MITRE ATT&CK for ICS knowledge base



ATT&CK for ICS is a knowledge base useful for describing the actions an adversary may take while operating within an ICS network. The knowledge base can be used to better characterize and describe post-compromise adversary behavior.

ICS, which includes supervisory control and data acquisition (SCADA) systems and other control system configurations, are found in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods.) While ICS are increasingly adopting information technology (IT) solutions to promote enterprise systems connectivity and remote access capabilities, they still retain unique characteristics. Logic executing in ICS has a direct effect on the physical world. The consequences associated with this logic executing in an improper way include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial consequences such as production losses, negative impact to a nation’s economy, and compromise of proprietary information.

ATT&CK for ICS seeks to characterize and describe the actions of an adversary who seeks to cause such consequences. Enterprise networks can be used as an entry point for adversaries targeting ICS networks. ATT&CK for Enterprise describes the tactics, techniques and procedures (TTP) adversaries use to operate within these networks. Likewise, ATT&CK for Enterprise can describe adversary TTPs in Level 2 of Purdue Model. This level can house specialized ICS applications running on Windows and Linux platforms. We consider this point an interface between the ATT&CK for Enterprise and ATT&CK for ICS.

See also (Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities)


Not specified (see website if available) or see associated project