1. Home
  2. Techniques
  3. ICS
  4. Modify Program

Modify Program

Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.

Program modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) [1] and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another.

Some programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.

ID: T0889
Sub-techniques:  No sub-techniques
Tactic: Persistence
Platforms: None
Version: 1.2
Created: 13 April 2021
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
S1006 PLC-Blaster

PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. [2]
S0603 Stuxnet

Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. [3]

Targeted Assets

ID Asset
A0017 Distributed Control System (DCS) Controller
A0018 Programmable Automation Controller (PAC)
A0003 Programmable Logic Controller (PLC)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0947 Audit

Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. [4]
M0800 Authorization Enforcement

All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.
M0945 Code Signing

Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets.
M0804 Human User Authentication

All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0783 Detection of Modify Program AN1915

Monitor device management protocols for functions that modify programs such as online edit and program append events.
Monitor device alarms that indicate the program has changed, although not all devices produce such alarms.
Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs. Data from these platforms can be used to identify modified controller programs.
Monitor device application logs that indicate the program has changed, although not all devices produce such logs.

References

  1. IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22
  2. Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19
  1. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  2. IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25