Security Experts:

Connect with us

Hi, what are you looking for?



MITRE Releases ATT&CK Knowledge Base for Industrial Control Systems

MITRE on Tuesday announced the initial release of a version of its ATT&CK knowledge base that covers the tactics and techniques used by malicious actors when targeting industrial control systems (ICS).

MITRE on Tuesday announced the initial release of a version of its ATT&CK knowledge base that covers the tactics and techniques used by malicious actors when targeting industrial control systems (ICS).

MITRE’s ATT&CK framework has been widely used by cybersecurity professionals to describe and classify attacker behavior and assess an organization’s risks. The new ATT&CK for ICS knowledge base builds upon it in an effort to help critical infrastructure and other organizations whose environments house ICS.MITRE releases ICS version of ATT&CK

In addition to a matrix that provides an overview of the tactics and techniques used by adversaries, ATT&CK for ICS covers attack techniques in more detail, the malware used by threat actors, and the threat groups known to have launched ICS-related attacks. It also includes an Assets category in order to help organizations understand which techniques can be applied to their environment.

The knowledge base currently describes 81 attack techniques, 17 pieces of malware, 10 threat groups, and 7 types of assets.

According to MITRE, the framework shows which of the ICS-specific applications and protocols — typically used by operators to interact with physical equipment — can be abused by adversaries.

Learn More About Assessing Risk in Industrial Environments at SecurityWeek’s 2020 ICS Cyber Security Conference

“The knowledge base can play several key roles for defenders, including helping establish a standard language for security practitioners to use as they report incidents,” MITRE said. “With expertise in this domain in short supply, it can also help with the development of incident response playbooks, prioritizing defenses as well as finding gaps, reporting threat intelligence, analyst training and development, and emulating adversaries during exercises.”

ATT&CK for ICS was developed with help from over 100 individuals representing 39 organizations, including security and threat intelligence companies focusing on ICS, national labs, industrial product manufacturers, universities, research institutes, government agencies, and Information Sharing and Analysis Centers (ISACs).

“Asset owners and defenders want deep knowledge of the tradecraft and technology that adversaries use in affecting industrial control systems to help inform their defenses,” said Otis Alexander, a lead cybersecurity engineer focusing on ICS security at MITRE. “Adversaries may try to interrupt critical service delivery by disrupting industrial processes. They may also try to cause physical damage to equipment. With MITRE ATT&CK for ICS, we can help mitigate the catastrophic failures that affect property or human life.”

Austin Scott, principal ICS security analyst at Dragos, commented, “[ATT&CK for ICS] is a huge win for the front-line ICS network defenders who now have a common lexicon for categorizing ICS specific techniques to support reporting and further analysis.”

Related: MITRE ATT&CK Used for Cybersecurity Skills Development

Related: MITRE Uses ATT&CK Framework to Evaluate Enterprise Security Products

Related: MITRE Publishes New List of Most Dangerous Software Weaknesses

Related: Where To Begin With MITRE ATT&CK Matrix

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.