This site has been deprecated in favor of and will remain in place until 11/1/22.

I/O Image


ID: T0877
Tactic: Collection
Data Sources: Asset: Software/Firmware
Asset: Field Controller/RTU/PLC/IED


Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table.[1] The image table is the PLC’s internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.

The Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O.[2]
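The scan cycle described above, as a small Python model added for illustration (not code from the original page; the class, the motor seal-in logic and the mid-scan stop press are constructed assumptions). It shows that the user program only ever sees the latched input image, so a field change during the program scan takes effect one scan later.

```python
# Added illustration: minimal model of a PLC scan cycle. All names are hypothetical.

class ScanCyclePLC:
    def __init__(self, n_inputs, n_outputs, program):
        self.field_inputs = [False] * n_inputs    # physical input points on I/O modules
        self.field_outputs = [False] * n_outputs  # physical output points on I/O modules
        self.input_image = [False] * n_inputs     # input image table
        self.output_image = [False] * n_outputs   # output image table
        self.program = program                    # user logic program

    def scan(self, mid_scan_event=None):
        # 1. Input scan: latch the status of every input into the image table.
        self.input_image = list(self.field_inputs)
        # Constructed hook: lets the demo change a field input after the latch.
        if mid_scan_event:
            mid_scan_event(self)
        # 2. Program scan: the logic reads and writes the image tables only.
        self.program(self.input_image, self.output_image)
        # 3. Output scan: copy the output image table to the output points.
        self.field_outputs = list(self.output_image)
        return tuple(self.field_outputs)


def motor_seal_in(inputs, outputs):
    # inputs[0] = start button, inputs[1] = stop button, outputs[0] = motor
    outputs[0] = (inputs[0] or outputs[0]) and not inputs[1]


def demo():
    plc = ScanCyclePLC(2, 1, motor_seal_in)
    results = []

    plc.field_inputs[0] = True             # start pressed before scan 1
    results.append(plc.scan())             # motor turns on

    plc.field_inputs[0] = False            # start released

    def press_stop(p):                     # stop pressed after the input latch
        p.field_inputs[1] = True

    results.append(plc.scan(press_stop))   # image still shows stop released
    results.append(plc.scan())             # stop is latched now, motor turns off
    return results


if __name__ == "__main__":
    print(demo())
```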

Adversaries may collect the I/O Image state of a PLC by utilizing a device’s Native API to access the memory regions directly. The collection of the PLC’s I/O state could be used to replace values or inform future stages of an attack.

Procedure Examples

  • Stuxnet copies the input area of an I/O image into data blocks with a one-second interval between copies, forming a 21-second recording of the input area. The input area contains information being passed to the PLC from a peripheral, for example the current state of a valve or the temperature of a device.[3]


  • Mitigation Limited or Not Effective - This technique may not be effectively mitigated against; consider controls for assets and processes that lead to the use of this technique.