Skip to content

T0801 Monitor Process State

Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.

Item Value
ID T0801
Tactics TA0100
Platforms Control Server, Data Historian, Field Controller/RTU/PLC/IED, Human-Machine Interface, Safety Instrumented System/Protection Relay
Version 1.0
Created 21 May 2020
Last Modified 09 March 2023

Procedure Examples

ID Name Description
S0604 Industroyer Industroyer‘s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. 1
S1072 Industroyer2 Industroyer2 uses a General Interrogation command to monitor the device’s Information Object Addresses (IOAs) and their IO state values.2
S0603 Stuxnet Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. 3


ID Mitigation Description
M0816 Mitigation Limited or Not Effective This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0029 Network Traffic Network Traffic Content