A0018: Programmable Automation Controller (PAC)
A Programmable Automation Controller (PAC) is an embedded programmable control device. PACs are designed to enable automation applications across integrated software applications, peer controllers (e.g., PLC), Human Machine Interfaces, and other systems. PACs often include advanced features for process control, motion control, drive control, and vision applications. PACs are programmed using traditional process automation programming languages (IEC-61131) and sometimes languages such as C and C++ to support more advanced controls.
Analyst context for executives and security teams
A Programmable Automation Controller is a high-value embedded control asset because it can coordinate automation across peer controllers, HMIs, software applications, and physical process functions such as process, motion, drive, and vision control. The ATT&CK relationships show many adversary behaviors targeting PACs, including program download/upload, controller tasking changes, I/O and parameter manipulation, alarm modification, discovery, network sniffing, denial of service, restart/shutdown, and firmware update mode abuse. For leaders, this means PAC security is not only an IT control issue; it is tied directly to process reliability, operator visibility, and safe response during abnormal conditions.
Executive priority
Treat PACs as operational resilience assets. Priority questions should include: which PACs support critical processes, who can program or modify them, whether program and parameter changes are approved and recoverable, and whether SOC/IR teams can distinguish legitimate engineering activity from suspicious controller interaction. Because ATT&CK provides no official detection text for this asset, organizations should not assume coverage from standard endpoint monitoring; evidence usually depends on OT network visibility, engineering workstation activity, controller state/change records, and process historian or alarm context.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring around the behaviors ATT&CK relates to PACs: program upload/download, online edit, program append, tasking modification, parameter and I/O image changes, alarm setting changes, firmware update mode, restart/shutdown, DoS-like communication patterns, discovery, port/broadcast discovery, network sniffing indicators, and adversary-in-the-middle conditions. Since PACs are embedded assets and may be programmed with IEC-61131 languages and sometimes C/C++, coverage should focus on controller-facing communications, engineering tools/workstations, approved change windows, and deviations from normal process-control activity rather than relying only on host telemetry from the PAC itself.
Likely telemetry
- OT network traffic to and from PACs, peer controllers, HMIs, and related control software
- Engineering workstation and vendor programming software activity associated with upload, download, online edit, or append operations
- Controller program, tasking, configuration, parameter, and I/O change records where available
- PAC operating state indicators, including firmware update mode, stop/run states, restart, or shutdown events
- OPC tags, historian data, PLC/PAC block information, and process state values referenced by monitoring workflows
Detection direction
- Baseline legitimate engineering activity, including approved users, workstations, maintenance windows, and expected program-change workflows.
- Alert on PAC program transfers, online edits, append operations, tasking changes, parameter changes, I/O manipulation, alarm-setting changes, and firmware update mode outside authorized change context.
- Correlate controller-facing network activity with historian/process state and operator alarm context to reduce false positives from normal maintenance or commissioning work.
- Tune discovery detections for OT realities: some broadcast discovery and vendor-tool enumeration may be legitimate, but new sources, unusual timing, or broad targeting of PACs should be reviewed.
- Validate whether the SOC can see embedded-device communications at all; lack of endpoint telemetry on PACs is a common blind spot.
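The detection direction above, worked as an added example that is not part of the ATT&CK page or any vendor tool: sensitive PAC operations are flagged when they come from a source outside the authorized engineering set or fall outside the approved maintenance window. The event line format, host names, operation tags and window are all constructed assumptions.

```python
"""Flag sensitive PAC operations outside an approved change context.
Added example (not from the ATT&CK page or any vendor tool); the event format,
host names, and maintenance window below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime

# Operations the page lists as high-value PAC interactions, keyed as constructed tags.
SENSITIVE_OPS = {
    "program_download", "program_upload", "online_edit", "program_append",
    "modify_tasking", "modify_parameter", "io_image_write",
    "modify_alarm_settings", "firmware_update_mode", "restart", "shutdown",
}

@dataclass(frozen=True)
class ChangeContext:
    authorized_sources: frozenset   # engineering workstations allowed to change PACs
    window_start: datetime          # approved maintenance window (constructed)
    window_end: datetime

    def covers(self, source: str, ts: datetime) -> bool:
        return source in self.authorized_sources and self.window_start <= ts <= self.window_end

def parse_event(line: str) -> dict:
    """Parse one constructed event line of the form 'ISO-timestamp,source,pac,operation'."""
    ts, source, pac, op = (f.strip() for f in line.split(","))
    return {"ts": datetime.fromisoformat(ts), "source": source, "pac": pac, "op": op}

def find_unauthorized(lines, ctx: ChangeContext) -> list:
    """Return (pac, source, operation) for sensitive operations outside the change context."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["op"] in SENSITIVE_OPS and not ctx.covers(ev["source"], ev["ts"]):
            hits.append((ev["pac"], ev["source"], ev["op"]))
    return hits

# Constructed sample events: approved download, off-window edit, download from an unknown host, routine read.
SAMPLE_EVENTS = [
    "2024-05-01T02:10:00,eng-ws-01,pac-line3,program_download",
    "2024-05-01T09:45:00,eng-ws-01,pac-line3,online_edit",
    "2024-05-01T02:20:00,10.0.9.77,pac-line3,program_download",
    "2024-05-01T02:25:00,hmi-02,pac-line3,read_tags",
]
SAMPLE_CTX = ChangeContext(frozenset({"eng-ws-01"}),
                           datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 1, 4, 0))

if __name__ == "__main__":
    for pac, src, op in find_unauthorized(SAMPLE_EVENTS, SAMPLE_CTX):
        print(f"ALERT {pac}: {op} from {src} outside approved change context")
```

In practice the authorized source set and window would be fed from the change-management system, and the alert would be enriched with historian or alarm context before it reaches an operator.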
Mitigation priorities
- Maintain an accurate inventory of PACs, their critical process roles, peer systems, and authorized engineering paths.
- Restrict and review access to engineering workstations and software capable of PAC upload, download, online edit, append, tasking, parameter, I/O, alarm, restart, shutdown, or firmware-mode actions.
- Implement formal change control and recovery readiness for PAC programs and configurations, including the ability to compare approved logic and settings against current device state.
- Segment and monitor controller networks so PAC management and process-control traffic are limited to expected systems and observable to defenders.
- Prioritize resilience controls for PACs supporting safety- or production-critical functions, including procedures for abnormal controller states such as update mode, stop state, restart, or loss of communications.
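The change-control point above (comparing approved logic and settings against current device state), as an added example that is not part of the ATT&CK page or any vendor tool: an approved snapshot held under change control is diffed against what the controller reports now, surfacing program-image drift, altered or added parameters such as alarm thresholds, and operating-mode changes. The snapshot layout, tag names and values are constructed assumptions.

```python
"""Compare a PAC's approved program and parameter baseline against its current state.
Added example (not from the ATT&CK page or any vendor tool); the snapshot layout,
tag names and values are constructed. Real snapshots would come from the vendor
engineering tool or an upload from the controller during a change review."""
import hashlib
import json

def program_digest(program_bytes: bytes) -> str:
    """SHA-256 of the uploaded program image so logic drift is detectable without a full diff."""
    return hashlib.sha256(program_bytes).hexdigest()

def compare_state(approved: dict, current: dict) -> dict:
    """Return findings: program hash mismatch, changed/added/removed parameters, mode change."""
    findings = {"program_changed": approved["program_sha256"] != current["program_sha256"],
                "changed": {}, "added": {}, "removed": {}}
    a, c = approved["parameters"], current["parameters"]
    for name in a.keys() | c.keys():
        if name not in c:
            findings["removed"][name] = a[name]
        elif name not in a:
            findings["added"][name] = c[name]
        elif a[name] != c[name]:
            findings["changed"][name] = (a[name], c[name])
    findings["mode_changed"] = approved["mode"] != current["mode"]
    return findings

def needs_review(findings: dict) -> bool:
    """True when any drift from the approved baseline should be routed to change review."""
    return (findings["program_changed"] or findings["mode_changed"]
            or any(findings[k] for k in ("changed", "added", "removed")))

# Constructed snapshots: the approved record kept under change control, and what the PAC reports now.
APPROVED = {
    "program_sha256": program_digest(b"PAC_LINE3_LOGIC_v12"),
    "parameters": {"pump_high_alarm": 85.0, "pump_low_alarm": 20.0, "cycle_ms": 50},
    "mode": "RUN",
}
CURRENT = {
    "program_sha256": program_digest(b"PAC_LINE3_LOGIC_v12"),
    "parameters": {"pump_high_alarm": 120.0, "pump_low_alarm": 20.0, "cycle_ms": 50, "debug_tap": 1},
    "mode": "RUN",
}

if __name__ == "__main__":
    print(json.dumps(compare_state(APPROVED, CURRENT), indent=2))
```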
Analyst notes and limits
This object is an ICS asset, not a technique. The strongest decision value comes from the techniques ATT&CK lists as targeting PACs, which collectively show that PAC compromise or misuse can affect visibility, logic, configuration, communications, and availability of physical process control. Local engineering practices, vendor tooling, network architecture, and process criticality are required to turn this into precise detections and controls.
MITRE provides no official detection guidance, tactics, aliases, or mitigations for this asset in the supplied fields. The analysis above is therefore based on the official PAC description and the supplied relationship context only. It does not assert active exploitation, actor attribution, specific vendor exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0878 | Alarm Suppression | Alarm Suppression targets this object. |
| ICS | T0801 | Monitor Process State | Monitor Process State targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T0838 | Modify Alarm Settings | Modify Alarm Settings targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0877 | I/O Image | I/O Image targets this object. |
| ICS | T0871 | Execution through API | Execution through API targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T1693 | Modify Firmware | Modify Firmware targets this object. |
| ICS | T0843 | Program Download | Program Download targets this object. |
| ICS | T1691.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T1692.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T1692.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T1695.001 | Serial COM Sub-technique | Serial COM targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0843.002 | Online Edit Sub-technique | Online Edit targets this object. |
| ICS | T0800 | Activate Firmware Update Mode | Activate Firmware Update Mode targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0821 | Modify Controller Tasking | Modify Controller Tasking targets this object. |
| ICS | T1693.002 | Module Firmware Sub-technique | Module Firmware targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T1691 | Block Operational Technology Message | Block Operational Technology Message targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0848 | Rogue Master | Rogue Master targets this object. |
| ICS | T0868 | Detect Operating Mode | Detect Operating Mode targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T1691.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0835 | Manipulate I/O Image | Manipulate I/O Image targets this object. |
| ICS | T0802 | Automated Collection | Automated Collection targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T1692 | Unauthorized Message | Unauthorized Message targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0836 | Modify Parameter | Modify Parameter targets this object. |
| ICS | T0806 | Brute Force I/O | Brute Force I/O targets this object. |
| ICS | T0843.001 | Download All Sub-technique | Download All targets this object. |
| ICS | T0845 | Program Upload | Program Upload targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T0861 | Point & Tag Identification | Point & Tag Identification targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0858 | Change Operating Mode | Change Operating Mode targets this object. |
| ICS | T0843.003 | Program Append Sub-technique | Program Append targets this object. |
| ICS | T0889 | Modify Program | Modify Program targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 83b28c79ca54… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack A0018 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.