T0835 Manipulate I/O Image
Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. 1 During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. 2 The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.
One of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.
| Item | Value |
|---|---|
| ID | T0835 |
| Sub-techniques | |
| Tactics | TA0107 |
| Platforms | Field Controller/RTU/PLC/IED |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 20 October 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1006 | PLC-Blaster | PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. 4 |
| S0603 | Stuxnet | When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral. 3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0816 | Mitigation Limited or Not Effective | This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0039 | Asset | Software |
References
-
Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 ↩
-
Nanjundaiah, Vaidyanath Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 PLC Ladder Logic Basics Retrieved. 2021/10/11 ↩
-
Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ↩
-
Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ↩