Modify Controller Tasking

Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller.

According to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. [1] An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.

Tasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).

ID: T0821
Sub-techniques:  No sub-techniques
Tactic: Execution
Platforms: None
Version: 1.2
Created: 13 April 2021
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S1006 PLC-Blaster

PLC-Blaster's code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. [2]

S0603 Stuxnet

Stuxnet infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. [3]

S1009 Triton

Triton's argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. [4] [5]

Targeted Assets

ID Asset
A0003 Programmable Logic Controller (PLC)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0947 Audit

Provide the ability to verify the integrity of controller tasking. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. [6]

M0800 Authorization Enforcement

All field controllers should restrict the modification of controller tasks to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.

M0945 Code Signing

Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets, including the associated controller tasking.

M0804 Human User Authentication

All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor asset application logs for information that indicate task parameters have changed.

DS0039 Asset Software

Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. Data from these platforms can be used to identify modified controller tasking.

DS0040 Operational Databases Device Alarm

Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms.

Program Download may be used to enable this technique. Monitor for program downloads which may be noticeable via operational alarms. Asset management systems should be consulted to understand expected program versions.

References