Change Program State

ID: T0875
Tactic: Execution, Impair Process Control
Data Sources: Alarm history, Sequential event recorder, Network protocol analysis, Packet capture
Asset: Field Controller/RTU/PLC/IED


Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.

Procedure Examples

  • After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster.[1]
  • Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase.[2]
  • Triton has the ability to halt or run a program through the TriStation protocol. contains instances of halt and run functions being executed.[3]

Mitigations

  • Authorization Enforcement - All field controllers should restrict program state changes to required authenticated users (e.g., engineers, field technicians) only, preferably through implementing a role-based access mechanism.
  • Communication Authenticity - Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
  • Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.[4]
  • Access Management - All device or system changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.
  • Network Segmentation - Segment the operational network and systems to restrict access to critical system functions to predetermined management systems.[4]
  • Filter Network Traffic - Utilize allow/denylists to prevent any unauthorized network messages used to change program state, including any messages that may change the programs running on a device.
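
The allowlist and traffic-filtering mitigations above can double as detection logic over the network protocol analysis data source. The following is an added example, not part of the original page: it reviews already-decoded management messages and flags halt/run commands from sources outside a per-controller allowlist, plus any run that follows a program download made while the controller was halted. The event fields, the operation labels ("halt", "run", "download", "read"), the addresses and the allowlist are assumptions constructed for illustration.

```python
from collections import namedtuple

# One decoded management-protocol message. Field names and operation labels are
# assumptions for this example; a real decoder would map protocol function
# codes onto them.
Event = namedtuple("Event", "ts src dst op")

STATE_CHANGE_OPS = {"halt", "run"}  # the two operations named on this page

# Hypothetical allowlist: controller -> engineering workstations permitted to
# change its program state.
ALLOWLIST = {"192.0.2.20": {"192.0.2.10"}}

# Constructed sample traffic (not from a real capture).
SAMPLE = [
    Event(100, "192.0.2.10", "192.0.2.20", "read"),
    Event(200, "192.0.2.77", "192.0.2.20", "halt"),
    Event(230, "192.0.2.77", "192.0.2.20", "download"),
    Event(260, "192.0.2.77", "192.0.2.20", "run"),
    Event(900, "192.0.2.10", "192.0.2.20", "run"),
]

def review_events(events, allowlist=ALLOWLIST):
    """Return (reason, event) findings for program state changes."""
    findings = []
    halted = {}  # controller -> True once a download is seen while halted
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "download":
            if ev.dst in halted:
                halted[ev.dst] = True
            continue
        if ev.op not in STATE_CHANGE_OPS:
            continue
        # Allowlist check: only listed workstations may change program state.
        if ev.src not in allowlist.get(ev.dst, set()):
            findings.append(("unauthorized_source", ev))
        if ev.op == "halt":
            halted[ev.dst] = False
        elif halted.pop(ev.dst, False):
            # A run after halt + download means a different program may now execute.
            findings.append(("program_loaded_while_halted", ev))
    return findings

if __name__ == "__main__":
    for reason, ev in review_events(SAMPLE):
        print(f"{ev.ts:>5} {reason:<28} {ev.src} -> {ev.dst} {ev.op}")
```

A halt, download and run sequence from an allowlisted workstation is still reported, so it can be matched against planned maintenance in the alarm history.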