Detect Operating Mode (T0868)

View on ATT&CK

In Playbook

Technique & Subtechniques

  • Detect Operating Mode

Associated Tactics

  • Collection

Collection (TA0100)

The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal. Collection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of [Discovery](https://attack.mitre.org/tactics/TA0102), to compile data on control systems and targets of interest that may be used to follow through on the adversary’s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.

View on ATT&CK

Procedure Examples

Description Source(s)
Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 Machine Information Systems 2007
N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 N.A. October 2017
Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 Omron
PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 PLCgurus 2021