I/O Image

Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. [1] The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.

The Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. [2]

Adversaries may collect the I/O Image state of a PLC by utilizing a devices Native API to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.

ID: T0877
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: Field Controller/RTU/PLC/IED
Version: 1.1
Created: 21 May 2020
Last Modified: 27 September 2022

Procedure Examples

ID Name Description
S0603 Stuxnet

Stuxnet copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device. [3]


ID Mitigation Description
M0816 Mitigation Limited or Not Effective

This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.


ID Data Source Data Component Detects
DS0039 Asset Software

Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.