
ICS networks are very heterogeneous environments. There are many software/hardware platforms, applications and protocols present in these environments. Because of this, ATT&CK for ICS techniques don't necessarily apply to all functional levels of the Purdue Model. ATT&CK for ICS adds the organizational unit of Levels, which are based on the Purdue Model, to help ATT&CK for ICS users understand which techniques are applicable to their environment.

Enterprise networks, associated with Levels 3 and 4 of the Purdue Model, can be used as a starting point for adversaries targeting ICS networks. ATT&CK for Enterprise describes the tactics, techniques and procedures (TTPs) adversaries use to operate within these networks. Likewise, even in Level 2 of ICS networks, where specialized applications run on top of Windows and Linux platforms, ATT&CK for Enterprise can describe adversary TTPs. We consider this point the interface between the ATT&CK for Enterprise model and the ATT&CK for ICS model.

Here we list the functional levels of the Purdue Model that are the focus of ATT&CK for ICS. Each page details the functions, assets and techniques associated with the level.

Level 0: The I/O network level includes the actual physical processes and sensors and actuators that are directly connected to process equipment.

Level 1: The control network level includes the functions involved in sensing and manipulating physical processes. Typical devices at this level are programmable logic controllers (PLCs), distributed control systems, safety instrumented systems and remote terminal units (RTUs).

Level 2: The supervisory control LAN level includes the functions involved in monitoring and controlling physical processes and the general deployment of systems such as human-machine interfaces (HMIs), engineering workstations and historians.