MITRE ATT&CK® Analytic

AN1906: Analytic 1906

Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about validating whether a PLC application program reads specific data blocks from the I/O image. The business significance is that some meaningful ICS behavior may not be visible from network traffic or endpoint logs alone; it may require access to the PLC logic itself or an asset management copy of that logic. For leaders, the key question is whether the organization can obtain, preserve, and review controller programs quickly enough to support incident response, safety investigations, and compliance evidence.

Executive priority

Prioritize this where PLC logic integrity and visibility are material to operational resilience. The decision value is not a single alert, but whether engineering, security, and asset management processes can provide authoritative PLC application programs for analysis. Executives should ask who owns PLC program collection, how current those copies are, whether access is governed, and whether SOC/IR teams have a documented path to engineering support during an incident.

Technical view

MITRE states that detecting this behavior requires obtaining and analyzing the PLC application program, either directly from the device or from asset management platforms, to identify specific data block reads related to the I/O image. Because no platforms, tactics, relationships, or detailed detection logic are supplied, teams should treat this as a program-analysis requirement rather than a ready-to-run detection. Validate whether controller logic can be retrieved safely, whether asset management repositories contain current versions, and whether analysis procedures can identify relevant data block reads without disrupting operations.

Likely telemetry

  • PLC application program or logic retrieved directly from the controller
  • PLC application program copies stored in asset management platforms
  • Controller program version and change records where available
  • Engineering workstation or asset management records showing program retrieval or synchronization where locally collected
  • IR evidence packages containing PLC logic snapshots and associated asset context

Detection direction

  • Confirm that PLC application programs are actually collectible from the relevant environment through approved operational procedures.
  • Validate whether asset management platforms retain current and historical PLC program copies suitable for analysis.
  • Develop or document analysis criteria for identifying specific data block reads from the I/O image in PLC logic.
  • Account for a major blind spot: environments that rely only on network or host telemetry may miss behavior that is only evident in the controller application program.
  • Tune review workflows with engineering input, since legitimate control logic may include data block reads and local process context is required to judge significance.

Mitigation priorities

  • Establish governed access to PLC application programs for security and incident response purposes without bypassing operational safety controls.
  • Maintain current, authoritative backups or asset management copies of PLC programs where supported by the environment.
  • Define joint engineering/SOC/IR procedures for requesting, preserving, and reviewing PLC logic during investigations.
  • Use change management to track expected PLC program versions so analysis has a trusted baseline for comparison.
  • Document evidence handling so PLC program analysis can support incident review, audit, and compliance readiness.
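Two items above have a concrete analysis step behind them: the "analysis criteria for identifying specific data block reads" under Detection direction, and the "trusted baseline for comparison" under Mitigation priorities. The following Python is example code written for this page to show one way of doing both; it is not part of the MITRE object or of Glexia's analysis. It assumes a constructed, vendor-neutral IEC 61131-3 Instruction List style listing with NETWORK separators and a DB<n>.<field> data-block notation; those conventions, the regular expressions and the operator list are assumptions to be adapted to the real engineering tool's export format.

```python
"""Scan exported PLC application programs for reads of the I/O (process)
image and of data blocks, and compare a retrieved program against a
trusted baseline copy.

Added example for this page; it is not MITRE's or Glexia's code. The
listing format is a constructed, vendor-neutral IEC 61131-3 Instruction
List (IL) style text. The NETWORK separators and the DB<n>.<field>
data-block notation are assumptions for the example; real engineering
tool exports differ by vendor and the patterns must be adapted."""
from __future__ import annotations

import re
from dataclasses import dataclass

# IEC 61131-3 direct addresses: %I = input image, %Q = output image,
# %M = internal memory; optional size letter X/B/W/D, then the location.
DIRECT_ADDR = re.compile(r"%([IQM])([XBWD]?)(\d+(?:\.\d+)*)")
# Assumed data-block notation used in the constructed listing.
DB_REF = re.compile(r"DB(\d+)\.([A-Za-z_][A-Za-z0-9_]*)")
# IL operators whose operand is read. ST (store) writes and is excluded;
# a copy of I/O data into a data block still shows up through the read
# of the I/O address that precedes the store.
READ_OPS = {"LD", "LDN", "AND", "ANDN", "OR", "ORN", "XOR", "XORN",
            "ADD", "SUB", "MUL", "DIV", "GT", "GE", "EQ", "NE", "LE", "LT"}


@dataclass(frozen=True)
class Read:
    kind: str       # "io_image" or "data_block"
    target: str     # operand as written in the listing
    network: int    # network (rung) number the read appears in
    source: str     # original line, kept as evidence for review


def scan_program(listing: str) -> list[Read]:
    """Return every I/O image read and data block read in the listing."""
    reads: list[Read] = []
    network = 0
    for raw in listing.splitlines():
        line = raw.split("//", 1)[0].strip()    # drop trailing comment
        if not line:
            continue
        if line.upper().startswith("NETWORK"):
            network = int(line.split()[1])
            continue
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].upper() not in READ_OPS:
            continue
        operand = parts[1].strip()
        addr = DIRECT_ADDR.fullmatch(operand)
        if addr and addr.group(1) in "IQ":
            reads.append(Read("io_image", operand, network, raw.strip()))
        elif DB_REF.fullmatch(operand):
            reads.append(Read("data_block", operand, network, raw.strip()))
    return reads


def compare_to_baseline(baseline: str, current: str) -> dict[str, list[str]]:
    """Diff the set of read targets between the trusted copy and the
    retrieved copy, so new reads stand out for engineering review."""
    base = {f"{r.kind}:{r.target}" for r in scan_program(baseline)}
    cur = {f"{r.kind}:{r.target}" for r in scan_program(current)}
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


# Constructed sample program (not a real export): the authoritative copy
# held in change management.
BASELINE_PROGRAM = """\
NETWORK 1
LD   %IX0.0          // start pushbutton
ANDN %IX0.1          // stop pushbutton, normally closed
ST   %QX0.0          // pump run command
NETWORK 2
LD   %IW4            // tank level transmitter
GT   DB1.HighLimit   // configured high-level limit
ST   %QX0.1          // high-level alarm
"""

# Constructed copy retrieved from the controller during an investigation:
# an extra network copies input words into a data block.
CURRENT_PROGRAM = BASELINE_PROGRAM + """\
NETWORK 3
LD   %IW4
ST   DB9.Level
LD   %IW6
ST   DB9.Pressure
"""

if __name__ == "__main__":
    for r in scan_program(CURRENT_PROGRAM):
        print(f"network {r.network}: {r.kind:<10} {r.target:<14} <- {r.source}")
    print(compare_to_baseline(BASELINE_PROGRAM, CURRENT_PROGRAM))
```

Run as a script, it lists every flagged read with its network and source line and then prints the diff against the baseline. The diff, not the raw list, is what engineering should review: legitimate logic also reads the I/O image (networks 1 and 2 above), and only local process context decides whether a new read such as the added network copying %IW4 and %IW6 into a data block is expected.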

Analyst notes and limits

The supplied ATT&CK object is an ICS detection analytic with a narrow description and no formal detection text. Its value is primarily in highlighting a visibility dependency: defenders may need access to PLC application logic, not just conventional security logs. Local controller types, engineering practices, asset management tooling, and safety constraints will determine how this can be operationalized.

No platforms, tactics, relationships, aliases, labels, or official detection logic were supplied. This take does not infer a specific PLC vendor, protocol, attack campaign, impact scenario, or guaranteed detection method. Environment-specific engineering validation is required.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. The current data supplies no related groups, software, data sources, or mitigations for it; validate any you associate with it against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the snapshot table compares the same object across releases by raw hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in the mirrored snapshot)
Modified: (empty in the mirrored snapshot)
Raw hash: 602e9fb2af3c4fcb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.0 | (empty) | Current bundle | 602e9fb2af3c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.