MITRE ATT&CK for ICS Matrix: What It Is and How Its Used

December 10, 2020

The original Enterprise MITRE ATT&CK Matrix became very popular among IT security practitioners because it provided a common nomenclature for security stakeholders to communicate about the threats they face. However, when the industrial world finally caught up with IT and started to focus heavily on threat detection, the Enterprise Matrix didn’t copy/paste well for industrial control systems (ICS). Given the extensive differences between ICS environments and traditional IT computing, the need for a common nomenclature system to use in this unique environment is what led to the creation of a MITRE ATT&CK for ICS Matrix.

This knowledge base provides ICS security practitioners, researchers and product vendors with better ways to communicate about the threats facing operational technology (OT) systems. It also helps teams develop incident response playbooks, prioritize defenses, report on threat intelligence, train analysts and conduct red teaming exercises.

None of the techniques in the MITRE ATT&CK for ICS Matrix are new to experienced individuals, but what is groundbreaking is the categorization and taxonomy of these techniques and helpful guidance like data sources for detection. By providing a framework that normalizes the cybersecurity discussion among various groups, security teams can make detection and response efforts, as well as the overall risk discussion, more meaningful.

Below we’ll discuss each of the 11 tactics in the MITRE ATT&CK for ICS Matrix and also highlight a few of the techniques an attacker might use within each.

1. Initial Access

This describes how an adversary gains access into your ICS environment. Techniques in this category can include:

Engineering Workstation Compromise
An attacker uses remote access or physical methods, like a person with administrative privileges or removable media, to enter a workstation.
Replication Through Removable Media
Malware is copied to removable media which is then inserted into an ICS environment, potentially by trusted third parties like contractors or vendors.
Supply Chain Compromise
The manipulation of products, software, and workflows before an end user receives them can result in a system compromise.

2. Execution

These are techniques that describe how an adversary may try to run malicious code. Some of the techniques included within this tactic are:

Change Program State
Changing the state of a current program on an ICS device can allow an attacker to take control of the device or load malicious code onto it.
Execution Through API
Application Program Interfaces (APIs) can be used by adversaries to engage specific functions on a device or other software.
Man in the Middle
Once an attacker has a foothold in the ICS environment, they can use this technique to block, log, modify, or inject traffic into a communication stream to carry out other exploits.

3. Persistence

This describes how an adversary maintains their foothold in your ICS environment. Some common techniques for Persistence include:

Hooking into an API function lets an adversary persist by exploiting tasks that require reusable system resources.
Program Download
Loading a malicious program onto a device allows an attacker to implement custom logic to persist.
System Firmware
Abusing the firmware update feature on accessible devices provides attackers with root access to a device.

4. Evasion

Indicator Removal on Host
Removing indicators of their presence, including covering up changes to devices, is a common technique for avoiding detection in ICS networks
Disguising their malicious applications or executables as legitimate functions can also help an adversary hide.
To hide the presence of malware, attackers may deploy rootkits that can intercept and modify API calls supplying system information.

5. Discovery

This category describes ways that adversaries try to understand your ICS environment. Some of the techniques within this tactic include:

I/O Module Discovery
To better understand related control processes, an adversary may use input/output (I/O) module discovery to learn about signals being sent from and received by a device.
Network Sniffing
Monitoring or capturing ICS network information can be used to learn important information about a target, including user credentials that may have been sent using an unencrypted protocol.
Remote System Discovery
A tool like Nmap can help identify and map out network hosts and their details, such as open ports and services, and is a relatively simple way for attackers to validate which devices are on a network.

6. Lateral Movement

This is how an adversary moves through the ICS environment. Techniques in this category include:

Default Credentials
Attackers may use manufacturers’ default credentials that have not been changed or modified to gain access to ICS devices.
Exploitation of Remote Services
Known or unknown software vulnerabilities can allow an attacker to access and abuse remote services.
Program Organizational Units
Adversaries can use these structures which are common in PLC coding to modify or create their own logic in those devices.

7. Collection

This is when the adversary is trying to gather important data and domain information about your ICS environment. They can achieve this by using techniques like:

Automated Collection
By abusing insecure native protocols in an ICS environment, an attacker can automate the collection of data about servers and devices.
Data from Information Repositories
Targeting information repositories containing things like specifications or diagrams of a control system can deliver an attacker critical data about the environment.
Program Upload
To learn how an industrial process works, an attacker may upload a program that gathers data via a vendor software program.

8. Command and Control

This tactic describes ways that an adversary is trying to manipulate, disable, or damage physical control processes. Some of the techniques in this category include:

Commonly Used Port
By communicating over a commonly used port, an adversary can blend in with normal network activity.
Connection Proxy
Using a connection proxy, adversaries can control the flow of network communications.
Standard Application Layer Protocol
Exploiting common protocols such as HTTPS, Telnet, DNP3, and Modbus allow attackers to disguise malicious activity as normal network traffic.

9. Inhibit Response Function

This tactic describes ways that attackers can prevent safety and intervention functions from responding to an event. Techniques to do this may include:

Alarm Suppression
Disabling alarms within the system prevents operators from receiving notifications about critical conditions.
Denial of Service
Denial of Service (DoS) attacks will temporarily render a device unresponsive so that it can’t provide an appropriate response function to events in the environment.
Device Restart/Shutdown
A forced restart or shutdown of an ICS device can prevent response functions from activating in a critical state.

10. Impair Process Control

An adversary manipulates, disables, or damages physical control processes using these techniques, which include things like:

Brute Force I/O
Using brute force I/O addresses on a device allows an attacker to manipulate a process function without having to target a specific interface.
Module Firmware
Uploading malicious firmware to a device allows an adversary to re-program it to do what they want it to.
Service Stop
By stopping or disabling critical services on a system, an attacker can prevent operators from responding to an incident, and thus open up the system to damage.

11. Impact

These techniques describe the potential consequences of an adversary successfully manipulating ICS systems or data. Impacts may include:

Damage to Property
Cyberattacks can ultimately result in the loss of equipment or damage to the surrounding environment. Examples of this range from bricked devices to a major oil spill in an ocean.
Loss of Availability
By disrupting critical processes, attackers can prevent businesses from delivering their products or services. Examples may include holding data for ransom on engineering workstations or deleting critical process information from an HMI.
Loss of Productivity and Revenue
This is the ultimate business consequence and results from one or both Impacts above. If a critical process isn’t functioning because a plant was physically damaged or data was deleted, a business can’t make money.

Whether you’re a CISO or a security contributor, the MITRE ATT&CK for ICS Matrix can help you assess cybersecurity technologies, as well as identify any potential gaps within these technologies. It can also guide your long-term risk discussions to determine how to allocate future cybersecurity investments.

Looking for more? Check out our infographic to see how Industrial Defender detects each technique in the MITRE ATT&CK for ICS Matrix using agent, agentless and passive methods.