Program Organization Units

From attackics
Jump to navigation Jump to search
Program Organization Units
ID T0844
Tactic Execution, Lateral Movement
Asset Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED


Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects.1 POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic.2 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON.3

Stuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected 4:

  • Increase the size of the original block.
  • Write malicious code to the beginning of the block.
  • Insert the original OB1 code after the malicious code.

Procedure Examples

  • PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Organization Block, Data Block, Function, and Function Block.3
  • Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.4


  • Audit - Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.5