MITRE ATT&CK for ICS Matrix: What It Is and How Its Used
by Erin Anderson
The original Enterprise MITRE ATT&CK Matrix became very popular among IT security practitioners because it provided a common nomenclature for security stakeholders to communicate about the threats they face. However, when the industrial world finally caught up with IT and started to focus heavily on threat detection, the Enterprise Matrix didn’t copy/paste well for industrial control systems (ICS). Given the extensive differences between ICS environments and traditional IT computing, the need for a common nomenclature system to use in this unique environment is what led to the creation of a MITRE ATT&CK for ICS Matrix.
This knowledge base provides ICS security practitioners, researchers and product vendors with better ways to communicate about the threats facing operational technology (OT) systems. It also helps teams develop incident response playbooks, prioritize defenses, report on threat intelligence, train analysts and conduct red teaming exercises.
None of the techniques in the MITRE ATT&CK for ICS Matrix are new to experienced individuals, but what is groundbreaking is the categorization and taxonomy of these techniques and helpful guidance like data sources for detection. By providing a framework that normalizes the cybersecurity discussion among various groups, security teams can make detection and response efforts, as well as the overall risk discussion, more meaningful.
Below we’ll discuss each of the 11 tactics in the MITRE ATT&CK for ICS Matrix and also highlight a few of the techniques an attacker might use within each.
1. Initial Access
This describes how an adversary gains access into your ICS environment. Techniques in this category can include:
These are techniques that describe how an adversary may try to run malicious code. Some of the techniques included within this tactic are:
This describes how an adversary maintains their foothold in your ICS environment. Some common techniques for Persistence include:
To avoid detection in the ICS environment, an adversary may use techniques like:
This category describes ways that adversaries try to understand your ICS environment. Some of the techniques within this tactic include:
6. Lateral Movement
This is how an adversary moves through the ICS environment. Techniques in this category include:
This is when the adversary is trying to gather important data and domain information about your ICS environment. They can achieve this by using techniques like:
8. Command and Control
This tactic describes ways that an adversary is trying to manipulate, disable, or damage physical control processes. Some of the techniques in this category include:
9. Inhibit Response Function
This tactic describes ways that attackers can prevent safety and intervention functions from responding to an event. Techniques to do this may include:
10. Impair Process Control
An adversary manipulates, disables, or damages physical control processes using these techniques, which include things like:
These techniques describe the potential consequences of an adversary successfully manipulating ICS systems or data. Impacts may include:
Whether you’re a CISO or a security contributor, the MITRE ATT&CK for ICS Matrix can help you assess cybersecurity technologies, as well as identify any potential gaps within these technologies. It can also guide your long-term risk discussions to determine how to allocate future cybersecurity investments.
Looking for more? Check out our infographic to see how Industrial Defender detects each technique in the MITRE ATT&CK for ICS Matrix using agent, agentless and passive methods.