This document summarizes recent updates and future plans for ATT&CK for ICS, which provides threat modeling for industrial control systems. Key points include: new mitigation techniques have been added and mapped to standards; ATT&CK for ICS is now represented in STIX and the ATT&CK Navigator; additional ICS data sources will be profiled; and real-world ICS attacks will be mapped to enterprise attack techniques. Feedback is sought on how to improve ATT&CK for ICS and its use of mitigations and characterization of data sources.

1. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17
What’s New with ATT&CK® for ICS?
Otis Alexander
https://attack.mitre.org/ics
@ojalexander

2. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17

3. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17

4. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17
ATT&CK for ICS Mitigations
https://collaborate.mitre.org/attackics/index.php/Mitigations
• M0800-M0816 are new to ATT&CK for ICS
• Each mitigation has mappings to IEC 62443 and NIST SP 800-53
• Mitigations target the following stakeholders:
• Asset owner/operators
• Integrators
• Device vendors
• Security vendors
• There is a significant focus on protecting operational and
management interfaces of embedded controllers

5. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17
STIX and Navigator Integration
•As part of ATT&CK v8, we released ATT&CK for ICS in
STIX
https://github.com/mitre/cti/tree/master/ics-attack
•A new version of ATT&CK Navigator was released as
well where you can pick the ICS domain
https://mitre-attack.github.io/attack-navigator/

6. What’s on the Horizon?

7. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17
Updates to Data Sources
• Maintaining visibility into ICS networks is essential for
quickly detecting and remediating cyber threats.
• Understanding the various data sources that are available in
ICS networks is key to this endeavor. Network traffic is a
popular source of data in ICS networks but there are other
valuable sources of data that are often overlooked.
• Embedded device logs
• Application logs
• Operational databases

8. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17
Data Sources
Configuration
• Firmware
version
• System settings
• Control logic
• Parameters
Performance and
Statistics
• CPU, memory,
disk, ethernet,
etc.
• Network
connection
information
Process
Information
• I/O values
associated with
tags
• Alarms and
faults (e.g.,
digital fault
recorder)
• Events (e.g.,
command
execution)
• Process quality
(e.g., phasor
measurement
unit)
Asset
Management
• Condition-based
monitoring
• Predictive
maintenance
• Work order
system
Physical
• Physical sensors
(e.g., tamper
detection)

9. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17
ICS Attacks Mapped to Enterprise
• We’re currently working on mapping the following ICS attacks:
• Stuxnet
• Ukraine 2015
• Industroyer
• Triton
• Adversaries do not respect theoretical boundaries (i.e., IT/ICS)
so it is important to have a deep understanding of how IT
platforms are leveraged to access and impact ICS.

10. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17
We Need Your Help!
•How can we improve ATT&CK for ICS?
•How are you currently using mitigations?
•Do you have any opinions on our data
source focus?

11. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17
attack@mitre.org
@MITREattack
Otis Alexander
@ojalexander