Detect Program State

From attackics
Technique
ID: T0870
Tactic: Collection
Data Sources: Network protocol analysis, Packet capture
Asset: Field Controller/RTU/PLC/IED

Description

Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals whether the program is running, halted, or stopped, or whether it has generated an exception. Adversaries may use this information to verify that a malicious program is executing, or to determine whether a PLC is ready to accept a new program download.

Procedure Examples

  • Triton contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py. [1]

Mitigations

  • Communication Authenticity - Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).
  • Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. [2]
  • Access Management - Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.
  • Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems. [2]
  • Filter Network Traffic - Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.
  • Authorization Enforcement - All field controllers should restrict program state information to required authenticated users (e.g., engineers, field technicians) only, preferably through implementing a role-based access mechanism.
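The Network Allowlists and Filter Network Traffic mitigations above amount to one check: a program-state request is only acceptable when its source host is on the allowlist for the controller it addresses. The following is an added example of that check run over parsed protocol-analysis records; it is not part of the ATT&CK for ICS page, and the record format, the request-type labels, the addresses and the allowlist are all constructed for illustration. It also treats a controller with no allowlist entry as a finding, since a PLC without a policy is a gap rather than an implicit allow.

```python
from dataclasses import dataclass

# Constructed, simplified record a network protocol analyser might emit for
# each request seen on the control network (not any real tool's format).
@dataclass(frozen=True)
class ControlRequest:
    src: str   # host issuing the request
    dst: str   # field controller (PLC) addressed
    op: str    # classified request type, e.g. "read_program_state"

# Hypothetical per-controller allowlist: PLC address -> engineering
# workstations permitted to query or change its program state.
ALLOWED_STATE_PEERS = {
    "10.0.1.10": {"10.0.2.5", "10.0.2.6"},
    "10.0.1.11": {"10.0.2.5"},
}

# Request types (constructed labels) that reveal program state.
STATE_OPS = {"read_program_state", "read_status"}

def unauthorized_state_queries(requests, allowlist=ALLOWED_STATE_PEERS):
    """Return (src, dst, op) for every program-state request whose source is
    not allowlisted for the addressed controller. Controllers with no
    allowlist entry are reported as well rather than silently allowed."""
    findings = []
    for r in requests:
        if r.op not in STATE_OPS:
            continue  # not a state query; out of scope for this check
        if r.src not in allowlist.get(r.dst, set()):
            findings.append((r.src, r.dst, r.op))
    return findings

# Constructed sample traffic exercising each branch of the check.
SAMPLE = [
    ControlRequest("10.0.2.5", "10.0.1.10", "read_program_state"),  # allowed
    ControlRequest("10.0.2.6", "10.0.1.11", "read_program_state"),  # wrong PLC
    ControlRequest("10.0.3.77", "10.0.1.10", "read_status"),        # unknown host
    ControlRequest("10.0.3.77", "10.0.1.10", "read_coils"),         # not a state op
    ControlRequest("10.0.2.5", "10.0.1.12", "read_program_state"),  # PLC w/o policy
]

if __name__ == "__main__":
    for src, dst, op in unauthorized_state_queries(SAMPLE):
        print(f"ALERT program-state request {op} from {src} to {dst}")
```

Running it prints three alerts; the allowed query and the non-state request are passed through without comment.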