What is MITRE ATT&CK for ICS and how is it transforming ICS cyber security?

By the Radiflow Cybersecurity team

August 3, 2021

Cyber threats have always gone hand-in-hand with increased technology usage; it’s an upsetting fact, but coming to terms with it opens up the possibility of handling the problem more effectively. In the early days of the internet, cyber security was essentially a private affair, with companies investing in anti-virus software and implementing firewalls. Over time, the threat grew, but more importantly, cyber criminals became a lot more adaptable and sophisticated. A non-unified approach to the growing problem meant that the criminals were always several steps ahead of cyber security measures. In the early 2010s, it was becoming clear that a new approach was needed, and as a result of MITRE’s Fort Meade Experiment, MITRE ATT&CK was born.

MITRE ATT&CK: Approaching an old problem in a new way

MITRE ATT&CK is a knowledge base for logging and searching all types of cyber threats. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge, referring to the innovative approach MITRE took when looking for a real and workable solution to what had become an enormous problem.

The unique part of the MITRE threat matrix is the way in which categories are used: threats are listed according to tactics, and the layout is somewhat like the periodic table, grouping categories with matching criteria together. This format makes it possible to see the ways in which criminals are working and how they are developing breach strategies, giving corporations a much better chance to defend their systems.

The second half of the 2010s saw a huge increase in the number of attacks on industrial systems due to IT/OT convergence, leading to a corresponding increase in the number of reports in the MITRE ATT&CK matrix. The problem was that, despite the overlap, there is still a big difference between traditional IT systems and industrial systems.

The vocabulary and designations are not always the same, and the approaches being used by cyber criminals are also very different. This led to the creation of the MITRE ATT&CK for ICS matrix in January 2020, which provides a matrix specific to the needs of the ICS threat landscape.

12 Categories of Industrial Breach Tactics

The innovative approach used in the original MITRE ATT&CK, which took the emphasis off the malware itself and placed it on the ways in which criminals interact with networks and their underlying motivations, really comes into its own with the MITRE ATT&CK for ICS matrix. The ICS focus allowed cyber security experts to gain unprecedented insight into the ways in which threats are being developed, and enabled a more accurate ICS security risk assessment.

MITRE ATT&CK ICS designates 12 different categories for possible industrial breach tactics:

| Name | Description |
| --- | --- |
| Collection | The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal. |
| Command and Control | The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment. |
| Discovery | The adversary is trying to figure out your ICS environment. |
| Evasion | The adversary is trying to avoid being detected. |
| Execution | The adversary is trying to run code or manipulate system functions, parameters, and data in an unauthorized way. |
| Impact | The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment. |
| Impair Process Control | The adversary is trying to manipulate, disable, or damage physical control processes. |
| Inhibit Response Function | The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state. |
| Initial Access | The adversary is trying to get into your ICS environment. |
| Lateral Movement | The adversary is trying to move through your ICS environment. |
| Persistence | The adversary is trying to maintain their foothold in your ICS environment. |
| Privilege Escalation | The adversary is trying to gain higher-level permissions. |

© 2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation

Deriving usable knowledge

Using the matrix in conjunction with a digital imaging system like Radiflow iSID results in a virtual map of the entire industrial system where each entry-point is flagged according to the category of threat that may be present. Knowledge is the first step toward improved OT and ICS SCADA security, empowering the facility to close any previously unnoticed “back doors” and strengthen security measures around weak spots. 

Radiflow’s CIARA system for ICS risk assessment uses machine learning to bring all of these advanced technologies together, simplifying the process of industrial cyber security, ensuring systems remain online and are continually functional.
