What starting position does this attack require?

The first step is Process disruption / physical impact (T1486) — a impact primitive. Assumed environment: foothold in corporate IT.

What is the final impact of this kill-chain?

The final step lands on Pivot to engineering workstation (OT-IT-OT-PIVOT), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Engineering workstation → push payload to PLC

Compromise the OT engineer's laptop (corporate-network adjacent, jumphost-reachable). Use legit engineering tools (TIA Portal / Studio 5000) to download attacker ladder logic to the PLC.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Impact

Process disruption / physical impact

T1486 · Data Encrypted for Impact

Initial Access

Foothold in corporate IT

T1078 · Valid Accounts

Impact

Download modified logic to PLC

OT-MODBUS-WRITE · Modbus TCP Write to PLC

Impact

Modify ladder logic / function block

OT-S7-SIEMENS · Siemens S7 Protocol Abuse

Lateral Movement

Use installed TIA Portal / Studio 5000

OT-ENG-WORKSTATION · Engineering Workstation Pivot

Lateral Movement

Pivot to engineering workstation

OT-IT-OT-PIVOT · IT → OT Network Pivot

§ Context

Assumed environment: foothold in corporate IT. Reach to the engineering workstation via shared-credential AD account / jump-host with weak segmentation. PLC programming software installed.

§ Steps

01
Process disruption / physical impactImpact
T1486— Data Encrypted for Impact
02
Foothold in corporate ITInitial Access
T1078— Valid Accounts
03
Download modified logic to PLCImpact
OT-MODBUS-WRITE— Modbus TCP Write to PLC
04
Modify ladder logic / function blockImpact
OT-S7-SIEMENS— Siemens S7 Protocol Abuse
05
Use installed TIA Portal / Studio 5000Lateral Movement
OT-ENG-WORKSTATION— Engineering Workstation Pivot
06
Pivot to engineering workstationLateral Movement
OT-IT-OT-PIVOT— IT → OT Network Pivot

§ References

T1486Data Encrypted for Impact
T1078Valid Accounts

§ Frequently asked

What is the "Engineering workstation → push payload to PLC" attack path?: Compromise the OT engineer's laptop (corporate-network adjacent, jumphost-reachable). Use legit engineering tools (TIA Portal / Studio 5000) to download attacker ladder logic to the PLC. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Process disruption / physical impact (T1486) — a impact primitive. Assumed environment: foothold in corporate IT.
What is the final impact of this kill-chain?: The final step lands on Pivot to engineering workstation (OT-IT-OT-PIVOT), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Engineering workstation → push payload to PLC

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

TRITON-class SIS reprogram → disable safety shutdown

Leaked legacy VPN credential → ransomware (Colonial-class)

Reachable Modbus PLC → direct register override

HMI default credentials → operations disruption

Open MQTT broker → smart-estate takeover