TID-302: Install Untrusted Application
Threat Description
A threat actor can install a malicious program on the device to manipulate its operations or prevent the device from operating as expected. Devices can use a variety of approaches to support the download, modification, and execution of programs/logic. For example, some devices support program downloads through traditional operating system interfaces (e.g., Telnet, SSH, RDP), while other devices, such as PLCs, often use proprietary interfaces to deploy and execute IEC 61131-based logic programs. Devices are often dependent on a remote system, such as a Windows workstation running a vendor-specific application or IDE, to develop the programs and transfer them to the device. However, devices often assume that all code originates from that trusted program/IDE, and therefore perform no integrity checking of the code before downloading or executing it.
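The device-side acceptance logic described above, as an added illustration (not code from any vendor or from this threat entry): a controller that installs any program download it parses, beside one that checks origin and integrity before installing. The frame layout, the HMAC-SHA256 tag and the provisioned key are all constructed for this example; a production device would typically use an asymmetric signature tied to a hardware-protected key, but the check-before-install structure is the same.

```python
import hashlib
import hmac
import struct

# Constructed example values: a hypothetical download frame layout and a key
# assumed to have been provisioned on the controller at manufacture.
MAGIC = b"PRG1"
HEADER_LEN = 12          # 4-byte magic + 4-byte version + 4-byte payload length
TAG_LEN = 32             # HMAC-SHA256 over magic/version/length/payload
DEVICE_PROGRAM_KEY = b"example-provisioned-key-32-bytes!"

def build_frame(version: int, payload: bytes, key: bytes) -> bytes:
    """Engineering-workstation side: wrap a logic program with a version and tag."""
    body = MAGIC + struct.pack(">II", version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def parse_frame(frame: bytes):
    """Split a frame into (version, payload, signed body, tag); reject malformed input."""
    if len(frame) < HEADER_LEN + TAG_LEN or frame[:4] != MAGIC:
        raise ValueError("malformed frame")
    version, length = struct.unpack(">II", frame[4:HEADER_LEN])
    if len(frame) != HEADER_LEN + length + TAG_LEN:
        raise ValueError("length mismatch")
    body = frame[:HEADER_LEN + length]
    return version, body[HEADER_LEN:], body, frame[HEADER_LEN + length:]

class Controller:
    def __init__(self, key: bytes, installed_version: int = 0):
        self.key = key
        self.installed_version = installed_version
        self.logic = b""

def accept_unchecked(ctrl: Controller, frame: bytes) -> bool:
    """CWE-494 pattern: whatever arrives over the download interface is installed."""
    version, payload, _, _ = parse_frame(frame)
    ctrl.logic, ctrl.installed_version = payload, version
    return True

def accept_verified(ctrl: Controller, frame: bytes) -> bool:
    """Hardened path: verify tag and version before touching the installed logic."""
    version, payload, body, tag = parse_frame(frame)
    expected = hmac.new(ctrl.key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False     # wrong origin or tampered contents: leave current logic untouched
    if version <= ctrl.installed_version:
        return False     # anti-rollback: a valid but older program is not reinstalled
    ctrl.logic, ctrl.installed_version = payload, version
    return True
```

A tampered frame passes `parse_frame` either way; only `accept_verified` refuses it, and the previously installed logic remains in place.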
Threat Maturity and Evidence
Observed Adversarial Technique
ATT&CK Technique: Program Download (T0843)
Procedure Example: Triton (S1009)
“Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System”.
Procedure Example: Incontroller (S1045)
“The Incontroller software was able to perform program downloads to a controller through a self-contained API.”
CWE
CWE-494: Download of Code Without Integrity Check
“The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.”