This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.
Modify Program
To visit this technique’s new page please go to and update your links to https://attack.mitre.org/techniques/T0889
Modify Program | |
---|---|
Technique | |
ID | T0889 |
Tactic | Persistence |
Data Sources | File: File Modification, Asset: Software/Firmware |
Asset | Field Controller/RTU/PLC/IED |
Description
Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.
Program modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) 1 and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another.
Some programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.
Procedure Examples
- PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block.2
- Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.3
Mitigations
- Audit - Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.4
- Code Signing - Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.
References
- ^ Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- ^ IEC. (2019, February). Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components. Retrieved September 25, 2020.
|