Few of us have directly experienced the loss of a critical service or piece of infrastructure (a power outage, a hospital cut off from its patient data), but the security community has seen explosive growth in cyberattacks against operational technology (OT) environments. The IBM X-Force Threat Intelligence Index 2020 found that attacks on OT targets increased by 2,000 percent in 2019 compared with 2018, and this trend is expected to continue in the coming years.

In security operations centers (SOCs), we have already seen the value that MITRE ATT&CK provides: an encyclopedia of tactics, techniques and procedures (TTPs) mapped from real-world observations of adversaries. The knowledge base lets security teams tie detections, controls and threat models back to specific adversary TTPs when conducting a gap analysis or threat modeling.

Why Was ATT&CK for ICS Created?

OT and industrial control systems (ICS) operate differently from traditional IT systems, and attackers follow TTPs specific to the OT domain and the targeted industry. Most ICS environments combine IT systems, controllers, supervisory control and data acquisition (SCADA) systems and human-machine interfaces (HMIs) that connect to industrial equipment over specialized protocols.

Adversary goals are also different in these environments: human safety can be endangered when physical processes are no longer controlled properly. This has created interest among OT security teams around the globe in a standardized view of ICS-specific TTPs that could help answer questions such as:

  • What are the common attack kill chains?
  • How should they be prioritized?
  • What are the gaps in detection and prevention controls for each TTP?

In response, MITRE released ATT&CK for ICS in January 2020, sourcing information from more than 100 individuals representing 39 organizations.

The Structure of ATT&CK for ICS

The core of MITRE ATT&CK for ICS is an overview of the TTPs used by threat actors that have attacked ICS environments. ATT&CK for ICS is industry agnostic and is meant to apply equally to ICS supporting any industrial process, for both threat intelligence and incident response activities. Its techniques are mapped to seven ICS asset categories so that organizations can select and prioritize cybersecurity activities for the assets they actually operate. The seven asset categories currently covered are:

  1. Control Server
  2. Data Historian
  3. Engineering Workstation
  4. Field Controller/RTU/PLC/IED
  5. Human-Machine Interface
  6. Input/Output Server
  7. Safety Instrumented System/Protection Relay

ATT&CK for ICS also documents 96 attack techniques mapped to 11 adversary objectives, or tactics. The mapping of these techniques to the asset categories above, to 10 threat groups known to have attacked ICS and to 17 pieces of malicious software used in those attacks lets organizations select the techniques that are relevant to their specific environment.

How Security Teams Can Utilize ATT&CK for ICS

The power of ATT&CK for ICS lies in how it is applied to specific security roles. Some critical use cases include:

  • Standard language and terminology for threats and adversaries
  • Identification of gaps in ICS security controls and creation of defensive strategies
  • Creation of ICS/OT use cases for the SOC
  • Effective ICS threat intelligence and ICS incident triage and response activities
  • Understanding of ICS threat behaviors
  • Adversary emulation; testing of security controls and defenses
  • Training of the OT security workforce
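The gap-analysis questions above ("What are the gaps in detection and prevention controls for each TTP?" and "How should they be prioritized?") come down to joining the technique-to-tactic-to-asset mapping against your own control inventory. The following is an added example, not code from MITRE or from this article: it runs that join over a small constructed sample of the mapping and a constructed SOC coverage list, reports uncovered techniques per asset category and per tactic, ranks them with an illustrative safety-weighted heuristic, and emits an ATT&CK Navigator-style layer. The technique IDs and names are ATT&CK for ICS techniques as I recall them; the tactic and asset assignments, the coverage data, the priority weights and the layer field names (`techniqueID`, `score`, `domain`) are assumptions for illustration and should be replaced by data loaded from MITRE's current release and checked against the Navigator version you run.

```python
"""Added example: coverage gap check over an ATT&CK for ICS-style mapping."""
from collections import defaultdict

# Constructed sample of technique -> tactics -> asset categories. The IDs and
# names are ICS techniques as recalled; tactic and asset assignments are
# illustrative. Load the real mapping from MITRE's STIX release in practice.
TECHNIQUES = [
    {"id": "T0883", "name": "Internet Accessible Device",
     "tactics": ["Initial Access"],
     "assets": ["Control Server", "Field Controller/RTU/PLC/IED"]},
    {"id": "T0866", "name": "Exploitation of Remote Services",
     "tactics": ["Initial Access", "Lateral Movement"],
     "assets": ["Engineering Workstation", "Human-Machine Interface", "Data Historian"]},
    {"id": "T0812", "name": "Default Credentials",
     "tactics": ["Lateral Movement"],
     "assets": ["Field Controller/RTU/PLC/IED", "Human-Machine Interface"]},
    {"id": "T0843", "name": "Program Download",
     "tactics": ["Lateral Movement"],
     "assets": ["Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay"]},
    {"id": "T0842", "name": "Network Sniffing",
     "tactics": ["Discovery", "Collection"],
     "assets": ["Engineering Workstation", "Input/Output Server"]},
    {"id": "T0814", "name": "Denial of Service",
     "tactics": ["Inhibit Response Function"],
     "assets": ["Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay"]},
    {"id": "T0855", "name": "Unauthorized Command Message",
     "tactics": ["Impair Process Control"],
     "assets": ["Field Controller/RTU/PLC/IED", "Input/Output Server"]},
    {"id": "T0831", "name": "Manipulation of Control",
     "tactics": ["Impact"],
     "assets": ["Control Server", "Field Controller/RTU/PLC/IED",
                "Safety Instrumented System/Protection Relay"]},
]

# Constructed SOC control inventory: which techniques have a detection use case
# and which have a preventive control. Techniques with no entry are uncovered.
COVERAGE = {
    "T0883": {"detect": True,  "prevent": True},   # perimeter policy + exposure alert
    "T0866": {"detect": True,  "prevent": False},  # IDS signature only
    "T0812": {"detect": False, "prevent": True},   # defaults rotated, no login alerting
    "T0842": {"detect": False, "prevent": False},
    "T0814": {"detect": True,  "prevent": False},  # controller heartbeat-loss alarm
}

# Constructed prioritization heuristic: weight techniques that can reach
# safety-relevant assets and that sit in the process-affecting tactics.
SAFETY_ASSETS = {"Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED"}
PROCESS_TACTICS = {"Inhibit Response Function", "Impair Process Control", "Impact"}


def priority(tech):
    """Higher means fix first: breadth of assets, safety assets, process tactics."""
    score = len(tech["assets"])
    score += 2 * len(SAFETY_ASSETS & set(tech["assets"]))
    score += 3 * len(PROCESS_TACTICS & set(tech["tactics"]))
    return score


def gap_report(techniques, coverage):
    """Return (uncovered_by_asset, uncovered_by_tactic, ranked) where ranked is a
    list of (technique id, missing control kinds) ordered by priority()."""
    by_asset = defaultdict(list)
    by_tactic = defaultdict(list)
    uncovered = []
    for tech in techniques:
        ctl = coverage.get(tech["id"], {"detect": False, "prevent": False})
        missing = [k for k in ("detect", "prevent") if not ctl.get(k, False)]
        if not missing:
            continue  # both a detection and a preventive control exist
        uncovered.append((tech, missing))
        for asset in tech["assets"]:
            by_asset[asset].append(tech["id"])
        for tactic in tech["tactics"]:
            by_tactic[tactic].append(tech["id"])
    ranked = sorted(uncovered, key=lambda tm: (-priority(tm[0]), tm[0]["id"]))
    return dict(by_asset), dict(by_tactic), [(t["id"], m) for t, m in ranked]


def navigator_layer(techniques, coverage, name="ICS control coverage"):
    """Emit a Navigator-style layer (score 0..2 = number of control kinds present).
    Field names are assumed here; verify against the Navigator layer spec in use."""
    entries = []
    for tech in techniques:
        ctl = coverage.get(tech["id"], {})
        score = int(bool(ctl.get("detect"))) + int(bool(ctl.get("prevent")))
        entries.append({"techniqueID": tech["id"], "score": score,
                        "comment": "detect=%s prevent=%s"
                                   % (ctl.get("detect", False), ctl.get("prevent", False))})
    return {"name": name, "domain": "ics-attack", "techniques": entries}


if __name__ == "__main__":
    by_asset, by_tactic, ranked = gap_report(TECHNIQUES, COVERAGE)
    for tid, missing in ranked:
        print(tid, "missing:", ", ".join(missing))
    for asset, ids in sorted(by_asset.items()):
        print(asset, "->", ids)
```

With the sample data the ranking puts Manipulation of Control and Denial of Service first, because they reach the safety system and the field controllers and sit in the Impact and Inhibit Response Function tactics, while Network Sniffing, which has no control at all, lands last because it only touches workstation-class assets. That is the point of mapping to asset categories: the same "no coverage" status means something different on a safety instrumented system than on an engineering workstation.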

Contribute to the Evolution of ATT&CK for ICS

ATT&CK is regularly updated with new information about adversary tactics and techniques. For example, ATT&CK for Enterprise has recently added multiple techniques covering adversary behavior against cloud platforms. ATT&CK for ICS is likewise expected to be updated as new techniques are submitted to and validated by MITRE. Note also that ICS networks are rarely fully isolated from IT, and many documented ICS intrusions began on the IT side, so organizations that run both must consider ATT&CK for Enterprise TTPs alongside the ICS ones.

As the framework continues to evolve, organizations with ICS and OT infrastructure can give back by providing MITRE with information on emerging ICS attack techniques, refining the current content and developing additional use cases for ATT&CK for ICS.
