The components of the MITRE ATT&CK for ICS framework reflect the distinction between IT and OT environments in accordance with the Purdue Reference Model. The framework focuses on operational technology (OT), which includes devices such as PLCs, actuators, and sensors. These devices control physical assets such as valves, motors, power lines, and water treatment plants, all of which have strict safety and reliability requirements.
The framework consists of 11 categories of adversarial tactics that make up the entire attack chain. The table below provides an overview of the MITRE ATT&CK for ICS tactics.
| Tactic | Description |
| --- | --- |
| Initial Access | How an adversary gains an initial foothold within a victim's ICS environment, for example through drive-by compromise, engineering workstation compromise, external remote services, or the exploitation of public-facing applications. |
| Execution | Techniques that allow an adversary to run and control malicious code on a targeted system or device. |
| Persistence | How an adversary maintains their foothold within a compromised ICS environment despite potential disruptions such as restarts and credential changes. |
| Evasion | Methods for avoiding detection by human operators and technical defenses during an attack. |
| Discovery | Methods used by adversaries to orient themselves and gather knowledge about an ICS environment's internal network, devices, and processes in order to inform targeting and subsequent tactics. |
| Lateral Movement | How an adversary moves throughout a compromised ICS environment, possibly gaining access to additional assets and privileges. |
| Collection | How an adversary gathers data and domain knowledge to help inform their objectives within an ICS environment. |
| Command and Control | Techniques an adversary uses to communicate with and control compromised ICS systems, devices, and platforms through vectors such as commonly used ports, connection proxies, and standard application layer protocols. |
| Inhibit Response Function | Techniques an adversary may use to prevent an organization from responding to failures, disruptions, and other anomalies within a targeted ICS environment. |
| Impair Process Control | Methods of disabling, manipulating, or damaging physical control processes. |
| Impact | Techniques for disrupting, manipulating, or destroying the integrity or availability of ICS systems, data, and their environment. |
ATT&CK for ICS vs. ATT&CK for Enterprise
ATT&CK for ICS builds on the foundation of the globally renowned ATT&CK for Enterprise knowledge base. However, that knowledge base cannot simply be applied as-is to an OT environment, for several reasons.
First, the OT technology overall is different from IT. The strategies to mitigate cyber-attacks against ICS systems must consider the safety and reliability of processes. The OT environment is very resistant to policy changes that might impact operational processes.
Secondly, the stages and life cycle of a cyber-attack are different. The ICS environment is focused on operational and safety factors. Hence, the main goal of the adversary is to disrupt operational processes, which involves additional stages to manipulate operational and safety factors.
Finally, the motivation and the objectives are different. The main goal of an attacker in an OT environment is to access and impair physical processes that are controlled by specialized hardware. Because of the safety controls already in place, impacting the industrial process requires the adversary to employ a different set of tactics, methods, and tools.
Despite their differences, the two MITRE frameworks can work hand in hand to secure industries. The best approach is to use ATT&CK for Enterprise on the upper two levels of the Purdue model for ICS (historians, workstations, etc.), and ATT&CK for ICS on the lower three levels of the model (PLCs, actuators, sensors, etc.). This way, industries can leverage the knowledge base of both frameworks to prevent cyber-attacks against both the IT and the OT side of operations.
Final considerations
When implementing the MITRE ATT&CK for ICS framework, industries should not consider it a panacea against all potential adversarial actions. Instead, they should augment their security strategies with a robust physical security policy to prevent tampering with the physical perimeter by adversaries in close proximity. Adversaries may use mobile phones or even hard-to-detect drones to capture information or conduct surveillance.
As technology evolves, so do the tactics used by attackers. Attackers act and defenders counteract. The scarcity of publicly available information about cyber-attacks, owing to the nature of industrial businesses, is a further disadvantage. Because of this information asymmetry, industries should always look for ways to improve their cybersecurity policies and practices beyond the MITRE frameworks. The frameworks should act as the baseline on which to build stronger and more efficient countermeasures to deter adversaries.
Cybersecurity risk is real. While industries cannot protect against all attacks, a risk-based approach based on vulnerability assessments and controls to measure and manage security health is the way to mitigate business-critical risks. ITEGRITI can help. Visit our website to learn more.
Other blogs in our MITRE ATT&CK Series:
MITRE ATT&CK Framework: Part 1 What is the MITRE ATT&CK Framework and Why is it Important?
MITRE ATT&CK Framework: Part 2 MITRE’s PRE-ATT&CK Tactics