
MITRE ATT&CK for ICS: A Practitioner's Implementation Guide

Introduction

MITRE ATT&CK for ICS is the most comprehensive public knowledge base of adversary techniques targeting industrial control systems. It catalogs the tactics, techniques, and procedures used by threat actors who have attacked or researched attacks against OT environments — organized into a matrix that supports structured analysis, gap assessment, and detection development.

For OT security practitioners, ATT&CK for ICS provides something that was previously unavailable: a common language for describing OT threats that is grounded in observed attacker behavior rather than theoretical vulnerability analysis. A security engineer who says "we need to detect T0843 — Program Download from unauthorized sources" is communicating a specific, well-defined threat to anyone familiar with the framework. That shared language enables clearer gap analysis, more precise vendor conversations, and more effective communication with leadership.

This guide is a practitioner's implementation reference — not a conceptual overview of the framework, but a working guide to applying it in an OT security program. It covers the matrix structure, technique-level analysis, detection capability mapping, gap analysis methodology, detection rule development, and integration with the broader security program.

ATT&CK for ICS Matrix Structure

ATT&CK for ICS organizes adversary behavior into twelve tactics — the high-level objectives an adversary pursues during an ICS-targeted attack. Within each tactic, techniques describe the specific methods used to achieve the objective.

The Twelve ICS Tactics

Tactic | ID | Description
Initial Access | TA0108 | How the adversary gains access to the ICS network
Execution | TA0104 | How the adversary runs code or commands
Persistence | TA0110 | How the adversary maintains access after initial compromise
Privilege Escalation | TA0111 | How the adversary gains higher-level permissions
Evasion | TA0103 | How the adversary avoids detection
Discovery | TA0102 | How the adversary explores the ICS environment
Lateral Movement | TA0109 | How the adversary moves between systems
Collection | TA0100 | How the adversary gathers ICS data
Command and Control | TA0101 | How the adversary communicates with compromised systems
Inhibit Response Function | TA0107 | How the adversary disrupts protective functions
Impair Process Control | TA0106 | How the adversary degrades or manipulates the process
Impact | TA0105 | The ultimate effect the adversary achieves

The distinction between the last three tactics — Inhibit Response Function, Impair Process Control, and Impact — is unique to the ICS matrix and reflects the physical process dimension of OT attacks. An adversary does not simply exfiltrate data; they degrade safety systems, manipulate process parameters, and ultimately cause physical effects.

Key Techniques for OT Security Practitioners

Rather than covering all 80+ techniques, this guide focuses on the techniques most relevant for building a practical OT detection and defense program.

T0840 — Network Connection Enumeration (Discovery): The adversary scans the OT network to map devices and communication relationships. This is frequently the first active step after gaining access. Detection: alert on scanning activity (ICMP sweeps, SYN scans, Modbus broadcast queries, ENIP broadcast discovery) from any source other than authorized asset discovery systems.

T0841 — Network Service Scanning (Discovery): Port and service scanning of OT devices to identify accessible services. Detection: alert on connection attempts to multiple ports across multiple OT devices in short timeframes.
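The T0841 detection guidance above ("connection attempts to multiple ports across multiple OT devices in short timeframes") is a windowed aggregation rather than a simple allowlist check. The following is an added example, not code from the original article or from any OT monitoring vendor: a sliding-window scan detector run over a constructed set of connection records. The 60-second window, the thresholds of three distinct ports and two distinct hosts, and the single authorized asset-discovery appliance (10.10.5.30) are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection records (not from any real network):
# "<ISO timestamp> <source IP> <destination IP> <destination port>"
SAMPLE_CONNECTIONS = [
    # SCADA server polling Modbus/TCP on four PLCs: many hosts, one port, not a scan
    "2024-05-01T08:00:00 10.10.5.21 10.10.7.10 502",
    "2024-05-01T08:00:05 10.10.5.21 10.10.7.11 502",
    "2024-05-01T08:00:10 10.10.5.21 10.10.7.12 502",
    "2024-05-01T08:00:15 10.10.5.21 10.10.7.13 502",
    # engineering workstation using two services on one PLC: one host, not a scan
    "2024-05-01T08:00:20 10.10.5.40 10.10.7.10 102",
    "2024-05-01T08:00:25 10.10.5.40 10.10.7.10 44818",
    # unknown host probing several services on several PLCs within seconds
    "2024-05-01T08:01:00 10.10.9.77 10.10.7.10 21",
    "2024-05-01T08:01:01 10.10.9.77 10.10.7.10 22",
    "2024-05-01T08:01:02 10.10.9.77 10.10.7.10 502",
    "2024-05-01T08:01:03 10.10.9.77 10.10.7.11 44818",
    "2024-05-01T08:01:04 10.10.9.77 10.10.7.12 102",
    "2024-05-01T08:01:05 10.10.9.77 10.10.7.13 20000",
    # authorized asset-discovery appliance doing the same thing: suppressed by the allowlist
    "2024-05-01T08:30:00 10.10.5.30 10.10.7.10 22",
    "2024-05-01T08:30:01 10.10.5.30 10.10.7.11 502",
    "2024-05-01T08:30:02 10.10.5.30 10.10.7.12 44818",
]

# Hypothetical tuning values and allowlist; adapt to the environment being monitored.
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_PORTS = 3
MIN_DISTINCT_HOSTS = 2
AUTHORIZED_DISCOVERY_SOURCES = {"10.10.5.30"}


def parse_connection(line):
    """Parse one constructed record into (datetime, src, dst, int port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_service_scans(lines, window=WINDOW, min_ports=MIN_DISTINCT_PORTS,
                         min_hosts=MIN_DISTINCT_HOSTS,
                         authorized=AUTHORIZED_DISCOVERY_SOURCES):
    """Return one T0841 alert per source that touches >= min_ports distinct ports
    on >= min_hosts distinct OT hosts within a sliding time window."""
    events = sorted(parse_connection(line) for line in lines)
    recent = defaultdict(deque)   # per-source events still inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, port in events:
        if src in authorized:
            continue                      # sanctioned discovery system, skip
        window_events = recent[src]
        window_events.append((ts, dst, port))
        while window_events and ts - window_events[0][0] > window:
            window_events.popleft()      # drop events older than the window
        hosts = {d for _, d, _ in window_events}
        ports = {p for _, _, p in window_events}
        if len(ports) >= min_ports and len(hosts) >= min_hosts and src not in alerted:
            alerted.add(src)             # one alert per source, not one per packet
            alerts.append({
                "technique": "T0841",
                "source": src,
                "first_seen": window_events[0][0].isoformat(),
                "hosts": sorted(hosts),
                "ports": sorted(ports),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_service_scans(SAMPLE_CONNECTIONS):
        print(alert)
```

The SCADA poller trips only the host threshold and the engineering workstation only the port threshold, so neither alerts; requiring both conditions is what keeps routine polling out of the alert queue. The allowlist is the tuning lever for Step 6 of the workflow later in this guide: every legitimate scanner that shows up during the two-week alerting-only run should end up in it.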

T0843 — Program Download (Execution): The adversary downloads modified logic to a PLC or controller. This is the core technique used by Stuxnet, CHERNOVITE, and most sophisticated OT attackers. Detection: alert on any logic download event (OT monitoring platform alert on EtherNet/IP CIP download, Modbus write to program address space) from a source other than authorized engineering workstations, and on any logic download outside of authorized maintenance windows.

T0845 — Program Upload (Collection): The adversary uploads the current PLC program, presumably to analyze it for manipulation opportunities. Detection: alert on program upload (read) requests from sources other than authorized engineering workstations.

T0855 — Unauthorized Command Message (Impair Process Control): The adversary sends control commands (Modbus write, DNP3 operate) from an unauthorized source. Detection: alert on control commands from any source other than the authorized SCADA servers and engineering workstations.

T0856 — Spoof Reporting Message (Impact): The adversary sends false process data to the SCADA system to deceive operators about the actual process state. This is one of the most dangerous techniques — operators take actions based on the false data, potentially causing physical harm. Detection: cross-validate sensor readings against independent measurements or physical process models; alert on statistically anomalous sensor value patterns.

T0800 — Activate Firmware Update Mode (Execution): The adversary triggers firmware update mode on a controller, potentially to load modified firmware. Detection: alert on firmware update mode activation or firmware upload commands outside of maintenance windows.

T0836 — Modify Parameter (Impair Process Control): The adversary changes process parameters — setpoints, limits, control loop coefficients — to disrupt or damage the process. Detection: alert on parameter modifications from unauthorized sources, or on parameter values that deviate significantly from established operating ranges.

T0838 — Modify Alarm Settings (Inhibit Response Function): The adversary modifies alarm thresholds or disables alarms to prevent operators from detecting a developing hazardous condition. Detection: alert on any alarm configuration changes outside of authorized maintenance windows.

T0816 — Device Restart/Shutdown (Impact): The adversary causes controllers to restart or shut down, disrupting process control. Detection: alert on unexpected controller restart events (OT monitoring platform; most PLCs generate a syslog or event when rebooting).

T0807 — Command-Line Interface (Execution): The adversary uses command-line interfaces on Windows-based OT systems (engineering workstations, SCADA servers) for execution. Detection: PowerShell execution monitoring, process creation logging, unusual command-line patterns on OT Windows systems.

T0812 — Default Credentials (Initial Access): The adversary uses default or weak credentials on OT devices. Mitigation: change all default credentials on every device as part of initial deployment.

T0822 — External Remote Services (Initial Access): The adversary exploits remote access infrastructure (VPN, RDP, TeamViewer) to gain initial access. Mitigation: implement MFA on all remote access, remove unnecessary remote access tools.

Mapping Detection Capabilities to ATT&CK for ICS

The most valuable use of ATT&CK for ICS in most OT security programs is as a gap analysis tool: systematically assessing which techniques you can currently detect and which you cannot, then building a prioritized roadmap to close the most important gaps.

Detection Coverage Assessment

For each ATT&CK for ICS technique relevant to your environment, assess your current detection capability:

Level | Definition
None | No data source, no detection rule, technique would succeed undetected
Partial | Relevant data source exists but no detection rule; technique might be visible in raw logs but requires manual analysis
Procedural | A detection rule exists but requires manual investigation; no automated alerting
Automated | An automated alert fires when the technique is used; analyst investigation determines true or false positive

A detection capability map that identifies which techniques fall into each category is the foundation for prioritized detection engineering work. Techniques for which detection coverage is "None" against the most relevant threat actors should be the highest-priority development targets.

Building the Technique-to-Data Source Matrix

For each technique, identify the data sources that would contain observable evidence of the technique's execution:

Technique | Data Sources
T0843 Program Download | OT monitoring platform alerts; EtherNet/IP/Modbus firewall logs; engineering workstation process creation logs
T0855 Unauthorized Command Message | OT monitoring platform alerts; Modbus firewall DPI logs; DNP3 logs
T0836 Modify Parameter | OT monitoring platform alerts; process historian (parameter value changes); SCADA audit logs
T0807 CLI on OT Windows System | Windows event logs (4688 Process Creation); PowerShell logging; Sysmon
T0822 External Remote Services | VPN authentication logs; jump server session logs; remote access platform logs

The technique-to-data source matrix reveals which data sources must be collected and forwarded to the SIEM or OT monitoring platform to support detection coverage. Data sources not currently collected represent both detection gaps and logging capability gaps.

Threat Actor Technique Mapping

Publicly available intelligence on ICS threat actor techniques allows organizations to build actor-specific detection coverage assessments — prioritizing detection of the techniques used by the adversaries most likely to target their specific sector.

CHERNOVITE / PIPEDREAM Technique Coverage

Based on published technical analysis of PIPEDREAM, the framework uses techniques including:

  • T0840 Network Connection Enumeration: PIPEDREAM scans for Modicon and OMRON devices using protocol-native queries
  • T0843 Program Download: Uploads modified logic to controllers after gaining access
  • T0814 Denial of Service: Sends malformed protocol traffic to cause controller crashes
  • T0800 Activate Firmware Update Mode: Triggers firmware update mode on target controllers
  • T0855 Unauthorized Command Message: Sends unauthorized control commands via Modbus and EtherNet/IP

For organizations with Schneider Modicon or OMRON controllers (the primary PIPEDREAM targets), detecting these specific techniques in the context of those devices is the highest-priority detection development work.

ELECTRUM / Industroyer Technique Coverage

Industroyer/CrashOverride used techniques including:

  • T0843 Program Download: Modified RTU and substation equipment configurations
  • T0855 Unauthorized Command Message: Sent spoofed IEC 104, IEC 101, and IEC 61850 control commands
  • T0838 Modify Alarm Settings: Disabled protective relays
  • T0816 Device Restart/Shutdown: Caused breaker operations and substation shutdowns

For electric utilities, detecting anomalous IEC 104, IEC 101, and IEC 61850 command patterns is directly relevant to the Industroyer threat.

Building Actor-Specific Coverage Profiles

For your two or three highest-priority threat actors:

  1. Identify their documented techniques from threat intelligence reports
  2. Map those techniques to the ATT&CK for ICS matrix
  3. Assess your current detection coverage for each technique
  4. Prioritize detection engineering efforts around techniques used by those actors that you cannot currently detect

This approach produces a detection roadmap that is directly linked to the actual threat landscape facing your organization.
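The coverage levels, the technique-to-data source matrix, and the four-step actor profile above combine into one calculation: for each technique a priority actor uses, derive its coverage level from what is collected and what rules exist, then order the gaps. The following is an added example, not code from the original article: it encodes the two actor profiles given above together with a constructed current state (which data sources are collected, which rules exist) and produces the prioritized roadmap. The data-source entries for T0814, T0800, T0838 and T0816 and the whole "current state" are assumptions for the example, not a description of any real program.

```python
from collections import defaultdict

# Coverage levels in the order used by the assessment table (lowest first).
LEVELS = ["None", "Partial", "Procedural", "Automated"]

# Technique-to-data source matrix. The T0840/T0843/T0855 rows follow the guide's matrix;
# the remaining rows are constructed for this example and should be replaced with your own.
REQUIRED_SOURCES = {
    "T0840": ["OT monitoring platform"],
    "T0843": ["OT monitoring platform", "ENIP/Modbus firewall logs", "EWS process creation logs"],
    "T0855": ["OT monitoring platform", "Modbus firewall DPI logs", "DNP3 logs"],
    "T0814": ["OT monitoring platform"],
    "T0800": ["OT monitoring platform"],
    "T0838": ["SCADA alarm configuration audit logs"],
    "T0816": ["PLC syslog"],
}

# Constructed current state: sources actually forwarded to the SIEM, and rules that exist.
COLLECTED_SOURCES = {"OT monitoring platform", "Windows event logs", "VPN authentication logs"}
RULES = {"T0843": "automated", "T0855": "procedural", "T0840": "procedural"}

# Actor technique sets as listed in the guide.
ACTOR_TECHNIQUES = {
    "CHERNOVITE/PIPEDREAM": ["T0840", "T0843", "T0814", "T0800", "T0855"],
    "ELECTRUM/Industroyer": ["T0843", "T0855", "T0838", "T0816"],
}


def coverage_level(technique, collected=COLLECTED_SOURCES, rules=RULES):
    """Apply the four-level definition: no source -> None, source but no rule -> Partial,
    rule needing manual work -> Procedural, alerting rule -> Automated."""
    sources = REQUIRED_SOURCES.get(technique, [])
    if not any(s in collected for s in sources):
        return "None"
    rule = rules.get(technique)
    if rule is None:
        return "Partial"
    return "Procedural" if rule == "procedural" else "Automated"


def data_source_gaps(techniques, collected=COLLECTED_SOURCES):
    """Data sources the given techniques need that are not collected: these are both
    detection gaps and logging capability gaps."""
    missing = set()
    for t in techniques:
        missing.update(s for s in REQUIRED_SOURCES.get(t, []) if s not in collected)
    return sorted(missing)


def prioritized_gaps(actors):
    """Techniques used by the chosen actors that are below Automated, ordered by
    weakest coverage first, then by how many priority actors use the technique."""
    users = defaultdict(list)
    for actor in actors:
        for t in ACTOR_TECHNIQUES[actor]:
            users[t].append(actor)
    rows = [(t, coverage_level(t), sorted(a)) for t, a in users.items()
            if coverage_level(t) != "Automated"]
    rows.sort(key=lambda r: (LEVELS.index(r[1]), -len(r[2]), r[0]))
    return rows


if __name__ == "__main__":
    for technique, level, actors in prioritized_gaps(list(ACTOR_TECHNIQUES)):
        print(f"{technique}  {level:<11} used by {', '.join(actors)}")
    print("data sources to onboard:", data_source_gaps(REQUIRED_SOURCES))
```

With the constructed state, T0816 and T0838 come out first because nothing that would show them is being collected at all, while T0855 outranks T0840 within the Procedural tier because both priority actors use it. Swapping in your own collected-source set and rule inventory is the whole of the adaptation needed.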

Building Detection Rules Aligned with ATT&CK for ICS

Detection Engineering Workflow

For each technique to be detected:

Step 1 — Define the behavior: What does the technique look like in your specific environment? T0843 (Program Download) on a Siemens S7-1500 via TIA Portal looks different from T0843 on a Rockwell ControlLogix via Studio 5000. Be specific.

Step 2 — Identify the data source: Which data source(s) will contain observable evidence of this specific behavior in your environment?

Step 3 — Define normal: What does normal activity look like in this data source? When do authorized Program Downloads occur? Who initiates them? At what frequency? From which source addresses?

Step 4 — Define the anomaly: What deviation from normal represents a potential T0843 execution? A Program Download from a source address that is not an authorized engineering workstation. A Program Download outside of authorized maintenance windows. A Program Download followed immediately by a Device Restart (T0816) — a combination that may indicate the attacker is testing their modified logic.

Step 5 — Write the detection rule: Implement the detection in the OT monitoring platform or SIEM. Include the ATT&CK technique reference in the rule name and description for traceability.

Step 6 — Tune the rule: Run the rule in an alerting-only mode for two weeks. Review every alert to distinguish true positives (actual anomalies worth investigating) from false positives (legitimate activities that match the rule). Adjust the rule to reduce false positives without losing true positive sensitivity.

Step 7 — Create the playbook: Write an investigation playbook for this detection (see TG-012 SOC Design for playbook structure). Analysts who receive the alert must know what to investigate and how.

Example Detection Rule: T0843 Program Download from Unauthorized Source

Platform: OT monitoring platform (Dragos / Claroty / Nozomi) + SIEM

Data source: OT monitoring platform detecting EtherNet/IP CIP downloads

Rule logic:

ALERT when:
  Protocol = EtherNet/IP CIP
  Service = Download (service code 0x16)
  Destination = [PLC IP address range]
  Source NOT IN [authorized_engineering_workstations_list]
OR
  Protocol = EtherNet/IP CIP
  Service = Download
  Time NOT IN [authorized_maintenance_windows]

Alert severity: High (requires immediate investigation)

ATT&CK reference: T0843 Program Download

Investigation playbook: [link to T0843 investigation playbook]

Example Detection Rule: T0855 Modbus Write from Unauthorized Source

Platform: Industrial firewall DPI logs + SIEM

Data source: Industrial firewall with Modbus DPI logging write commands

Rule logic:

ALERT when:
  Protocol = Modbus TCP
  Function Code IN [0x05, 0x06, 0x0F, 0x10] (write functions)
  Destination = [PLC IP address range]
  Source NOT IN [authorized_scada_servers, authorized_engineering_workstations]

Alert severity: High

ATT&CK reference: T0855 Unauthorized Command Message
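The two rule descriptions above, plus the Step 4 observation that a Program Download followed immediately by a Device Restart (T0816) deserves its own alert, can be expressed as one evaluator over normalized OT events. The following is an added example, not code from the original article or from any monitoring platform: it runs the T0843 and T0855 rules and the download-then-restart correlation over a constructed event list. The PLC range, the authorized workstation and SCADA server addresses, the Tuesday 18:00 to 22:00 maintenance window, the five-minute correlation window, and the event field names are assumptions for the example; the CIP service code and Modbus function codes are the ones stated in the rules above.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Hypothetical site facts (assumptions for this example; replace with your own inventory).
PLC_RANGE = ipaddress.ip_network("10.10.7.0/24")
AUTHORIZED_EWS = {"10.10.5.40", "10.10.5.41"}
AUTHORIZED_SCADA = {"10.10.5.21", "10.10.5.22"}
MAINTENANCE_WINDOWS = [(1, time(18, 0), time(22, 0))]   # (weekday, start, end): Tuesdays 18:00-22:00
MODBUS_WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}       # write functions named in the T0855 rule
CIP_DOWNLOAD_SERVICE = 0x16                             # download service code named in the T0843 rule
RESTART_CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed events in a normalized form (not real captures). 2024-05-07 is a Tuesday.
SAMPLE_EVENTS = [
    {"ts": "2024-05-07T19:00:00", "protocol": "ENIP-CIP", "service": 0x16,
     "src": "10.10.5.40", "dst": "10.10.7.10"},                         # authorized EWS, in window
    {"ts": "2024-05-08T03:12:00", "protocol": "ENIP-CIP", "service": 0x16,
     "src": "10.10.9.77", "dst": "10.10.7.10"},                         # unknown host, 03:12 Wednesday
    {"ts": "2024-05-08T03:14:30", "protocol": "device-event", "event": "restart",
     "dst": "10.10.7.10"},                                              # PLC restart 2.5 min later
    {"ts": "2024-05-08T09:00:00", "protocol": "Modbus-TCP", "function": 0x06,
     "src": "10.10.5.21", "dst": "10.10.7.11"},                         # SCADA server write, authorized
    {"ts": "2024-05-08T09:05:00", "protocol": "Modbus-TCP", "function": 0x10,
     "src": "10.10.9.77", "dst": "10.10.7.11"},                         # unauthorized write
    {"ts": "2024-05-08T09:06:00", "protocol": "Modbus-TCP", "function": 0x03,
     "src": "10.10.9.77", "dst": "10.10.7.11"},                         # read: outside this rule's scope
]


@dataclass
class Alert:
    technique: str
    severity: str
    source: str
    destination: str
    reasons: list


def in_maintenance_window(ts):
    """True when ts falls inside any authorized maintenance window."""
    return any(ts.weekday() == wd and start <= ts.time() <= end
               for wd, start, end in MAINTENANCE_WINDOWS)


def is_plc(addr):
    return ipaddress.ip_address(addr) in PLC_RANGE


def evaluate(events):
    """Apply the T0843 rule, the T0855 rule and the download-then-restart correlation."""
    alerts = []
    recent_downloads = []          # (timestamp, PLC) pairs kept for restart correlation
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        src, dst = ev.get("src", ""), ev["dst"]
        if not is_plc(dst):
            continue               # both rules are scoped to the PLC address range
        if ev["protocol"] == "ENIP-CIP" and ev.get("service") == CIP_DOWNLOAD_SERVICE:
            recent_downloads.append((ts, dst))
            reasons = []
            if src not in AUTHORIZED_EWS:
                reasons.append("source is not an authorized engineering workstation")
            if not in_maintenance_window(ts):
                reasons.append("outside authorized maintenance window")
            if reasons:            # either branch of the rule's OR is enough to alert
                alerts.append(Alert("T0843", "High", src, dst, reasons))
        elif ev["protocol"] == "Modbus-TCP" and ev.get("function") in MODBUS_WRITE_FUNCTIONS:
            if src not in AUTHORIZED_SCADA | AUTHORIZED_EWS:
                alerts.append(Alert("T0855", "High", src, dst,
                                    ["Modbus write from unauthorized source"]))
        elif ev["protocol"] == "device-event" and ev.get("event") == "restart":
            if any(d == dst and timedelta(0) <= ts - dts <= RESTART_CORRELATION_WINDOW
                   for dts, d in recent_downloads):
                alerts.append(Alert("T0843+T0816", "High", dst, dst,
                                    ["device restart within correlation window of a program download"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The authorized download on Tuesday evening produces nothing, which is the behaviour the "define normal" step is meant to encode; the same download from an unknown host at 03:12 trips both branches of the rule, and the restart that follows it becomes a separate, higher-confidence alert because it links two techniques. Keeping the technique ID in the Alert record is what gives the SIEM rule name and the playbook their traceability.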

ATT&CK for ICS in Threat Modeling

Beyond detection, ATT&CK for ICS supports structured threat modeling for OT environments.

Attack Path Analysis

Choose a specific impact scenario — for example, T0826 Loss of Availability for a primary DCS controller in the process. Work backward through the tactic chain:

Impact: T0826 Loss of Availability (DCS controller offline)
  ↑
Impair Process Control: T0836 Modify Parameter → corrupt control loop causing equipment trip
  ↑
Execution: T0843 Program Download → deploy modified logic
  ↑
Lateral Movement: T0867 Lateral Tool Transfer → move from IT network to OT network after initial compromise
  ↑
Initial Access: T0822 External Remote Services → compromise vendor VPN credentials

This attack path analysis produces a chain of techniques. For each technique in the chain:

  • What is the current detection capability?
  • What is the current mitigation in place?
  • At which point in the chain can the attack be most effectively disrupted?

Attack path analysis helps prioritize investment at the points in the attack chain where disruption is most achievable.

Purple Team Exercise Planning

ATT&CK for ICS provides the common language for planning purple team (collaborative adversary simulation) exercises in OT environments. The ATT&CK technique reference allows the blue team to communicate specifically which detections are being tested and allows the red team to describe specifically which techniques are being executed.

For OT environments where active exploitation during testing carries unacceptable process risk, tabletop-based purple team exercises are viable: the red team describes the actions they would take using ATT&CK technique references; the blue team assesses whether they have the data sources and detection rules that would have generated alerts. This provides detection coverage assessment without operational risk.

Using ATT&CK for ICS in Reporting

ATT&CK for ICS provides a framework for reporting OT security findings to both technical and executive audiences.

Technical Reporting

When documenting security assessment findings or incident reports, reference ATT&CK techniques explicitly:

"The assessment identified that the OT monitoring platform has no detection capability for T0843 Program Download from unauthorized sources. An adversary who gains access to the OT network via T0822 External Remote Services could download modified PLC logic without generating any alert in the current monitoring infrastructure."

This framing links the finding to a specific, documented technique and makes the risk concrete and reproducible.

Executive Reporting

For leadership communication, the tactic-level abstraction provides appropriate granularity:

"Our current OT monitoring has strong coverage against Discovery and Initial Access techniques, but limited coverage against Execution and Impair Process Control — the techniques used in later-stage attacks where adversaries directly manipulate the process. Our Q3 roadmap focuses on building detection capabilities for the techniques in these tactic categories."

The tactic-level framing communicates program maturity and roadmap direction without requiring executive audiences to understand specific protocol behaviors.

Integration with the Broader Security Program

ATT&CK for ICS is most valuable when it is integrated throughout the security program rather than used as a one-time analysis tool.

Integrate with risk assessment: When assessing the risk of a specific vulnerability, map the exploitation technique to ATT&CK for ICS. This helps communicate whether the vulnerability enables Discovery-phase techniques (reconnaissance) or Impair Process Control techniques (actual physical impact), which are very different risk categories.

Integrate with vendor evaluation: When evaluating OT security products (monitoring platforms, firewalls), ask vendors to provide an ATT&CK for ICS coverage matrix showing which techniques their product detects. This enables direct comparison across vendors.

Integrate with security awareness: Include ATT&CK technique descriptions in tabletop exercise scenarios so that exercises develop analysts' familiarity with the technique taxonomy alongside their incident response skills.

Keep it current: MITRE updates ATT&CK for ICS periodically as new adversary behavior is documented. Review updates annually and assess whether new techniques require new detection development.

Conclusion

ATT&CK for ICS transforms OT security from a compliance-oriented exercise into a threat-informed discipline. Organizations that use the framework as a working tool — mapping detection coverage, prioritizing against known adversaries, engineering detections for specific techniques, and communicating findings using the common language the framework provides — build fundamentally more defensible OT security programs than those that treat it as a reference document.

The investment in ATT&CK for ICS is an investment in precision: precise understanding of threats, precise assessment of gaps, and precise development of defenses. That precision is what separates a mature OT security program from a checklist compliance exercise.


Beacon Security provides ATT&CK for ICS mapping assessments, detection capability gap analysis, detection rule engineering, and purple team exercises for OT security programs. Contact us to assess your current ATT&CK for ICS detection coverage and build a roadmap for closing critical gaps.
