|Tactic||Persistence, Inhibit Response Function, Impair Process Control|
|Data Sources||Sequential event recorder, Controller program, Network protocol analysis, Packet capture|
|External Contributors||Joe Slowik - Dragos|
|Asset||Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay|
Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.
- Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. [1]
- Triton leveraged the TriStation protocol to download programs onto the Triconex Safety Instrumented System. [2]
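
The description above lists the sequential event recorder and network protocol analysis as data sources and notes that a program download forces the PLC into STOP. The following detection sketch is an added example, not part of the original page: it correlates the two sources and flags downloads from unapproved sources or outside a change window. The record fields, addresses, PLC names, change windows and the 10-second correlation tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions, not a real product schema.
# Network protocol analysis output: one record per decoded engineering operation.
NET_EVENTS = [
    {"ts": "2024-03-04T02:14:07", "src": "10.10.5.20", "plc": "PLC-07", "op": "program_download"},
    {"ts": "2024-03-04T09:30:00", "src": "10.10.5.11", "plc": "PLC-03", "op": "program_download"},
    {"ts": "2024-03-04T09:45:12", "src": "10.10.5.11", "plc": "PLC-03", "op": "read_tags"},
]
# Sequential event recorder output: controller operating-state changes.
SER_EVENTS = [
    {"ts": "2024-03-04T02:14:09", "plc": "PLC-07", "state": "STOP"},
    {"ts": "2024-03-04T09:30:03", "plc": "PLC-03", "state": "STOP"},
    {"ts": "2024-03-04T13:02:40", "plc": "PLC-05", "state": "STOP"},
]
ENG_WORKSTATIONS = {"10.10.5.11"}  # approved download sources
CHANGE_WINDOWS = {"PLC-03": ("2024-03-04T09:00:00", "2024-03-04T11:00:00")}
CORRELATION = timedelta(seconds=10)  # allowed gap between download and STOP

def _t(stamp):
    return datetime.fromisoformat(stamp)

def review_downloads(net, ser, workstations, windows):
    """Return (findings, unexplained_stops) from the two data sources."""
    findings, explained = [], set()
    for d in (e for e in net if e["op"] == "program_download"):
        reasons = []
        if d["src"] not in workstations:
            reasons.append("source is not an approved engineering workstation")
        win = windows.get(d["plc"])
        if not win or not (_t(win[0]) <= _t(d["ts"]) <= _t(win[1])):
            reasons.append("outside an approved change window")
        # A download forces the controller into STOP; find the matching SER entry.
        for i, s in enumerate(ser):
            gap = _t(s["ts"]) - _t(d["ts"])
            if s["plc"] == d["plc"] and s["state"] == "STOP" and timedelta(0) <= gap <= CORRELATION:
                explained.add(i)
                break
        else:
            reasons.append("no STOP transition recorded; check SER coverage")
        if reasons:
            findings.append({"plc": d["plc"], "ts": d["ts"], "src": d["src"], "reasons": reasons})
    # STOP with no observed download: operator action, or a download the sensor missed.
    unexplained = [s for i, s in enumerate(ser) if s["state"] == "STOP" and i not in explained]
    return findings, unexplained

if __name__ == "__main__":
    for result in review_downloads(NET_EVENTS, SER_EVENTS, ENG_WORKSTATIONS, CHANGE_WINDOWS):
        print(result)
```

A STOP transition with no matching download, such as the constructed PLC-05 record, is reported separately because it can indicate a download path the network sensor does not cover.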