From attackics
Jump to navigation Jump to search

Below is a list of all 51 mitigation in ATT&CK for ICS:

Access ManagementM0801Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provided sufficient capabilities to support user identification and authentication.1 These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.2
Account Use PoliciesM0936Configure features related to account use like login attempt lockouts, specific login times, etc.
Active Directory ConfigurationM0915Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.
Antivirus/AntimalwareM0949Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems.3
Application Developer GuidanceM0913This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
Application Isolation and SandboxingM0948Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.
AuditM0947Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.
Authorization EnforcementM0800The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector 4, while IEEE 1686 defines standard permissions for users of IEDs.5
Boot IntegrityM0946Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
Code SigningM0945Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Communication AuthenticityM0802When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.
Data BackupM0953Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans 6, including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.
Data Loss PreventionM0803Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.
Disable or Remove Feature or ProgramM0942Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Encrypt Network TrafficM0808Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.
Encrypt Sensitive InformationM0941Protect sensitive data-at-rest with strong encryption.
Execution PreventionM0938Block execution of code on a system through application control, and/or script blocking.
Exploit ProtectionM0950Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Filter Network TrafficM0937Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls.7
Human User AuthenticationM0804Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including Multi-factor Authentication, Account Use Policies, Password Policies, User Account Management, Privileged Account Management, and User Account Control.
Limit Access to Resource Over NetworkM0935Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
Limit Hardware InstallationM0934Block users or groups from installing or using unapproved hardware on systems, including USB devices.
Mechanical Protection LayersM0805Utilize a layered protection design based on physical or mechanical protection systems to prevent damage to property, equipment, human safety, or the environment. Examples include interlocks, rupture disk, release values, etc.8
Minimize Wireless Signal PropagationM0806Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network.9 To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation.10
Mitigation Limited or Not EffectiveM0816This type of attack technique cannot be easily mitigated with preventative controls since it is based on the abuse of system features.
Multi-factor AuthenticationM0932Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.
Network AllowlistsM0807Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in Filter Network Traffic mitigation.
Network Intrusion PreventionM0931Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.
Network SegmentationM0930Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a "zone", and access to that zone is restricted by a "conduit", or mechanism to restrict data flows between zones by segmenting the network.1112
Operating System ConfigurationM0928Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Operational Information ConfidentialityM0809Deploy mechanisms to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).
Out-of-Band Communications ChannelM0810Have alternative methods to support communication requirements during communication failures and data integrity attacks.1314
Password PoliciesM0927Set and enforce secure password policies for accounts.
Privileged Account ManagementM0926Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Redundancy of ServiceM0811Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.
Restrict File and Directory PermissionsM0922Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Restrict Library LoadingM0944Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.
Restrict Registry PermissionsM0924Restrict the ability to modify certain hives or keys in the Windows Registry.
Restrict Web-Based ContentM0921Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.
SSL/TLS InspectionM0920Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.
Safety Instrumented SystemsM0812Utilize Safety Instrumented Systems (SIS) to provide an additional layer of protection to hazard scenarios that may cause property damage. A SIS will typically include sensors, logic solvers, and a final control element that can be used to automatically respond to an hazardous condition 8. Ensure that all SISs are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.
Software ConfigurationM0954Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.
Software Process and Device AuthenticationM0813Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.
Static Network ConfigurationM0814Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various MitM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.
Supply Chain ManagementM0817Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.
Threat Intelligence ProgramM0919A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.
Update SoftwareM0951Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.
User Account ManagementM0918Manage the creation, modification, use, and permissions associated to user accounts.
User TrainingM0917Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Vulnerability ScanningM0916Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.
Watchdog TimersM0815Utilize watchdog timers to ensure devices can quickly detect whether a system is unresponsive.


  1. ^  McCarthy, J et al.. (2018, July). NIST SP 1800-2 Identity and Access Management for Electric Utilities. Retrieved September 17, 2020.
  2. ^  Centre for the Protection of National Infrastructure. (2010, November). Configuring and Managing Remote Access for Industrial Control Systems. Retrieved September 25, 2020.
  3. ^  NCCIC. (2018, August 2). Recommended Practice: Updating Antivirus in an Industrial Control System. Retrieved September 17, 2020.
  4. ^  International Electrotechnical Commission. (2020, July 17). IEC 62351 - Power systems management and associated information exchange - Data and communications security. Retrieved September 17, 2020.
  5. ^  Institute of Electrical and Electronics Engineers. (2014, January). 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities. Retrieved September 17, 2020.
  6. ^  Department of Homeland Security. (2009, October). Developing an Industrial Control Systems Cybersecurity Incident Response Capability. Retrieved September 17, 2020.
  7. ^  Centre for the Protection of National Infrastructure. (2005, February). FIREWALL DEPLOYMENT FOR SCADA AND PROCESS CONTROL NETWORKS. Retrieved September 17, 2020.
  8. a b  A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith. (2004). APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY — IEC 61511. Retrieved September 17, 2020.
  9. ^  CISA. (2010, March). Securing Wireless Networks. Retrieved September 17, 2020.
  10. ^  DHS National Urban Security Technology Laboratory. (2019, April). Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment. Retrieved September 17, 2020.
  11. ^  IEC. (2019, February). Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components. Retrieved September 25, 2020.
  12. ^  IEC. (2013, August). Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels. Retrieved September 25, 2020.
  13. ^  National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 17, 2020.
  14. ^  Defense Advanced Research Projects Agency. (n.d.). Rapid Attack Detection, Isolation and Characterization Systems (RADICS). Retrieved September 17, 2020.