim’s ICS environment.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.7
ARMIS PROVIDES COMPREHENSIVE COVERAGE FOR ATT&CK FOR ICSThe Armis agentless device security platform provides comprehensive coverage of the cyber attacktechniques listed in the MITRE ATT&CK for ICS matrix. The Armis platform discovers every device on yournetwork as well as devices that are transmitting in your airspace. Once each device has been discovered,The Armis platform analyzes device behavior to identify risks and detect cyber attack techniques. theplatform is cloud-based, agentless, and integrates easily with your existing network and security products.The Armis platform does not utilize any kind of active scanning or probing because such methods arepotentially dangerous to ICS devices. Instead, it passively monitors wired and wireless traffic to identifyeach device and to understand its behavior without disruption. The Armis Risk Analysis Engine analyzesthis data and uses device profiles and characteristics stored in the Armis Device Knowledgebase toassess each device’s risk, detect threats, and block threats automatically.AGENTLESSDEVICESECURITYANOMALY DETECTEDThe Role of Programmable Logic Controllers (PLCs)As addressed above, there are many different devices under the category of Industrial Control Systems.PLCs are commonly used as an abstraction layer for dumber devices, and as such represent the primaryattack surface for those devices. For many of the ICS techniques, The Armis platform's ability to detect thetechniques against PLCs enables it to provide protection for a broad range of ICS devices.The table below lists all of the ATT&CK for ICS techniques organized by tactic. The darker purplerepresents techniques that the Armis platform can detect at inception, and the lighter purple representsthe techniques that it can detect subsequently, or where it may be one of many indicators necessary tovalidate that the technique has occurred. Each technique is further described following this table.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.8
ATT&CK FOR ICS rolImpactCommonlyUsed PortActivateFirmwareUpdate ModeBruteForce I/ODamageto PropertyData pressionChange ProgramState *Denialof ControlExternalRemoteServices *DetectOperatingModeStandardApplicationLayer ProtocolBlockCommandMessageMasquerading *Denialof ViewNetworkServiceScanningProgramOrganizationUnits rolLogic *Loss ofAvailabilityRootkit *NetworkSniffingRemoteFile CopyI/O ImageBlock SerialCommModifyParameterLossof ControlSpoofReportingMessage *RemoteSystemDiscoveryValidAccounts re *Loss ofProductivityand RevenueUtilize/ChangeOperatingMode ial ofServiceProgramDownload **Lossof SafetyScriptingPoint & TagIdentificationDevice Restart/ ShutdownRogueMasterDevice *Lossof ViewUserExecutionProgramUploadManipulateI/O ImageServiceStopManipulationof ControlRoleIdentificationModify AlarmSettingsSpoofReportingMessage *Manipulationof ViewScreenCaptureModifyControlLogic *UnauthorizedCommandMessageTheft ntCollectionCommand& torianCompromiseChangeProgramState *HookingExploitationfor InterfaceModuleFirmware *IndicatorRemoval onHostI/O ModuleDiscoveryExploitationof utionthrough APIProgramDownload **Masquerading pplicationGraphicalUserInterfaceProject FileInfection *RogueMasterDevice *ExternalRemoteServices *Man in theMiddleSystemFirmware *InternetAccessibleDeviceProgramOrganizationUnits *ValidAccounts *ReplicationThroughRemovableMediaProject File *SpearphishingAttachmentSupply ChainCompromiseWirelessCompromiseProgramDownload **Techniques that the Armis platform can detect at inceptionTechniques that the Armis platform can detectsubsequently, or where it may be one of manyindicators necessary to validate* Technique is used in two different tactics** Technique is used in three different tacticsFor brevity, we are not duplicating full descriptions of each Tactic or Technique.Further details on each of these methods are available p/All Techniques.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.Rootkit *SystemFirmware *Utilize /ChangeOperatingMode *9
