Modify Parameter

Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.

An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system- and process-critical parameters, the adversary may cause Impact to equipment and/or control processes. Parameters may be changed to values that are dangerous, out of bounds, or unexpected for typical operations, for example by specifying that a process run for more or less time than it should, or by setting an unusually high, low, or invalid value.

ID: T0836
Sub-techniques: No sub-techniques
Platforms: Control Server, Field Controller/RTU/PLC/IED, Human-Machine Interface, Safety Instrumented System/Protection Relay
Version: 1.2
Created: 21 May 2020
Last Modified: 05 April 2023

Procedure Examples

ID Name Description

INCONTROLLER can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCAT-connected servo drives.[1]

S1072 Industroyer2

Industroyer2 modifies specified Information Object Addresses (IOAs) for specified Application Service Data Unit (ASDU) addresses to either the ON or OFF state.[2][3]

C0020 Maroochy Water Breach

In the Maroochy Water Breach, the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.[4]

C0009 Oldsmar Treatment Plant Intrusion

During the Oldsmar Treatment Plant Intrusion, the threat actors raised the sodium hydroxide setpoint value from 100 parts per million (ppm) to 11,100 ppm, far beyond normal operating levels.[5]

S0603 Stuxnet

In states 3 and 4, Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example, one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters, changing the behavior of the device.[6]


ID Mitigation Description
M0947 Audit

Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Cryptographic hash functions (e.g., SHA-2, SHA-3) should preferably be used instead.[7]

M0800 Authorization Enforcement

All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.

M0818 Validate Program Inputs

Devices and programs should validate the content of any remote parameter changes, including those from HMIs, control servers, or engineering workstations.[8]


ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor device application logs for parameter changes, although not all devices will produce such logs.

DS0039 Asset Asset Inventory

Monitor asset management systems for device configuration changes, which can be used to understand expected parameter settings.

DS0029 Network Traffic Network Traffic Content

Monitor ICS management protocols for parameter changes, including for unexpected values, changes far exceeding standard values, or for parameters being changed in an unexpected way (e.g., via a new function, at an unusual time).

DS0040 Operational Databases Device Alarm

Monitor for device alarms produced when parameters are changed, although not all devices will produce such alarms.
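
The checks described under Validate Program Inputs and Network Traffic Content (unexpected values, changes far exceeding standard values, unexpected source or time) can be expressed as one policy evaluation per observed write. The following is an added example, not part of the original page or of any vendor's code. It assumes parameter changes have already been decoded from protocol traffic or device logs into records; the parameter names, host names, limits and events are all constructed for illustration.

```python
from datetime import datetime
from typing import NamedTuple

class Policy(NamedTuple):   # expected envelope for one parameter
    low: float              # engineering low limit
    high: float             # engineering high limit
    max_step: float         # largest plausible single change
    sources: frozenset      # hosts expected to write this parameter
    hours: range            # local hours when changes are expected

class Change(NamedTuple):   # one observed write (decoded traffic or device log)
    when: datetime
    source: str
    parameter: str
    old: float
    new: float

# Constructed baseline, standing in for what an asset inventory would provide.
POLICIES = {
    "naoh_setpoint_ppm": Policy(50, 200, 25, frozenset({"hmi-01"}), range(6, 20)),
    "motor_run_seconds": Policy(0, 600, 120, frozenset({"hmi-01", "ews-02"}), range(24)),
}

def evaluate(change, policies=POLICIES):
    """Return the reasons a parameter change deviates from its policy."""
    policy = policies.get(change.parameter)
    if policy is None:
        return ["unknown_parameter"]
    findings = []
    # NaN fails every comparison, so test for "inside" and negate.
    if not (policy.low <= change.new <= policy.high):
        findings.append("out_of_bounds")
    if not (abs(change.new - change.old) <= policy.max_step):
        findings.append("step_too_large")
    if change.source not in policy.sources:
        findings.append("unexpected_source")
    if change.when.hour not in policy.hours:
        findings.append("unusual_time")
    return findings

# Constructed events; the first mirrors the 100 -> 11,100 ppm change above.
EVENTS = [
    Change(datetime(2024, 1, 1, 13, 30), "remote-ws", "naoh_setpoint_ppm", 100, 11100),
    Change(datetime(2024, 1, 1, 9, 0), "hmi-01", "naoh_setpoint_ppm", 100, 110),
    Change(datetime(2024, 1, 1, 3, 0), "hmi-01", "motor_run_seconds", 60, float("nan")),
]

if __name__ == "__main__":
    print([evaluate(event) or "ok" for event in EVENTS])
```

The same function can sit in front of a write path as a reject rule or behind a passive monitor as an alert rule; in both cases an invalid value such as NaN is flagged rather than silently passing the range check.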