Not too many of us have directly experienced the unavailability of a critical service or infrastructure (e.g., power outages, unavailability of hospital data, etc.), but we as a security community have seen an explosive growth of cyberattacks targeting operational technology (OT) environments recently. The IBM X-Force Threat Intelligence Index 2020 found that OT attacks increased by 2,000 percent last year compared to 2018, and this trend is expected to continue in the coming years.

In security operations centers (SOCs), we have already realized the value that MITRE ATT&CK provides through its encyclopedia of mapped tactics, techniques and procedures (TTPs) based on real-world observations of adversaries. The knowledge base enables security teams to link adversarial TTPs when conducting a gap analysis and threat modeling.

Why Was ATT&CK for ICS Created?

OT and industrial control systems (ICS) technologies operate in a different manner than traditional IT systems. Likewise, attackers follow TTPs specific to the OT domain and the targeted industry. Most ICS environments have IT systems, controllers, supervisory control and data acquisition (SCADA) systems and human-machine interfaces (HMIs) that connect with industrial systems and special protocols.

Therefore, adversary goals are unique in these situations — human safety could be endangered when these systems and processes are not controlled properly. This has created an interest among OT security teams around the globe to have a standardized view and knowledge of TTPs related to ICS, which could help clarify questions such as:

  • What are the common attack kill chains?
  • How should they be prioritized?
  • What are the gaps in detection and prevention controls for each TTP?

In response, MITRE released ATT&CK for ICS in January 2020, which sourced information from more than 100 individuals representing 39 organizations.

The Structure of ATT&CK for ICS

The core of MITRE ATT&CK for ICS provides an overview of the TTPs associated with threat actors that have carried out attacks against ICS systems. ATT&CK for ICS is industry agnostic and is therefore meant to work equally well for ICS systems that support a wide range of industrial processes for effective threat intelligence and incident response activities. ATT&CK for ICS has been mapped to seven separate ICS asset categories to enable a variety of organizations to use it easily by selecting and prioritizing cybersecurity activities. The seven asset categories currently covered include:

  1. Control Server
  2. Data Historian
  3. Engineering Workstation
  4. Field Controller/RTU/PLC/IED
  5. Human-Machine Interface
  6. Input/Output Server
  7. Safety Instrumented System/Protection Relay

ATT&CK for ICS also has detailed information about 96 attack techniques mapped against 11 objectives or tactics of adversaries. The mapping of these attack techniques to the above asset categories in ICS environments, 10 threat groups known to have launched attacks on ICS and 17 pieces of malicious software used for attacks enables organizations to select the techniques that are relevant to their specific environment.

How Security Teams Can Utilize ATT&CK for ICS

The power of ATT&CK for ICS is in how we apply it to specific security roles. Some critical use cases for ATT&CK for ICS include:

  • Standard language and terminology for threats and adversaries
  • Identification of gaps in ICS security controls and creation of defensive strategies
  • Creation of ICS/OT use cases for the SOC
  • Effective ICS threat intelligence and ICS incident triage and response activities
  • Understanding of ICS threat behaviors
  • Adversary emulation; testing of security controls and defenses
  • Training of the OT security workforce
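The gap-analysis use case above (which controls exist for each relevant TTP, and how to prioritize them) is the one that most directly exercises the structure described earlier: techniques mapped to tactics, to asset categories, and to the threat groups known to use them. The following is an added example, not code from the article or from MITRE. It holds a small in-memory slice of the knowledge base, filters techniques down to the asset categories a site actually operates, and reports which of those techniques have no detection or prevention control, ranked by the number of known groups using them. The technique IDs and names are real ATT&CK for ICS entries; the asset mappings, group counts, site inventory and control coverage are constructed for illustration and are not MITRE's official mappings.

```python
"""Minimal ATT&CK for ICS gap analysis over a constructed sample of techniques.

Added example; not from the original article or from MITRE.  Technique IDs
and names are real, but the asset/group/control mappings are illustrative.
"""
from dataclasses import dataclass

# The seven asset categories named in the article.
ASSET_CATEGORIES = {
    "Control Server", "Data Historian", "Engineering Workstation",
    "Field Controller/RTU/PLC/IED", "Human-Machine Interface",
    "Input/Output Server", "Safety Instrumented System/Protection Relay",
}

CONTROL_KINDS = {"detect", "prevent"}


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactic: str
    assets: frozenset   # asset categories the technique can target (constructed)
    groups: int = 0     # count of known threat groups observed using it (constructed)


# Constructed sample slice of the knowledge base.
SAMPLE_TECHNIQUES = [
    Technique("T0843", "Program Download", "Lateral Movement",
              frozenset({"Field Controller/RTU/PLC/IED"}), groups=3),
    Technique("T0855", "Unauthorized Command Message", "Impair Process Control",
              frozenset({"Field Controller/RTU/PLC/IED",
                         "Safety Instrumented System/Protection Relay"}), groups=4),
    Technique("T0831", "Manipulation of Control", "Impact",
              frozenset({"Human-Machine Interface", "Control Server"}), groups=2),
    Technique("T0816", "Device Restart/Shutdown", "Inhibit Response Function",
              frozenset({"Field Controller/RTU/PLC/IED"}), groups=2),
    Technique("T0882", "Theft of Operational Information", "Impact",
              frozenset({"Data Historian"}), groups=1),
]

# Constructed site: what it operates and which controls it already has per technique.
SITE_ASSETS = {"Field Controller/RTU/PLC/IED", "Human-Machine Interface",
               "Engineering Workstation"}
SITE_CONTROLS = {
    "T0843": {"detect"},               # alerting on PLC program downloads, no blocking
    "T0855": {"detect", "prevent"},    # protocol-aware firewall plus passive monitoring
    "T0831": {"prevent"},              # HMI role-based access, but no detection
    # T0816 has no entry: nothing detects or prevents device restarts
}


def relevant_techniques(techniques, owned_assets):
    """Keep only techniques that can target at least one asset category the site runs."""
    unknown = set(owned_assets) - ASSET_CATEGORIES
    if unknown:
        raise ValueError(f"unknown asset categories: {sorted(unknown)}")
    return [t for t in techniques if t.assets & set(owned_assets)]


def coverage_gaps(techniques, owned_assets, controls):
    """Return (technique, missing_control_kinds) pairs for relevant techniques,
    highest number of known threat groups first, then by technique ID."""
    gaps = []
    for t in relevant_techniques(techniques, owned_assets):
        missing = CONTROL_KINDS - controls.get(t.tid, set())
        if missing:
            gaps.append((t, sorted(missing)))
    gaps.sort(key=lambda g: (-g[0].groups, g[0].tid))
    return gaps


def gaps_by_tactic(gaps):
    """Group gap entries under their ATT&CK for ICS tactic for reporting."""
    grouped = {}
    for t, missing in gaps:
        grouped.setdefault(t.tactic, []).append((t.tid, missing))
    return grouped


if __name__ == "__main__":
    for tactic, entries in gaps_by_tactic(
            coverage_gaps(SAMPLE_TECHNIQUES, SITE_ASSETS, SITE_CONTROLS)).items():
        print(tactic)
        for tid, missing in entries:
            print(f"  {tid}: missing {', '.join(missing)}")
```

Run against the constructed site, the analysis drops T0882 (the site has no Data Historian), marks T0855 as fully covered, and ranks the remaining gaps with Program Download first because more known groups use it; the same three functions work unchanged on a larger technique list exported from the real knowledge base, as long as each entry carries its tactic, target asset categories and group count.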

Contribute to the Evolution of ATT&CK for ICS

ATT&CK is regularly updated with new information about attack tactics. For example, ATT&CK for Enterprise has lately added multiple techniques to cover adversary behaviors against cloud-based platforms. Similarly, ATT&CK for ICS is also expected to be updated as new techniques are reported to and validated by MITRE. However, ICS systems are not always fully isolated from IT, meaning that TTPs for IT environments must also be considered by organizations that have both.

As the framework continues to evolve, organizations with ICS and OT infrastructure can give back by providing information to MITRE on emerging ICS attack techniques, refining current content and developing additional use cases for ATT&CK for ICS.
