Skip to content

T0835 Manipulate I/O Image

Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. 1 During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. 2 The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.

One of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.

Item Value
ID T0835
Sub-techniques
Tactics TA0107
Platforms Field Controller/RTU/PLC/IED
Version 1.1
Created 21 May 2020
Last Modified 20 October 2022

Procedure Examples

ID Name Description
S1006 PLC-Blaster PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. 4
S0603 Stuxnet When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral. 3

Mitigations

ID Mitigation Description
M0816 Mitigation Limited or Not Effective This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.

Detection

ID Data Source Data Component
DS0039 Asset Software

References