Manipulate I/O Image

From attackics
Jump to navigation Jump to search
Manipulate I/O Image
Technique
ID T0835
Tactic Inhibit Response Function
Data Sources Controller program, Process monitoring
Asset Field Controller/RTU/PLC/IED

Description

Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs.1

During the PLC scan cycle, the state of the actual physical inputs is copied to a portion of the PLC memory, commonly called the input image table. When the program is scanned, it examines the input image table to read the state of a physical input.

When the logic determines the state of a physical output, it writes to a portion of the PLC memory commonly called the output image table. The output image may also be examined during the program scan. To update the physical outputs, the output image table contents are copied to the physical outputs after the program is scanned.

One of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.


Procedure Examples

  • PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified.2
  • When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral.3

Mitigations

  • Mitigation Limited or Not Effective - This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.