Program Download

Adversaries may perform a program download to transfer a user program to a controller.

Variations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.

The granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space.

Modify Controller Tasking and Modify Program represent the configuration changes that are transferred to a controller via a program download.

ID: T0843
Sub-techniques:  No sub-techniques
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S1045 INCONTROLLER

INCONTROLLER can use the CODESYS protocol to download programs to Schneider PLCs.[1][2]

INCONTROLLER can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.[1]

S1006 PLC-Blaster

PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units. [3]

S0603 Stuxnet

Stuxnet's infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. [4]

S1009 Triton

Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. [5]

C0030 Triton Safety Instrumented System Attack

In the Triton Safety Instrumented System Attack, TEMP.Veles downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.[6]

Targeted Assets

ID Asset
A0003 Programmable Logic Controller (PLC)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0801 Access Management

Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.

M0947 Audit

Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. [7]

M0800 Authorization Enforcement

All field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.

M0945 Code Signing

Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.

M0802 Communication Authenticity

Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.

M0937 Filter Network Traffic

Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.

M0804 Human User Authentication

All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.

M0807 Network Allowlists

Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. [8]

M0930 Network Segmentation

Segment operational network and systems to restrict access to critical system functions to predetermined management systems. [8]

M0813 Software Process and Device Authentication

Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

DS0039 Asset Asset Inventory

Consult asset management systems to understand expected program versions.

DS0029 Network Traffic Network Traffic Content

Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.

DS0040 Operational Databases Device Alarm

Monitor device alarms for program downloads, although not all devices produce such alarms.

References