ATT&CK TACTIC: INITIAL ACCESSThe adversary is trying to get into your ICS environment.NAMETHE ARMIS PLATFORM'S CAPABILITIEST810: DataHistorianCompromiseThe Armis platform is able to detect and alert on abnormal traffic orcommunication behavior which may indicate that an adversary isattempting to compromise, or has already compromised, the DataHistorian.T817: Drive-byCompromiseThe Armis platform's policy engine can be configured to alert and takeaction whenever Armis observes a device accessing unauthorizedor known malicious websites. The Armis platform's threat feedsautomatically populate the list of known malicious sites, and a predefinedpolicy can alert if a device reaches out to a site on the list.T818: EngineeringWorkstationCompromiseThe Armis platform is able to alert on abnormal traffic or communicationbehavior which may indicate that an engineering workstation, SCADA orHMI has been compromised.T819: ExploitPublic-FacingApplicationThe Armis platform is able to detect software vulnerabilities on Internetfacing applications; this helps security managers take proactive steps toupdate the software or otherwise mitigate the risk of exploitation. Also,it continuously monitors the behavior of systems hosting public-facingapplications to detect if they have been compromised.T822: ExternalRemote Services*The Armis platform passively monitors device communications andassociates active ports, services, and protocols. The Armis platform'spolicy engine can be configured to alert when Armis observes a deviceutilizing unauthorized services.T883: InternetAccessible DeviceThe Armis platform's passive monitoring can identify specific devicesthat are communicating with the internet and therefore are internetaccessible, and can alert on those devices that should not beexhibiting this type of communication.T847: ReplicationThroughRemovable MediaThe Armis platform monitors network traffic, so once a maliciousapplication is active on the network, even those transferred throughremovable media, Armis will be able to detect malicious activity.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.10
ATT&CK TACTIC: INITIAL ACCESSThe adversary is trying to get into your ICS y ChainCompromiseIf a system has been compromised through a spearfishing attachment,the Armis platform will detect and alert on abnormal behavior caused bythe malware/attacker.The Armis platform passively and continuously monitors the behavior ofevery device on our customers’ networks. The platform compares everydevice’s real-time activity to the established and “known-good” activitybaseline for the specific device which is stored in the Armis DeviceKnowledge Base. When abnormal behavior in your network is detected,Armis updates the risk score and generates a security alert.In the event of a supply chain compromise, the Armis platform willalert when the compromised product behaves abnormal compared toother legitimate products.T860: WirelessCompromiseMITRE ATT&CK FOR ICS – 2021 ARMIS, INC.The Armis platform passively monitors all communications in the 2.3and 5 GHz frequency spectrum which is used by Wi-Fi, Bluetooth, BLE,Zigbee, and other peer-to-peer protocols. Through this monitoring, theArmis platform is able to detect and alert on unauthorized devices andunexpected or malicious wireless activity.11
ATT&CK TACTIC: EXECUTIONThe adversary is trying to run malicious code.NAMETHE ARMIS PLATFORM'S CAPABILITIEST875: ChangeProgram State*The Armis platform is able to detect and alert on a wide range of PLCspecific network traffic, including the commands related to changing theprogram state on a device.T807: CommandLine InterfaceThe Armis platform is able to monitor remote access services such asSSH, Telnet, and RDP which are likely to be used by attackers who areattempting to access ICS environments via the command-line interface.When such remote access activity is abnormal (e.g. at an unusual time ofthe day, or the first such remote access ever observed), Armis can alerton the remote access service activity.T871: Executionthrough APIThe Armis platform can detect API calls and, through its threat detectionengine, alert if the API activity, or the source of the API calls, is abnormal.T823: GraphicalUser InterfaceThe Armis platform's passive monitoring of device communicationspatterns allows it to detect abnormal traffic which may indicate anadversary is remotely accessing a GUI to conduct malicious behavior.T830: Man in theMiddleThe Armis platform's passive monitoring of device communications,including network traffic characteristics like TCP options and latency, allowsit to detect anomalies which may indicate a Man-in-the-Middle attack.T844: ProgramOrganization Units*The Armis platform is able to detect and alert on a wide range of PLCspecific network traffic, including the commands related to changing theprogram on a device.T873: Project FileInfection*The Armis platform is able to detect when a PLC has been reprogrammedand alert on that activity.T853: ScriptingIf a malicious script is used to attack or alter a device, causing thedevice to behave abnormally, The Armis platform will detect and alert onthe abnormal behavior.T863: UserExecutionIf a system is compromised through user execution, then the Armisplatform will detect when the system acts abnormally.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.12
