What to expect from MITRE’s ATT&CK Framework for Industrial Control Systems?

  • It highlights the unique aspects of the specialized applications and protocols that ICS system operators typically use.
  • It can also help with the development of incident response playbooks, prioritizing defenses as well as finding gaps.

Recently, MITRE released an ATT&CK knowledge base of the tactics and techniques that adversaries use when attacking Industrial Control Systems (ICS) worldwide. The outcome of such attacks can range from interruptions to operations, such as power outages, to serious harm to human life and the surrounding environment.

Why do we need ATT&CK for ICS?

ICS are part of a nation’s most critical infrastructure, including energy transmission and distribution plants, oil refineries, wastewater treatment facilities, transportation systems, and more.

As for threats to ICS, the first notable incident aimed at power grids took place in Ukraine in 2015. But it didn’t stop there. The “NotPetya” campaign in 2017 caused $10 billion in damage to Ukrainian energy firms as well as airports, banks, other major companies, and government agencies.

Similarly, a former employee of a firm caused pumping station failures which spilled more than 200,000 gallons of raw sewage into parks, waterways, and the grounds of a resort. What followed was dying marine life, contaminated waters, and a terrible stench everywhere it spread.

Even without ATT&CK for ICS, the existing ATT&CK knowledge base for enterprise IT systems is still applicable to ICS, and in many cases enterprise IT systems may represent an entry point into those ICS for adversaries.

What to expect from ATT&CK for ICS?

According to Otis Alexander, lead cybersecurity engineer at MITRE, MITRE ATT&CK for ICS can help asset owners and defenders mitigate the catastrophic failures that affect property or human life.

  • ATT&CK for ICS describes adversaries’ behavior within ICS environments.
  • The framework highlights the unique aspects of the specialized applications and protocols that system operators typically use, and of which adversaries can take advantage.
  • The knowledge base is recommended for defenders who want to establish a standard language that security practitioners can use when reporting incidents.
  • It can also help with developing incident response playbooks, prioritizing defenses, and finding gaps.
  • Reporting threat intelligence, analyst training and development, and emulating adversaries during exercises also become easier.

More than 100 participants from 39 organizations reviewed, provided comments, or contributed to ATT&CK for ICS prior to launch.

What do analysts and users have to say?

Dragos’ principal ICS security analyst Austin Scott said, "ATT&CK for ICS shines a light into the unique threat behaviors leveraged by adversaries targeting Industrial Control System environments. We understand the critical importance ICS threat behaviors play in an effective cybersecurity strategy and we’re proud to contribute to this program and community resource. It is a huge win for the front-line ICS network defenders who now have a common lexicon for categorizing ICS-specific techniques to support reporting and further analysis."

Chief security architect at FireEye Christopher Glyer said, “The ATT&CK framework has been instrumental for cyber defense teams in codifying a lexicon describing how cyberattacks are conducted as well as centralizing examples of research and threat intelligence reports regarding real-world use of attacker techniques. The ICS ATT&CK framework creates a forum for establishing how ICS intrusions are unique/different from enterprise IT intrusions and will enable ICS operations and security teams to better protect these mission-critical systems.”

Cyware Publisher