This site has been deprecated in favor of and will remain in place until 11/1/22.

Manipulate I/O Image

From attackics
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to

Manipulate I/O Image
ID T0835
Tactic Inhibit Response Function
Data Sources Operational Databases: Process History/Live Data, Operational Databases: Device Alarm
Asset Field Controller/RTU/PLC/IED


Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs.1 During the scan cycle, a PLC reads the status of all inputs and stores them in an image table.2 The image table is the PLC’s internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.

One of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.

Procedure Examples

  • PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified.3
  • When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral.4


  • Mitigation Limited or Not Effective - This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.