T0868: Detect Operating Mode
Adversaries may gather information about a PLC's or controller's current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
* Program - This mode must be enabled before changes can be made to a device's program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLC's logic is halted, and all outputs may be forced off. [1]
* Run - Execution of the device's program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the program's logic. Program Upload and Program Download are disabled while in this mode. [2] [3] [1] [4]
* Remote - Allows for remote changes to a PLC's operation mode. [4]
* Stop - The PLC and program are stopped; while in this mode, outputs are forced off. [3]
* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory, while cold resets will reset all I/O and data registers. [3]
* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. [2]
Analyst context for executives and security teams
Detect Operating Mode is an ICS behavior where an adversary gathers the current mode of controllers such as PLCs, PACs, DCS controllers, or safety controllers. This matters because controller mode often determines whether logic can be changed, downloaded, uploaded, monitored, forced, reset, or stopped. For business leaders, the key risk is not the mode query alone; it is that mode awareness can help an intruder decide whether a control-system change is currently possible and which access path may matter most.
Executive priority
Prioritize this as an OT visibility and access-control question: can the organization prove who can read controller state, from where, and under what conditions? The behavior is especially relevant to operational resilience and safety because the ATT&CK relationships include PLCs, PACs, DCS controllers, and safety controllers. Executives should ask whether engineering workstations, remote access paths, and controller networks have enforceable authentication, segmentation, allowlisting, and protocol filtering, and whether SOC/IR teams can distinguish normal engineering activity from unusual mode discovery.
Technical view
MITRE provides no official detection text and no platform value for the technique, but it does identify embedded ICS assets as targets and DET0768 as a related detection strategy. SOC and OT teams should validate vendor- and product-line-specific ways that operating mode is exposed or queried, then baseline legitimate engineering workstation, HMI, maintenance, and commissioning activity. Investigations should focus on mode reads or controller-state discovery from unexpected hosts, unauthenticated or poorly attributed sessions, remote paths, or sequences that precede program upload/download, force, reset, stop, or other maintenance-capable actions. The relationship to Triton should be treated as ATT&CK context that this behavior is relevant to safety-controller interaction, not as evidence of current activity in any environment.
Likely telemetry
- Controller or PLC/PAC/DCS/safety-controller communication logs where available
- OT network packet capture or protocol metadata capable of identifying controller status or mode queries
- Engineering workstation and maintenance laptop activity logs
- Remote access, jump host, access gateway, and authentication logs for OT access paths
- Asset inventory showing controller type, vendor/product line, current approved operating mode, and authorized engineering stations
Detection direction
- Map DET0768 to local telemetry and confirm whether mode-query behavior can actually be observed for each controller family in scope.
- Baseline normal mode monitoring by engineering tools and HMIs to reduce false positives during maintenance, commissioning, and troubleshooting windows.
- Alert on mode discovery from non-engineering hosts, unusual remote sessions, new source addresses, unexpected network segments, or activity outside approved change windows.
- Correlate mode queries with subsequent program upload, program download, reset, stop, force, or other maintenance-oriented operations when telemetry supports it.
- Treat lack of protocol visibility as a material blind spot; flow logs alone may show access but may not prove whether operating mode was queried.
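The detection direction above, as an added example that is not part of the ATT&CK object or the Glexia analysis: it applies an engineering-host allowlist and approved change windows to constructed protocol-metadata records, flags mode queries that break that baseline, and pairs each flagged query with any maintenance-capable action the same source sends to the same controller shortly afterwards. The log format, host addresses, controller name and windows are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed baseline (assumption): engineering hosts allowed to read controller
# mode and approved change windows per controller, as the asset inventory would list.
AUTHORIZED_ENGINEERING_HOSTS = {"10.10.1.20", "10.10.1.21"}
CHANGE_WINDOWS = {"plc-line3": [(datetime(2024, 5, 6, 8, 0), datetime(2024, 5, 6, 12, 0))]}
# Maintenance-capable actions worth correlating with a preceding mode read.
MAINTENANCE_ACTIONS = {"program_download", "program_upload", "force", "reset", "stop"}

# Constructed protocol-metadata records (one per line): timestamp src dst action.
SAMPLE_LOG = """\
2024-05-06T09:15:00 src=10.10.1.20 dst=plc-line3 action=mode_query
2024-05-06T09:16:00 src=10.10.1.20 dst=plc-line3 action=program_download
2024-05-06T13:40:00 src=10.10.1.21 dst=plc-line3 action=mode_query
2024-05-06T22:05:00 src=10.10.9.77 dst=plc-line3 action=mode_query
2024-05-06T22:09:00 src=10.10.9.77 dst=plc-line3 action=stop
"""

def parse_line(line):
    # One record -> dict with src/dst/action strings and a datetime under "ts".
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def in_change_window(controller, ts):
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS.get(controller, []))

def analyze(log_text, correlate_minutes=30):
    # Flag mode queries that break the baseline; attach maintenance actions the
    # same source sends to the same controller within correlate_minutes afterwards.
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        if ev["action"] != "mode_query":
            continue
        reasons = []
        if ev["src"] not in AUTHORIZED_ENGINEERING_HOSTS:
            reasons.append("non-engineering source host")
        if not in_change_window(ev["dst"], ev["ts"]):
            reasons.append("outside approved change window")
        if not reasons:
            continue  # baselined engineering activity: no alert
        horizon = ev["ts"] + timedelta(minutes=correlate_minutes)
        followups = [e["action"] for e in events[i + 1:]
                     if e["src"] == ev["src"] and e["dst"] == ev["dst"]
                     and e["ts"] <= horizon and e["action"] in MAINTENANCE_ACTIONS]
        findings.append({"ts": ev["ts"].isoformat(), "src": ev["src"], "controller": ev["dst"],
                         "reasons": reasons, "followup_actions": followups})
    return findings
```

Calling analyze(SAMPLE_LOG) yields nothing for the 09:15 read from an authorized station inside the window, one finding for the 13:40 read outside the window, and one for the 22:05 read from an unknown host, paired with the stop that follows it.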
Mitigation priorities
- Start with asset and access-path inventory for PLCs, PACs, DCS controllers, and safety controllers so defenders know where operating mode can be read or changed.
- Enforce least-privilege authorization for read, manipulate, and execute privileges using Authorization Enforcement where supported.
- Require Human User Authentication and Software Process and Device Authentication for access to controller data and commands where feasible in the ICS environment.
- Use Access Management technologies or gateways where field devices cannot natively provide sufficient user identification or authentication.
- Apply Network Segmentation, Network Allowlists, and protocol-aware Filter Network Traffic controls to restrict which systems can communicate with controllers and what application-layer actions are allowed.
Analyst notes and limits
Operating modes vary by vendor and product line. Program, run, remote, stop, reset, and test/monitor modes have different operational implications, and local engineering standards determine which mode reads are normal. The most useful defensive outcome is an evidence-backed list of authorized systems and users that can query or influence controller mode, plus SOC logic that distinguishes approved maintenance from unexpected discovery.
The supplied ATT&CK object does not specify tactics, platforms, or official detection logic. Detection and telemetry recommendations therefore require local validation against the organization’s controller vendors, protocols, engineering tools, and network architecture. No claim is made that this behavior is actively occurring or that any listed control guarantees detection or prevention.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 736eae98e64a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] N.A. (2017, October). What are the different operating modes in PLC? Retrieved 2021/01/28.
[2] Omron. PLC Different Operating Modes. Retrieved 2021/01/28.
[3] Machine Information Systems. (2007). How PLCs Work. Retrieved 2021/01/28.
[4] PLCgurus. (2021). PLC Basics Modes Of Operation. Retrieved 2021/01/28.
[5] mitre-attack. T0868.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.