ATT&CK TACTIC: PERSISTENCEThe adversary is trying to maintain their foothold in your ICS environment.NAMETHE ARMIS PLATFORM'S CAPABILITIEST874: HookingThe Armis platform's passive network monitoring and device profilingenables it to detect when a system has been compromised and isredirecting API calls across the network. If the system acts abnormally orredirects the API calls across the network, then Armis will generate analert.T839: ModuleFirmware*The Armis platform detects when firmware is downloaded to PLCs. Then,if the new firmware causes the behavior of a PLC to change abnormally,Armis will detect and issue an alert.T843: ProgramDownload**The Armis platform detects when programs are downloaded to PLCs.Then, if the new program causes the behavior of a PLC to changeabnormally, Armis will detect the abnormality and issue an alert.T873: Project FileInfection*The Armis platform is able to detect when a PLC has been reprogrammedand alert on that activity.T857: SystemFirmware*The Armis platform passively monitors device communications acrossthe network, and is able to profile every device to determine the currentversion of system firmware that is operating. This gives our customer theability to monitor the firmware version across devices, understand theknown threats to the firmware, and intelligently manage their firmwareupgrade strategy.In addition, it has the ability to detect when a PLC firmware has beenchanged and to alert on that activity.T859: ValidAccounts*MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.The Armis platform's passive monitoring and device profiling can detectwhen abnormal network connections are being made, which is indicativeof an adversary using valid accounts to conduct lateral movement outsideof the normal behavior for the legitimate account holder.13
ATT&CK TACTIC: EVASIONThe adversary is trying to avoid being detected.NAMET820: Exploitationfor EvasionTHE ARMIS PLATFORM'S CAPABILITIESThe Armis platform identifies all known software vulnerabilities. Thisfacilitates proactive attempts to remediate vulnerable devices, removethem from the network, or provide other forms of risk mitigations.Once a device has been exploited for evasion, it can detect and alert onbehavioral changes.T872: IndicatorRemoval on HostThe Armis platform's passive network monitoring is able to detect anadversary’s remote commands related to removing indications of theirpresence on a specific host.T849:Masquerading*Since the Armis platform monitors the behavior of devices, not the fileson the devices, it is not fooled by attackers’ masquerading techniques.The platform passively and continuously monitors the behavior of everydevice to detect and alert on abnormal behavior.T848: RogueMaster Device*The Armis platform passively monitors device communications and canalert whenever a device communicates with a rogue master device.T851: Rootkit*The Armis platform's passive network monitoring enables its to detectabnormal behavior which is indicative of a rootkit. If the adversaryis targeting a PLC for the rootkit, the platform will detect when theconfiguration and firmware have been altered.T856: SpoofReporting Message*The Armis platform's passive network monitoring allows it to detectabnormal message traffic which may be indicative of message spoofing.T858: Utilize/Change OperatingMode*The Armis platform is able to detect and alert on PLC Mode Changes.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.14
