MITRE ATT&CK® Technique

T0843.002: Online Edit

Adversaries may execute an online edit of a PLC to update parts of an existing program. It does not require stopping the PLC which allows it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection.

The ability to perform an online edit to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.

Domain: ICS. ID: T0843.002. Sub-technique. Object version 1.0. Modified.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Online Edit is an ICS behavior where changes are made to controller logic while the controller continues running. That makes it operationally sensitive: a change may not create obvious downtime, yet it can alter how a PLC, PAC, DCS controller, or safety controller behaves. For leaders, the key issue is not only whether program changes are allowed, but whether the organization can prove who made them, from where, under what authorization, and whether the controller logic still matches an approved state.

Executive priority

Prioritize this as an operational resilience and change-control risk. Because online edits can occur without stopping process control, normal outage-based indicators may not be enough to notice unauthorized or unapproved logic changes. Executives and risk owners should ask whether engineering workstations, vendor-specific PLC programming software, controller access paths, and controller logic integrity checks are governed by enforceable authorization, authentication, segmentation, audit, and approval processes.

Technical view

SOC, OT security, and incident response teams should validate visibility around controller programming activity, especially online edits associated with PLCs, PACs, DCS controllers, and safety controllers. The ATT&CK object does not provide official detection text, but it is related to DET0915, Detection of Online Edit. Defensive validation should focus on whether programming workstations and controller communications produce usable evidence of online logic modification, whether that evidence can be tied to authenticated users and approved change windows, and whether controller programs/configurations can be compared against known-valid baselines after edits.

Likely telemetry

  • Engineering workstation activity, especially use of vendor-specific PLC programming software
  • Authentication and authorization records for users accessing programming workstations or controller management functions
  • Network traffic between engineering workstations, gateways, and controllers, including controller programming or automation protocol activity where visible
  • Controller audit logs or event records showing online edits, program transfers, configuration changes, or logic changes where supported
  • Change-management records identifying approved edit windows, authorized personnel, and expected controller targets

Detection direction

  • Validate whether DET0915-style detection is possible in the local environment; the supplied ATT&CK object confirms a detection strategy relationship but does not provide detection logic.
  • Tune monitoring to distinguish approved engineering changes from unexpected online edits by correlating controller edit activity with change tickets, approved maintenance windows, authenticated user identity, and source workstation.
  • Pay special attention to blind spots where field devices or legacy ICS protocols do not provide strong user identity, detailed audit logs, or cryptographic integrity verification.
  • Monitor access from systems that should not perform controller programming, especially where segmentation, allowlists, or access-management gateways are expected to restrict controller access.
  • Treat absence of process interruption as a weak signal; online edits are specifically notable because the controller may continue running during transfer and reconfiguration.
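The correlation step described above (controller edit activity checked against change tickets, approved windows, authenticated user and source workstation), as an added Python example; this is not code from the ATT&CK object or from Glexia, and the audit line format, field names, ticket structure and sample values are constructed assumptions.

```python
# Added example, not from the ATT&CK object or Glexia's tooling: correlate
# constructed controller online-edit audit lines with approved change tickets.
from datetime import datetime

def parse_edit_event(line: str) -> dict:
    """Parse a constructed 'ISO-timestamp key=value ...' audit line (assumed format)."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def review_edit(event: dict, tickets: list) -> tuple:
    """Return ('approved', ticket_id) when one ticket covers the controller, the edit
    window, the user and the source workstation; otherwise ('unapproved', [reasons])."""
    reasons = []
    for t in (t for t in tickets if t["controller"] == event["controller"]):
        problems = []
        if not t["start"] <= event["ts"] <= t["end"]:
            problems.append(f"{t['id']}: outside approved window")
        if event["user"] not in t["users"]:
            problems.append(f"{t['id']}: user {event['user']} not authorized")
        if event["src"] not in t["workstations"]:
            problems.append(f"{t['id']}: source {event['src']} not an approved workstation")
        if not problems:
            return ("approved", t["id"])
        reasons.extend(problems)
    return ("unapproved", reasons or ["no change ticket for this controller"])

# Constructed sample data: one approved change ticket and four audit lines.
TICKETS = [{
    "id": "CHG-1001", "controller": "plc-line3",
    "start": datetime(2024, 5, 6, 9, 0), "end": datetime(2024, 5, 6, 12, 0),
    "users": {"jdoe"}, "workstations": {"ews-01"},  # authorized people and EWS
}]
AUDIT_LINES = [
    "2024-05-06T10:15:00 controller=plc-line3 event=online_edit user=jdoe src=ews-01",
    "2024-05-06T10:40:00 controller=plc-line3 event=online_edit user=jdoe src=hmi-07",
    "2024-05-06T22:05:00 controller=plc-line3 event=online_edit user=jdoe src=ews-01",
    "2024-05-06T10:20:00 controller=plc-line7 event=online_edit user=jdoe src=ews-01",
]

def triage(lines=AUDIT_LINES, tickets=TICKETS) -> list:
    """Review each online_edit line; returns [(verdict, detail), ...] in input order."""
    results = []
    for line in lines:
        ev = parse_edit_event(line)
        if ev.get("event") == "online_edit":  # ignore other record types
            results.append(review_edit(ev, tickets))
    return results
```

Only the first line is covered by the ticket; the other three are flagged for a different reason each (unapproved workstation, outside the window, no ticket for that controller).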

Mitigation priorities

  • Enforce authorization for controller read, manipulate, and execute privileges using role-based access where feasible, aligned to M0800 Authorization Enforcement.
  • Strengthen access management and human user authentication for engineering workstations, gateways, and controller programming functions, aligned to M0801 Access Management and M0804 Human User Authentication.
  • Restrict network paths to controllers through segmentation, network allowlists, and traffic filtering, aligned to M0930 Network Segmentation, M0807 Network Allowlists, and M0937 Filter Network Traffic.
  • Require communication, device, and software-process authentication where supported, aligned to M0802 Communication Authenticity and M0813 Software Process and Device Authentication.
  • Use code signing and integrity validation where available, and perform audits or periodic checks of controller programs and configurations against known-valid states, aligned to M0945 Code Signing and M0947 Audit.

Analyst notes and limits

This object is a sub-technique of Program Download and targets embedded controller assets including PLCs, safety controllers, DCS controllers, and PACs. Its business significance comes from the ability to alter running controller logic without stopping the process, which can reduce obvious operational signals and make change-control evidence especially important.

ATT&CK does not specify platforms or tactics for this object and provides no official detection text. The relationship to DET0915 indicates a detection strategy exists, but no detection details were supplied here. Local controller models, programming software, protocol visibility, logging capability, and change-management maturity determine what can actually be detected or enforced.

Official MITRE ATT&CK definition

Online Edit

Adversaries may execute an online edit of a PLC to update parts of an existing program. It does not require stopping the PLC which allows it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection.

The ability to perform an online edit to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
ICS | T0843 | Program Download | This object is a sub-technique of Program Download.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3c3fb1c2cf101ce9...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 3c3fb1c2cf10…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, T0843.002 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.