
T0877 I/O Image

Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. [1] The image table is the PLC's internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.

The Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. [2]
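The scan cycle described above, modelled as a minimal simulation (an added example, not part of the original page or of any vendor's firmware). The point addresses `I0.0`, `I0.1`, `Q0.0` and the motor rung are constructed for illustration; the run shows that the user program only ever sees the per-scan snapshot, which is why the image tables hold the complete process state for a scan.

```python
from dataclasses import dataclass, field

@dataclass
class PLC:
    """Scan-cycle model: physical I/O is touched only at scan boundaries."""
    physical_inputs: dict                       # field wiring state (constructed points)
    physical_outputs: dict = field(default_factory=dict)
    input_image: dict = field(default_factory=dict)
    output_image: dict = field(default_factory=dict)

    def scan(self, program, mid_scan_event=None):
        # 1. Input scan: snapshot every input point into the input image table.
        self.input_image = dict(self.physical_inputs)
        # Optional hook: a field signal changes while the logic is executing.
        if mid_scan_event:
            mid_scan_event(self.physical_inputs)
        # 2. Program scan: the user program reads/writes the image tables only.
        program(self.input_image, self.output_image)
        # 3. Output scan: the output image is written to the output points.
        self.physical_outputs = dict(self.output_image)
        return dict(self.physical_outputs)

def motor_program(i, q):
    """Seal-in rung: Q0.0 = (start I0.0 OR Q0.0) AND NOT stop I0.1."""
    q["Q0.0"] = (i["I0.0"] or q.get("Q0.0", False)) and not i["I0.1"]

def demo():
    plc = PLC(physical_inputs={"I0.0": False, "I0.1": False})
    results = [plc.scan(motor_program)["Q0.0"]]           # idle
    plc.physical_inputs["I0.0"] = True                    # start pressed
    results.append(plc.scan(motor_program)["Q0.0"])       # motor runs
    plc.physical_inputs["I0.0"] = False                   # start released, seal-in holds
    # Stop is pressed after the input snapshot was taken: invisible to this scan.
    press_stop = lambda pins: pins.update({"I0.1": True})
    results.append(plc.scan(motor_program, press_stop)["Q0.0"])
    results.append(plc.scan(motor_program)["Q0.0"])       # next scan sees the stop
    return results, plc.input_image

if __name__ == "__main__":
    print(demo())
```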

Adversaries may collect the I/O Image state of a PLC by utilizing a device's Native API to access the memory regions directly. The collection of the PLC's I/O state could be used to replace values or inform future stages of an attack.

| Item | Value |
|---|---|
| ID | T0877 |
| Sub-techniques | |
| Tactics | TA0100 |
| Platforms | Field Controller/RTU/PLC/IED |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0603 | Stuxnet | Stuxnet copies the input area of an I/O image into data blocks with a one-second interval between copies, forming a 21-second recording of the input area. The input area contains information being passed to the PLC from a peripheral, for example the current state of a valve or the temperature of a device. [3] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M0816 | Mitigation Limited or Not Effective | This technique may not be effectively mitigated against; consider controls for assets and processes that lead to the use of this technique. |

Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0039 | Asset | Software |

References