T0821 Modify Controller Tasking
Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller.
According to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. 1 An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.
Tasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).
| Item | Value |
|---|---|
| ID | T0821 |
| Sub-techniques | |
| Tactics | TA0104 |
| Platforms | Field Controller/RTU/PLC/IED |
| Version | 1.1 |
| Created | 13 April 2021 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1006 | PLC-Blaster | PLC-Blaster‘s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. 3 |
| S0603 | Stuxnet | Stuxnet infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. 6 |
| S1009 | Triton | Triton‘s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. 4 5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0947 | Audit | Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. 2 |
| M0945 | Code Signing | Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0039 | Asset | Software |
| DS0040 | Operational Databases | Device Alarm |
References
-
IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ↩
-
IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ↩
-
Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ↩
-
DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ↩
-
Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ↩
-
Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ↩