ATT&CK for Industrial Control Systems (ICS) is a knowledge base useful for describing the actions an adversary may take while operating within an ICS network. The knowledge base can be used to better characterize and describe post-compromise adversary behavior.
ICS, which include supervisory control and data acquisition (SCADA) systems and other control system configurations, are found in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods).[1]
While ICS are increasingly adopting information technology (IT) solutions to promote enterprise systems connectivity and remote access capabilities, they still retain unique characteristics. Logic executing in ICS has a direct effect on the physical world. The consequences of this logic executing improperly include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial consequences such as production losses, negative impact on a nation's economy, and compromise of proprietary information.[1] ATT&CK for ICS seeks to characterize and describe the actions of an adversary who seeks to cause such consequences.
Enterprise networks can be used as an entry point for adversaries targeting ICS networks. ATT&CK for Enterprise describes the tactics, techniques and procedures (TTPs) adversaries use to operate within these networks. Likewise, ATT&CK for Enterprise can describe adversary TTPs in Level 2 of the Purdue Model, the level that can house specialized ICS applications running on Windows and Linux platforms. We consider this point the interface between ATT&CK for Enterprise and ATT&CK for ICS.
The adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:[1]
- Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
- Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
- Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have broad negative effects.
- ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.
- Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
- Interference with the operation of safety systems, which could endanger human life.
ATT&CK for ICS focuses on adversaries whose primary goal is disrupting an industrial control process, destroying property, or causing temporary or permanent harm or death to humans by attacking industrial control systems. The tactic category Impact has been added to reflect these adversary goals.

ICS operators work to keep the system in a safe, working state 24/7 and are a key target for adversaries. The Inhibit Response Function tactic has been added to reflect the adversary's goal of fooling an operator into thinking everything in the system is OK, or into performing incorrect actions on the system.

While the primary source of data is publicly available cyber incident reports, credible attacks published by academia and the broader ICS community are also used to augment ATT&CK for ICS content where appropriate.

ICS networks are very heterogeneous environments, with many software/hardware platforms, applications and protocols present. Because of this, ATT&CK for ICS techniques do not necessarily apply to all ICS assets. ATT&CK for ICS adds the organizational units of Levels, which are based on the Purdue Model, and Assets to help ATT&CK for ICS users understand which techniques are applicable to their environment.