Manipulate I/O Image

Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. [1] During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. [2] The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.

One of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.

ID: T0835
Sub-techniques:  No sub-techniques
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S1006 PLC-Blaster

PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. [3]

S0603 Stuxnet

When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral. [4]

Targeted Assets

ID Asset
A0003 Programmable Logic Controller (PLC)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0816 Mitigation Limited or Not Effective

This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.

Detection

ID Data Source Data Component Detects
DS0039 Asset Software

A manipulated I/O image requires analyzing the application program running on the PLC for specific data block writes. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.

References