Not too many of us have directly experienced the unavailability of a critical service or infrastructure (e.g., power outages, unavailability of hospital data, etc.), but we as a security community have seen an explosive growth of cyberattacks targeting operational technology (OT) environments recently. The IBM X-Force Threat Intelligence Index 2020 found that OT attacks increased by 2,000 percent last year compared to 2018, and this trend is expected to continue in the coming years.
In security operations centers (SOCs), we have already realized the value that MITRE ATT&CK provides through its encyclopedia of mapped tactics, techniques and procedures (TTPs) based on real-world observations of adversaries. The knowledge base enables security teams to link adversarial TTPs when conducting a gap analysis and threat modeling.
Why Was ATT&CK for ICS Created?
OT and industrial control systems (ICS) technologies operate in a different manner than traditional IT systems. Likewise, attackers follow TTPs specific to the OT domain and the targeted industry. Most ICS environments have IT systems, controllers, supervisory control and data acquisition (SCADA) systems and human-machine interfaces (HMIs) that connect with industrial systems and special protocols.
Therefore, adversary goals are unique in these situations — human safety could be endangered when these systems and processes are not controlled properly. This has created an interest among OT security teams around the globe to have a standardized view and knowledge of TTPs related to ICS, which could help clarify questions such as:
- What are the common attack kill chains?
- How should they be prioritized?
- What are the gaps in detection and prevention controls for each TTP?
In response, MITRE released ATT&CK for ICS in January 2020, which sourced information from more than 100 individuals representing 39 organizations.
The Structure of ATT&CK for ICS
The core of MITRE ATT&CK for ICS provides an overview of the TTPs associated with threat actors that have carried out attacks against ICS systems. ATT&CK for ICS is industry agnostic and is therefore meant to work equally well for ICS systems that support a wide range of industrial processes for effective threat intelligence and incident response activities. ATT&CK for ICS has been mapped to seven separate ICS asset categories to enable a variety of organizations to use it easily by selecting and prioritizing cybersecurity activities. The seven asset categories currently covered include:
- Control Server
- Data Historian
- Engineering Workstation
- Field Controller/RTU/PLC/IED
- Human-Machine Interface
- Input/Output Server
- Safety Instrumented System/Protection Relay
ATT&CK for ICS also has detailed information about 96 attack techniques mapped against 11 objectives or tactics of adversaries. The mapping of these attack techniques to the above asset categories in ICS environments, 10 threat groups known to have launched attacks on ICS and 17 pieces of malicious software used for attacks enables organizations to select the techniques that are relevant to their specific environment.
How Security Teams Can Utilize ATT&CK for ICS
The power of ATT&CK for ICS is in how we apply it to specific security roles. Some critical use cases for ATT&CK for ICS include:
- Standard language and terminology for threats and adversaries
- Identification of gaps in ICS security controls and creation of defensive strategies
- Creation of ICS/OT use cases for the SOC
- Effective ICS threat intelligence and ICS incident triage and response activities
- Understanding of ICS threat behaviors
- Adversary emulation; testing of security controls and defenses
- Training of the OT security workforce
Contribute to the Evolution of ATT&CK for ICS
ATT&CK is regularly updated with new information about attack tactics. For example, ATT&CK for Enterprise has lately added multiple techniques to cover adversary behaviors against cloud-based platforms. Similarly, ATT&CK for ICS is also expected to be updated when new techniques are informed and validated by MITRE. However, ICS systems are not always fully isolated from IT, meaning that TTPs for IT environments must also be considered by organizations that have both.
As the framework continues to evolve, organizations with ICS and OT infrastructure can give back by providing information to MITRE on emerging ICS attack techniques, refining current content and developing additional use cases for ATT&CK for ICS.