I/O Image

From attackics
Revision as of 16:15, 22 September 2020 by Jsteele (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
I/O Image
ID T0877
Tactic Collection
Data Sources Controller program
Asset Field Controller/RTU/PLC/IED


Adversaries may seek to capture process image values related to the inputs and outputs of a PLC. Within a PLC all input and output states are stored into an I/O image. This image is used by the user program instead of directly interacting with physical I/O.1

Procedure Examples

  • Stuxnet copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device.2


  • Mitigation Limited or Not Effective - This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.