MITRE ATT&CK for ICS shines light on industrial attack tactics

MITRE, known for its MITRE ATT&CK framework, which many use to enhance their cybersecurity posture and cyber resilience, has launched a dedicated knowledge base for security in the world of industrial control systems: ATT&CK for ICS.

With the advent of Industry 4.0 and Industrial IoT, the convergence of IT and OT, and the digital transformation of industrial environments, attacks on industrial control systems (ICS) and other operational technology (OT) have been rising for several years.

Moreover, despite the increase in threats and attacks, industrial cybersecurity is behind (and we have a real standards issue with IoT technology), compared with enterprise IT security, and the stakes are high, certainly when critical services are involved or “harm to human life and the surrounding environment” can be the result of attacks.

ATTACK for ICS concept

ATT&CK for ICS: inventorizing the behavior of adversaries in industrial control system attacks

Like the well-known MITRE ATT&CK knowledgebase and its related MITRE ATT&CK Matrix for Enterprise, ATT&CK for ICS looks at adversaries’ tactics and techniques when they launch and run an attack. The difference: ATT&CK for ICS shines a light on attacks (with an impact) on industrial control systems and – thus – potentially critical infrastructure.

Although with IT (enterprise IT) and OT (operational technology such as ICS), we are often still de facto in two rather separate worlds, both are increasingly overlapping. It’s the essence of the so-called industrial transformation, although there’s still much work ahead.

So, then why is it necessary to have a “separate” MITRE framework and matrix for industrial control systems with ATT&CK for ICS if the (far) future spells integration?

For starters, you can’t separate both worlds entirely. Some aspects of the ATT&CK knowledge base for enterprise IT systems apply to industrial control systems, and, as you no doubt know, enterprise IT systems often also form an access door to ICS systems for adversaries.

There is also an increase in OT malware and attacks (with Stuxnet still the most often mentioned example) and in the number of IT cyber attacks impacting OT environments.

Additionally, the digital transformation in OT-intensive industries also drives the adoption and usage of ‘intelligent’ technologies such as Industrial IoT, artificial intelligence and third platform foundations such as cloud and big data (analytics).

Yet, significant differences remain between your traditional enterprise IT and OT environment. There are many unique aspects to the specialized applications and protocols that ICS system operators typically use to interface with physical devices. And, of course, adversaries take advantage of these as well.

With ATT&CK for ICS, MITRE added the behavior adversaries use within ICS environments in the context of attacks.

The resulting matrix, the MITRE ATT&CK for ICS Matrix, provides an overview of the tactics and techniques contained in the ATT&CK for ICS knowledge base. While the MITRE ATT&CK Matrix for Enterprise includes fourteen tactics, the MITRE ATT&CK for ICS Matrix includes twelve:

  • Initial Access
  • Execution
  • Persistence
  • Privilege
  • Escalation
  • Evasion
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Inhibit Response Function
  • Impair Process Control
  • Impact

The ‘use cases’ for which one can leverage ATT&CK for ICS are otherwise similar to those of MITRE ATT&CK in general.

More about these use cases and ATT&CK for ICS here.