A0003: Programmable Logic Controller (PLC)
A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support their processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry-specific programming languages, such as IEC 61131 [1], which define the set of tasks and program organizational units (POUs) included in the device’s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.
Analyst context for executives and security teams
A PLC is the embedded controller that runs customized logic for an operational process. In practical risk terms, it is often where cyber access can become a physical or production-impacting event. The related ATT&CK techniques show why PLC coverage matters: adversaries may monitor process state, upload or download programs, modify tasking, parameters, alarms, or I/O behavior, force restart/shutdown, or disrupt device functionality.
Executive priority
Treat PLCs as critical operational assets, not just network endpoints. Leadership should ask whether the organization has a current inventory of PLCs, approved logic/configuration baselines, controlled engineering access, recoverable backups, and evidence that unauthorized program, mode, parameter, alarm, and I/O changes would be noticed. This is material for business continuity, OT incident response readiness, vulnerability prioritization, and compliance evidence around change control and safety-relevant operations.
Technical view
SOC, OT engineering, and IR teams should validate visibility around the PLC lifecycle: engineering workstation access, vendor programming activity, program upload/download events, online edits, program append activity, controller mode changes, firmware update mode activation, restart/shutdown events, parameter and alarm changes, and unusual I/O point changes. Because ATT&CK provides no official detection for this asset, coverage should be proven locally against the specific PLC models, programming tools, control protocols, historian/OPC sources, and network paths in use.
Likely telemetry
- PLC asset inventory, firmware/software version, operating mode, and role in the process
- Engineering workstation and jump host authentication, process execution, and vendor programming software usage logs
- PLC program upload, download, online edit, program append, tasking, and configuration change records where available
- Network traffic to and from PLCs, including native control protocol activity and OPC-related collection where present
- Historian, OPC tag, and process state data used to detect unexpected reads or value changes
Detection direction
- Build detections around deviations from approved maintenance windows, known engineering hosts, and authorized users rather than treating all PLC programming activity as malicious.
- Compare running PLC logic, task associations, parameters, alarm settings, and configuration against approved baselines after maintenance and during investigations.
- Alert on program download/upload, online edit, program append, mode changes, firmware update mode, restart/shutdown, and repeated I/O value changes when they occur outside expected procedures.
- Correlate network discovery, port scan, broadcast discovery, sniffing indicators, and process-state monitoring with later PLC programming or configuration activity.
- Account for false positives from legitimate engineering work, commissioning, testing, and emergency maintenance; require operational context before escalation decisions.
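As an added example (not part of the ATT&CK object or of Glexia's analysis), the following Python checks PLC change events against an allowlist of engineering hosts, authorized users and approved maintenance windows, in the spirit of the detection direction above; every host, user, action name and window value is a constructed assumption.

```python
from datetime import datetime as dt

# PLC actions that alter program, mode or firmware state (action names are constructed).
SENSITIVE_ACTIONS = {"program_download", "program_upload", "online_edit",
                     "program_append", "mode_change", "firmware_update_mode",
                     "restart_shutdown"}

def in_window(ts, windows):
    """True when ts falls inside any approved maintenance window (start, end)."""
    return any(start <= ts <= end for start, end in windows)

def evaluate(event, policy):
    """Return the policy deviations for one event; an empty list means expected."""
    if event["action"] not in SENSITIVE_ACTIONS:
        return []  # reads and process-state polling are assessed separately
    reasons = []
    if event["src_host"] not in policy["engineering_hosts"]:
        reasons.append("source is not an approved engineering host")
    if event["user"] not in policy["authorized_users"]:
        reasons.append("user is not authorized for PLC changes")
    if not in_window(event["time"], policy["maintenance_windows"]):
        reasons.append("outside an approved maintenance window")
    return reasons

def triage(events, policy):
    """Return (plc, action, reasons) for every event that deviates from policy."""
    return [(e["plc"], e["action"], r) for e in events if (r := evaluate(e, policy))]

# Constructed policy and event records; a real deployment would load these from
# the change-control system and from engineering-workstation or PLC logs.
POLICY = {
    "engineering_hosts": {"ews01"},
    "authorized_users": {"plc_eng"},
    "maintenance_windows": [(dt(2024, 3, 2, 8, 0), dt(2024, 3, 2, 12, 0))],
}
EVENTS = [
    {"plc": "plc-07", "action": "program_download", "src_host": "ews01",
     "user": "plc_eng", "time": dt(2024, 3, 2, 9, 30)},       # expected change
    {"plc": "plc-07", "action": "mode_change", "src_host": "lab-laptop",
     "user": "plc_eng", "time": dt(2024, 3, 2, 10, 0)},       # unknown host
    {"plc": "plc-07", "action": "online_edit", "src_host": "ews01",
     "user": "contractor", "time": dt(2024, 3, 2, 23, 15)},   # user and window
    {"plc": "plc-07", "action": "monitor_process_state", "src_host": "hist01",
     "user": "svc_hist", "time": dt(2024, 3, 2, 23, 16)},     # not a change
]

if __name__ == "__main__":
    for plc, action, reasons in triage(EVENTS, POLICY):
        print(plc, action, "; ".join(reasons))
```

Each hit still needs the operational context the list above calls for (commissioning, emergency maintenance) before it is escalated.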
Mitigation priorities
- Maintain an authoritative PLC inventory mapped to process criticality and recovery priority.
- Restrict and monitor access to engineering workstations, jump hosts, vendor programming software, and interfaces capable of PLC program or configuration changes.
- Enforce formal change control for PLC logic, tasking, parameters, alarm settings, firmware update mode, operating mode, and I/O overrides.
- Keep offline, tested backups of PLC programs and configurations to support rapid validation and recovery.
- Segment and monitor PLC network paths so discovery, collection, and programming activity are limited to expected systems and procedures.
Analyst notes and limits
This take is based on the ATT&CK ICS asset A0003 and its relationships to PLC-targeting techniques including program upload/download, online edit, program append, modify controller tasking, manipulate I/O image, modify parameter, modify alarm settings, process-state monitoring, discovery, DoS, restart/shutdown, firmware update mode, and exploitation for evasion. The IEC 61131-3 reference supports the importance of tasks, programs, and programming languages in PLC logic governance.
MITRE does not provide an official detection section for this asset, and the supplied object does not name particular vendors or protocols (beyond the examples in related technique descriptions), tactics, or active threat activity. Local PLC models, engineering workflows, logging capabilities, network architecture, and safety/process context are required to determine actual detection and control coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T1693.002 | Module Firmware Sub-technique | Module Firmware targets this object. |
| ICS | T1691 | Block Operational Technology Message | Block Operational Technology Message targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0868 | Detect Operating Mode | Detect Operating Mode targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T1692 | Unauthorized Message | Unauthorized Message targets this object. |
| ICS | T0871 | Execution through API | Execution through API targets this object. |
| ICS | T0843.002 | Online Edit Sub-technique | Online Edit targets this object. |
| ICS | T1693 | Modify Firmware | Modify Firmware targets this object. |
| ICS | T0843 | Program Download | Program Download targets this object. |
| ICS | T1691.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T0845 | Program Upload | Program Upload targets this object. |
| ICS | T0848 | Rogue Master | Rogue Master targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T1693.001 | System Firmware Sub-technique | System Firmware targets this object. |
| ICS | T1691.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0802 | Automated Collection | Automated Collection targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0838 | Modify Alarm Settings | Modify Alarm Settings targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0843.003 | Program Append Sub-technique | Program Append targets this object. |
| ICS | T0801 | Monitor Process State | Monitor Process State targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T0843.001 | Download All Sub-technique | Download All targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0806 | Brute Force I/O | Brute Force I/O targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0878 | Alarm Suppression | Alarm Suppression targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T1692.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0836 | Modify Parameter | Modify Parameter targets this object. |
| ICS | T1695.001 | Serial COM Sub-technique | Serial COM targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0835 | Manipulate I/O Image | Manipulate I/O Image targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0858 | Change Operating Mode | Change Operating Mode targets this object. |
| ICS | T0877 | I/O Image | I/O Image targets this object. |
| ICS | T0821 | Modify Controller Tasking | Modify Controller Tasking targets this object. |
| ICS | T0800 | Activate Firmware Update Mode | Activate Firmware Update Mode targets this object. |
| ICS | T1692.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T0861 | Point & Tag Identification | Point & Tag Identification targets this object. |
| ICS | T0889 | Modify Program | Modify Program targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 4f64d12e9fb0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] IEC. (2013, February 20). IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages. Retrieved 2019/10/22.
- [2] mitre-attack. A0003.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.