Skip to content

T0821 Modify Controller Tasking

Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller.

According to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. 1 An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.

Tasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).

Item Value
ID T0821
Tactics TA0104
Platforms Field Controller/RTU/PLC/IED
Version 1.1
Created 13 April 2021
Last Modified 09 March 2023

Procedure Examples

ID Name Description
S1006 PLC-Blaster PLC-Blaster‘s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. 3
S0603 Stuxnet Stuxnet infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. 6
S1009 Triton Triton‘s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. 4 5


ID Mitigation Description
M0947 Audit Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. 2
M0945 Code Signing Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0039 Asset Software
DS0040 Operational Databases Device Alarm