{"description": "ICS techniques mitigated by Communication Authenticity, ATT&CK mitigation M0802 (v1.0)", "name": "Communication Authenticity (M0802)", "domain": "ics-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T0800", "comment": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0830", "comment": "Communication authenticity will ensure that any messages tampered with through AiTM can be detected, but cannot prevent eavesdropping on these. In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various AiTM procedures.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0858", "comment": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0868", "comment": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0816", "comment": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0831", "comment": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0832", "comment": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0839", "comment": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0861", "comment": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0843", "comment": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0845", "comment": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0848", "comment": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0856", "comment": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0857", "comment": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0855", "comment": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0860", "comment": "Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. (Citation: CISA March 2010)  Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Communication Authenticity", "color": "#66b1ff"}]}