Monitor Process State

ID: T0801
Tactic: Collection
Data Sources: Network Traffic: Network Traffic Content
Asset: Human-Machine Interface, Control Server, Data Historian, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay


Adversaries may gather information about the physical process state. This information may be used to learn more about the process itself or as a trigger for malicious actions. The sources of process state information vary and may include OPC tags, historian data, specific PLC block information, or network traffic.

Procedure Examples

  • Industroyer's OPC and IEC 61850 protocol modules include the ability to send "stVal" requests to read the status of operational variables. [1]
  • Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. [2]