MID-017: Security-relevant Auditing and Logging
Mitigation Tier: Foundational
Description
Devices should include audit logs of all user access, configuration changes, program updates, service starts and stops, and other events related to security. This allows device operators and security teams to investigate device actions and hunt for unusual behavior that may be indicators of compromise.
Programmable devices like PLCs should keep logs of all program changes so that device operators can audit them for threat actor attempts to manipulate device operating environments. Particularly useful auditable events include program edits, appends, and online edits.
Limitations: Embedded devices often have constraints that limit the extent of on-device logging, such as a lack of storage space, NVRAM burnout, and network bandwidth limitations. Device designers and operators should take these limitations into account when choosing what data should be logged either locally or remotely.
Consideration: Device designers should take TID-224: Excessive Access via Software Diagnostic Features into consideration when designing the device's logging and log access scheme. Logging sensitive information, such as system crash information (core dumps, memory addresses), credentials, or keys, or giving read access to non-privileged users, could expose the device to information leaks.
Note: It is possible to overcome some of the storage limitations by offloading the data over the network. While this presents other issues related to network bandwidth, data reliability, and network-data costs, it helps to overcome some other device-level limitations.
Note: See the threats associated with PID-324 - Device includes support for “program uploads” to retrieve programs from the device from an engineering workstation for more information about uploading programs for inspection.
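The storage constraints and offloading note above, as an added example that is not part of the EMB3D page: a fixed-size audit ring for a storage-constrained device. Records carry a monotonically increasing sequence number so a remote collector can detect gaps from overwritten entries, the retained count is bounded so NVRAM use never grows, and an export routine emits text lines ready for network offload. All names and the event categories are hypothetical.

```c
/* Hypothetical audit ring for an embedded device with a tight NVRAM budget. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum audit_type {
    AUDIT_USER_ACCESS, AUDIT_CONFIG_CHANGE, AUDIT_PROGRAM_EDIT,
    AUDIT_PROGRAM_APPEND, AUDIT_ONLINE_EDIT, AUDIT_SERVICE_START, AUDIT_SERVICE_STOP
};

#define AUDIT_SLOTS 4   /* deliberately small: the retained set is bounded */
#define AUDIT_TEXT  24

struct audit_rec {
    uint32_t seq;       /* never reused; a gap at the collector means loss */
    uint32_t ts;        /* device uptime or RTC seconds */
    uint8_t  type;
    char     actor[8];
    char     detail[AUDIT_TEXT];  /* identifiers only, never credentials or keys */
};

static struct audit_rec ring[AUDIT_SLOTS];
static uint32_t next_seq = 1;
static uint32_t lost;   /* records overwritten before they were offloaded */

/* Record an event; returns the sequence number assigned to it. */
uint32_t audit_log(uint32_t ts, enum audit_type type, const char *actor, const char *detail) {
    struct audit_rec *r = &ring[(next_seq - 1) % AUDIT_SLOTS];
    if (r->seq != 0) lost++;                 /* slot still held an unexported record */
    r->seq = next_seq++;
    r->ts = ts;
    r->type = (uint8_t)type;
    snprintf(r->actor, sizeof r->actor, "%s", actor);    /* truncates, never overflows */
    snprintf(r->detail, sizeof r->detail, "%s", detail);
    return r->seq;
}

/* Copy unexported records, oldest first, as one text line each for syslog-style
 * offload, then mark them exported. Returns the number of records written. */
int audit_export(char *out, size_t cap) {
    int n = 0; size_t used = 0;
    for (int i = 0; i < AUDIT_SLOTS; i++) {
        struct audit_rec *r = &ring[(next_seq - 1 + i) % AUDIT_SLOTS];
        if (r->seq == 0) continue;
        int w = snprintf(out + used, cap - used, "%u %u %u %s %s\n", (unsigned)r->seq,
                         (unsigned)r->ts, (unsigned)r->type, r->actor, r->detail);
        if (w < 0 || (size_t)w >= cap - used) break;   /* no room: keep the record */
        used += (size_t)w; r->seq = 0; n++;
    }
    return n;
}

uint32_t audit_lost(void) { return lost; }  /* expose the loss counter to the collector */
```

The `lost` counter is itself worth reporting at every export, since a non-zero value tells the security team the offload interval is too long for the device's storage.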
IEC 62443 4-2 Mappings
CR 2.8 - Auditable events
CR 3.7 - Error handling