ATT&CK TACTIC: DISCOVERYThe adversary is trying to figure out your ICS environment.NAMETHE ARMIS PLATFORM'S CAPABILITIEST808: ControlDeviceIdentificationThe Armis platform can detect abnormal network traffic whichmay indicate an adversarial attempt at conducting control deviceidentification.T824: I/O ModuleDiscoveryThe Armis platform's passive network monitoring enables it to detectwhen an adversary attempts to conduct input/output discovery over thenetwork.T840: NetworkConnectionEnumerationThe Armis platform passively monitors device communications and canbe configured to alert on the presence of unauthorized network scans,netstat use, or other abnormal network traffic indicative of networkconnection enumeration.T841: NetworkService ScanningThe Armis platform detects and alerts on port scanning.T842: NetworkSniffingThe Armis platform's passive network monitoring detects when anadversary attempts to exfiltrate information sniffed from a network.T846: RemoteSystem DiscoveryThe Armis platform's passive network monitoring and device profilingallows it to detect unauthorized or abnormal network traffic associatedwith remote system discovery.T854: SerialConnectionEnumerationThe Armis platform's passive network monitoring and device profilingallows it to detect unauthorized or abnormal network traffic associatedwith querying a device for its serial connections information.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.15
ATT&CK TACTIC: LATERAL MOVEMENTThe adversary is trying to get into your ICS environment.NAMETHE ARMIS PLATFORM'S CAPABILITIEST812: DefaultCredentialsThe Armis platform's passive monitoring of the network traffic, combinedwith device profiling, allows it to detect and alert on credentialstransitioning across the network. It can also detect when one deviceconnects to another, and is able to create alerts which may indicate thatdefault credentials are being used.T866: Exploitationof Remote ServicesThe Armis platform's passive network monitoring allows it to detect whena device uses remote services in an abnormal manner, e.g. for lateralmovement.T822: ExternalRemote Services*The Armis platform's passive network monitoring allows it to characterizethe behavior of all network participants, even if they are entering thenetwork through an external remote service. The network traffic fromexternal remote services are monitored, and alerts can be created toalert on abnormal or suspicious behavior.T844: ProgramOrganization Units*The Armis platform is able to detect when a PLC has beenreprogrammed, and policies can be created to alert on this behavior.T867: Remote FileCopyThe Armis platform's passive monitoring and device profiling can detectwhen a system is remotely copying files.T859: ValidAccountsThe Armis platform's passive monitoring and device profiling can detectwhen abnormal network connections are being made, which is indicativeof an adversary using valid accounts to conduct lateral movement outsideof the normal behavior for the legitimate account holder.MITRE ATT&CK FOR ICS – 2021 ARMIS, INC.16
ATT&CK TACTIC: COLLECTIONThe adversary is trying to gather data of interest and domain knowledgeon your ICS environment to inform their goal.NAMETHE ARMIS PLATFORM'S CAPABILITIEST802: AutomatedCollectionThe Armis platform's passive network monitoring is able to detect andalert on new or abnormal network activity to include the use of tools andscripts which are used for automated collection.T811: Data fromInformationRepositoriesThe Armis platform's passive network monitoring is able to detect andalert on unauthorized or abnormal connection attempts to connect toinformation repositories.T868: DetectOperating ModeThe Armis platform is able to detect and alert on a wide range of PLCspecific network traffic, including the commands related to monitoringthe PLC status which would be used by an adversary to determine thecurrent state of the PLC.T870: DetectProgram StateThe Armis platform is able to detect and alert on a wide range of PLCspecific network traffic, including the commands related to monitoringthe PLC status which would be used by an adversary to determine thecurrent state of the PLC.T877: I/O ImageThe Armis platform's passive network monitoring and device profiling candetect and alert on unauthorized connections to ICS devices which couldbe used to extract I/O images.T825: LocationIdentificationThe Armis platform's passive network monitoring and device profiling candetect and alert on unauthorized connections to ICS devices which couldbe used to identify the device’s location.T801: MonitorProcess StateThe A
that can alert against a broad range of the tactics and techniques listed in the new ATT&CK . control systems and smaller control systems using programmable logic controllers to control localized processes."2 . A standard method for device discovery and vulnerability assessment on an IT network is to perform a network scan using something .
