Using the MITRE ATT&CK Framework for ICS

By Sid Snitkin


A presentation at the 2021 ARC Industry Forum Americas demonstrated the many ways the MITRE ATT&CK Framework for ICS can help ICS cybersecurity teams.

MITRE ATT&CK is a framework for communicating and consuming intelligence about cyber threat actors, tactics, and techniques. It includes a curated knowledge base of real-world observations that defenders can leverage in understanding security risks, identifying security gaps, and selecting needed mitigations.

The enterprise version of the ATT&CK framework was created by the MITRE Corporation in 2013 and has become a popular tool among IT security professionals in the private sector, government, and the cybersecurity product and service community. The ICS version of ATT&CK was developed in 2019 to address the specific needs of industrial control system (ICS) cybersecurity defenders. It reflects the unique issues of attacks on equipment at Levels 0-2 of the Purdue model.

Michael Hoffman, of Dragos, provided a great, impartial overview of the MITRE ATT&CK Framework for ICS at the 2021 ARC Industry Forum Americas. Mike has over 20 years of experience in the oil and gas industry and holds various certifications and degrees in cybersecurity from SANS. He also teaches cybersecurity courses at SANS. His talk demonstrated the comprehensiveness and power of MITRE ATT&CK for ICS and the many ways that users can leverage this information to protect critical control systems.


MITRE ATT&CK for ICS is organized around a matrix of tactics and techniques. Tactics are the individual steps, or intermediate objectives, that attackers work through to reach their ultimate goals; they include initial access, execution, persistence, evasion, and so on. Techniques are the different ways a tactical goal might be accomplished. For example, attackers could achieve initial access through techniques such as data historian compromise, drive-by compromise, engineering workstation compromise, exploit public-facing application, and external remote access.


This matrix structure provides a convenient platform for distributing threat intelligence about known attack groups, such as Xenotime, and known malware campaigns, such as Industroyer. The MITRE ATT&CK for ICS knowledge base has extensive information to help defenders identify the attack groups and malware campaigns that present the highest risks to their industries and control systems. Because attack groups tend to use different tactics and techniques, the matrix can also be used to direct defender effort towards the areas that deserve the most attention. A graphical tool on the Dragos website shows the techniques used by the many threat groups they monitor.
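As an added example (not code from the article, MITRE or Dragos), the following Python turns the matrix described above into a defender work list: given the tactics and techniques the article names, a constructed set of group-to-technique mappings and a constructed list of existing detections, it ranks undetected techniques by how many tracked groups use them and reports detection coverage per tactic. The Persistence and Evasion technique names, and "External Remote Services" as the matrix's name for what the article calls external remote access, are quoted from memory of the public ICS matrix and are an assumption to check against the current release.

```python
"""Turn an ATT&CK for ICS style matrix plus group intel into a priority list.
Added illustration, not code from the article, MITRE or Dragos. Group
mappings and the detection list are constructed placeholders, not real
threat intelligence; some technique names are assumed (see lead-in)."""
from collections import Counter

MATRIX = {
    "Initial Access": [
        "Data Historian Compromise", "Drive-by Compromise",
        "Engineering Workstation Compromise",
        "Exploit Public-Facing Application", "External Remote Services",
    ],
    "Persistence": ["Modify Program", "Module Firmware", "System Firmware"],
    "Evasion": ["Indicator Removal on Host", "Rootkit"],
}

# Constructed: techniques each tracked group has (hypothetically) been seen using.
GROUPS = {
    "GROUP-A": {"External Remote Services", "Engineering Workstation Compromise", "Modify Program"},
    "GROUP-B": {"External Remote Services", "Exploit Public-Facing Application", "Rootkit"},
    "GROUP-C": {"External Remote Services", "Drive-by Compromise", "System Firmware"},
}

# Constructed: techniques for which this site already has a detection.
DETECTIONS = {"Exploit Public-Facing Application", "Drive-by Compromise", "Rootkit"}


def prioritise_gaps(matrix, groups, detections):
    """Undetected (technique, tactic, groups_using) tuples, most-used first."""
    tactic_of = {tech: tactic for tactic, techs in matrix.items() for tech in techs}
    usage = Counter(tech for techs in groups.values() for tech in techs)
    unknown = set(usage) - set(tactic_of)
    if unknown:  # intel that names a technique outside the matrix is a data error
        raise ValueError(f"techniques not in matrix: {sorted(unknown)}")
    gaps = [(t, tactic_of[t], n) for t, n in usage.items() if t not in detections]
    return sorted(gaps, key=lambda g: (-g[2], g[1], g[0]))


def tactic_coverage(matrix, detections):
    """Share of each tactic's techniques that have at least one detection."""
    return {tactic: sum(t in detections for t in techs) / len(techs)
            for tactic, techs in matrix.items()}


if __name__ == "__main__":
    for tech, tactic, n in prioritise_gaps(MATRIX, GROUPS, DETECTIONS):
        print(f"{n} group(s) use {tech} [{tactic}] and we have no detection")
    for tactic, share in tactic_coverage(MATRIX, DETECTIONS).items():
        print(f"{tactic}: {share:.0%} of techniques covered")
```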


ARC Advisory Group clients can view the complete report at the ARC Client Portal.

If you would like to buy this report or obtain information about how to become a client, please Contact Us.

Keywords: MITRE ATT&CK Framework, ARC 2021 Industry Forum Americas, ARC Advisory Group.
