Winter Issue of The Bridge on Frontiers of Engineering
December 25, 2021 Volume 51 Issue 4
The NAE’s Frontiers of Engineering symposium series forged ahead despite the challenges of the pandemic, with virtual and hybrid events in 2021. This issue features selected papers from early-career engineers reporting on new developments in a variety of areas.

Threat-Informed Defenses for Industrial Control Systems

Tuesday, January 4, 2022

Authors: Adam Hahn, Otis Alexander, and Marie Collins

A knowledge base of known adversarial behaviors can help organizations prepare for, mitigate, and prevent threats to industrial control systems.

Industrial control systems (ICS), the foundation of the nation’s critical infrastructure, are increasingly the target of sophisticated cyber threats. Recent US intelligence reports have claimed that multiple state actors maintain the ability to “launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure” (e.g., Coats 2019, p. 5).

While cyber threats to more traditional information technology (IT) environments have been observed for many years, sophisticated attacks targeting ICS environments have been identified only in the past decade or so. For example, in 2010 the Stuxnet malware was discovered targeting programmable logic controllers (PLCs) used to operate an Iranian uranium enrichment facility (Falliere et al. 2010); attacks on Ukraine’s electric grid were identified in 2015 and 2016 (E-ISAC 2016; Cherepanov 2017); and in 2017 the Triton malware was identified manipulating the safety instrumented systems used to protect critical processes at an oil refinery (Johnson et al. 2017).

These scenarios highlight risks to ICS, but there remains a lack of systematized knowledge of how these threats could impact the spectrum of critical ICS facilities and technologies. Better understanding of these threats is paramount to the development of effective ICS defenses.

Threat-Informed Defenses Using ATT&CK for ICS

To address these challenges, MITRE has developed the ATT&CK for ICS knowledge base, which maps adversarial tactics and techniques observed across many real-world attacks to help better understand how cyber adversaries target critical infrastructure and to identify defenses that are tailored to these techniques.

The knowledge base systematizes the different technical procedures adversaries have used across the observed ICS attacks. These procedures are grouped into common techniques if they use similar methods across different technologies or environments. Techniques are then categorized into tactics that represent the adversary’s technical goal, such as how the adversary gains initial access, how they maintain persistence on systems, how they achieve lateral movement to access their target, and how they evade detection mechanisms.

Most importantly for ICS, the tactics also highlight how attackers can (i) impair process control to manipulate the underlying physical infrastructure and (ii) inhibit response functions so that operators and automated safety mechanisms cannot detect or respond to that manipulation.

Table 1 provides an overview of ATT&CK for ICS, showing tactics (top row) and associated techniques (cells). Shading designates techniques observed in different attacks: yellow for Stuxnet (2010), green for Industroyer (2016), blue for Triton (2017), and orange for techniques observed across multiple attacks.

Table 1

Known Adversary Techniques

The knowledge base highlights the multidisciplinary elements of ICS security. Some adversary techniques heavily overlap with those long observed in typical IT environments, such as the reuse of valid credentials to gain access to systems or the use of network sniffing to obtain data from existing communications.

Most of the identified adversary techniques are highly tailored to ICS processes and technologies. For example, techniques like program upload are needed for adversaries to extract the plant-specific application logic deployed on the PLC, while brute force input/output (I/O) can be used to directly trigger a control function through the PLC. Understanding how adversaries could perform such actions requires a strong technical understanding of various PLC architectures and the operational processes they support.

Detection, Mitigation, and Prevention

In addition to categorization of the technical methods needed to execute an attack, ATT&CK for ICS defines mitigations and data sources that can be used to detect and prevent adversarial behavior. These mitigations span broad sets of technologies and procedures that can both prevent adversary access and minimize the impact of a successful attack.

While traditional cybersecurity mitigations, like network segmentation and multifactor authentication, can help prevent many adversary techniques, they can also negatively impact the performance of ICS environments. Therefore, mitigations need to be designed and verified to work within the unique requirements of these environments, including long device lifecycles, resource-constrained hardware, real-time performance expectations, and communication protocols.
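The detection side of the knowledge base can be illustrated with a small passive monitor. The following is an added example, not code from MITRE or the authors: it runs simple detection logic for two of the ICS-specific techniques named above (program upload and brute force I/O) over a constructed command log of the kind a protocol-aware network sensor might emit. The host addresses and roles, the operation labels, the burst threshold and the log lines are all assumptions; only the Modbus function codes are real.

```python
"""Added example (not MITRE's or the authors' code): detection logic for
Program Upload and Brute Force I/O over a constructed command log.
Host roles, thresholds, operation labels and the log lines are assumptions."""
from collections import defaultdict, deque

# Assumed asset inventory (hypothetical addresses).
ENGINEERING_WORKSTATIONS = {"10.0.1.10"}   # allowed to read/write controller logic
HMI_HOSTS = {"10.0.1.20"}                  # allowed to write process values
WRITERS_ALLOWED = ENGINEERING_WORKSTATIONS | HMI_HOSTS

# Modbus function codes that write coils or registers (real function codes).
MODBUS_WRITE_FCS = {5, 6, 15, 16}
# Operation labels a sensor might assign to engineering-protocol reads of
# controller logic (assumed labels; vendor protocols differ).
PROGRAM_READ_OPS = {"program_upload", "read_block"}

WINDOW_SECONDS = 10.0       # assumed sliding window
WRITE_BURST_THRESHOLD = 20  # writes per (src, dst) inside one window; assumed


def parse_line(line):
    """Constructed log format: '<epoch> <src> <dst> <proto> <op> [<function_code>]'."""
    parts = line.split()
    if len(parts) not in (5, 6):
        raise ValueError("malformed line: %r" % line)
    fc = int(parts[5]) if len(parts) == 6 else None
    return {"ts": float(parts[0]), "src": parts[1], "dst": parts[2],
            "proto": parts[3], "op": parts[4], "fc": fc}


def is_write(ev):
    return ev["proto"] == "modbus" and ev["fc"] in MODBUS_WRITE_FCS


def detect(lines):
    """Return a sorted list of (technique, src, dst) alerts, one per host pair."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    alerts = set()
    recent_writes = defaultdict(deque)  # (src, dst) -> write timestamps in window
    for ev in events:
        key = (ev["src"], ev["dst"])
        # Program Upload: controller logic read by a non-engineering host.
        if ev["op"] in PROGRAM_READ_OPS and ev["src"] not in ENGINEERING_WORKSTATIONS:
            alerts.add(("Program Upload", ev["src"], ev["dst"]))
        if is_write(ev):
            # Any write from outside the allowlist is suspicious on its own.
            if ev["src"] not in WRITERS_ALLOWED:
                alerts.add(("Write from unexpected host", ev["src"], ev["dst"]))
            # Brute Force I/O: a burst of writes to one controller in a short window.
            q = recent_writes[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= WRITE_BURST_THRESHOLD:
                alerts.add(("Brute Force I/O", ev["src"], ev["dst"]))
    return sorted(alerts)


def sample_log():
    """Constructed traffic: benign HMI writes, a benign engineering upload,
    then an unknown host uploading logic and hammering coils on a PLC."""
    lines = [
        "1000.0 10.0.1.20 10.0.2.5 modbus write_single_coil 5",
        "1001.0 10.0.1.20 10.0.2.5 modbus write_single_register 6",
        "1002.0 10.0.1.10 10.0.2.6 s7comm program_upload",
        "1003.0 10.0.1.99 10.0.2.6 s7comm program_upload",
    ]
    # 25 coil writes from the unknown host inside five seconds.
    lines += ["%.1f 10.0.1.99 10.0.2.5 modbus write_single_coil 5" % (1005.0 + i * 0.2)
              for i in range(25)]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Both detections run on a copy of the network traffic rather than on the controller, which is why this kind of data source fits the constraints just described: it adds no load to a resource-constrained PLC and needs no change to a device with a multi-decade lifecycle. The price is that an allowlist of which hosts may write or read logic must be maintained as the plant changes, and a threshold-based rule will miss a slow, patient sequence of writes.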

Mitigations can also include mechanical protections and safety instrumented systems that both minimize dependencies on vulnerable cyber infrastructure and ensure redundancies in core devices and systems. For example, Triton was the first malware developed to intentionally compromise critical safety controllers used to protect hazardous processes. Organizations must assume similar compromises are feasible and ensure that the industrial plant remains safe if they occur.

ICS organizations can use ATT&CK for ICS to improve their cyber preparedness. By identifying adversary techniques most relevant to the operational technologies and processes in their environment, organizations can develop feasible attack scenarios and use them to structure their security programs. They can then use the associated mitigations and data sources from the relevant adversary techniques to prioritize future investments in new defensive technologies. Further, by better understanding relevant adversary techniques, organizations can improve their preparedness by developing both incident response plans tailored to these threats and tabletop exercises to assess their maturity.
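The prioritization step above can be made concrete. The following is an added example, not code from MITRE or the authors: it scores techniques by how often they have been observed and how exposed the organization's own technology is to them, then picks mitigations greedily by the relevance they cover (a weighted set-cover heuristic). The technique and mitigation names are ATT&CK for ICS names, but the incident counts, exposure scores and the links between mitigations and techniques are constructed for illustration and are not the knowledge base's actual mappings.

```python
"""Added example (not MITRE's or the authors' code): turning a list of relevant
adversary techniques into a prioritised list of mitigations. Incident counts,
exposure scores and mitigation-to-technique links are constructed illustrations."""

# Constructed: technique -> (incidents in which it was observed, exposure 0..3).
# Exposure is the organisation's own judgement of how present the affected
# technology is in its plant (0 = not deployed). Relevance = incidents * exposure.
TECHNIQUES = {
    "Valid Accounts":               (3, 3),
    "Network Sniffing":             (1, 2),
    "Program Upload":               (2, 3),
    "Brute Force I/O":              (1, 3),
    "Modify Program":               (2, 2),
    "Unauthorized Command Message": (2, 3),
}

# Constructed: mitigation -> techniques it reduces (links are assumptions).
MITIGATIONS = {
    "Network Segmentation":         {"Network Sniffing", "Program Upload",
                                     "Unauthorized Command Message"},
    "Multi-factor Authentication":  {"Valid Accounts"},
    "Communication Authenticity":   {"Unauthorized Command Message",
                                     "Brute Force I/O", "Modify Program"},
    "Code Signing":                 {"Modify Program"},
    "Mechanical Protection Layers": {"Brute Force I/O"},
}


def relevance(technique, techniques=TECHNIQUES):
    incidents, exposure = techniques[technique]
    return incidents * exposure


def prioritise(mitigations=MITIGATIONS, techniques=TECHNIQUES, budget=None):
    """Greedy weighted set cover: at each step take the mitigation that covers the
    most not-yet-covered relevance (ties broken by name so the order is stable).
    Returns [(mitigation, relevance newly covered)] in recommended order."""
    uncovered = {t for t in techniques if relevance(t, techniques) > 0}
    candidates = dict(mitigations)
    plan = []
    while uncovered and candidates and (budget is None or len(plan) < budget):
        name, covered = max(
            candidates.items(),
            key=lambda kv: (sum(relevance(t, techniques) for t in kv[1] & uncovered), kv[0]))
        gain = sum(relevance(t, techniques) for t in covered & uncovered)
        if gain == 0:
            break  # nothing left that any remaining mitigation addresses
        plan.append((name, gain))
        uncovered -= covered
        del candidates[name]
    return plan


def residual(plan, mitigations=MITIGATIONS, techniques=TECHNIQUES):
    """Techniques still unmitigated after the plan: candidates for detection
    investment (data sources) or for compensating mechanical and safety controls."""
    covered = set().union(*(mitigations[name] for name, _ in plan))
    return sorted(t for t in techniques
                  if t not in covered and relevance(t, techniques) > 0)


if __name__ == "__main__":
    plan = prioritise(budget=2)
    print("Fund first:", plan)
    print("Still unmitigated:", residual(plan))
```

The point of the residual list is the one made in the article: whatever a limited budget cannot mitigate becomes the input to detection planning (which data sources to collect) and to the tabletop and incident response scenarios an organization should rehearse. Greedy set cover is a heuristic, not optimal, so a plan produced this way is a starting point for engineering judgement rather than a substitute for it.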

ATT&CK for ICS also helps vendors better align the security features of their devices. Many devices are considered “insecure by design” as they fail to implement basic security protections against known adversary techniques (Peterson 2011), raising serious questions about what security protections are adequate. A recent review of ICS vulnerability advisories found that 64 percent of ICS patches don’t properly mitigate a risk because of a lack of device security protections (Dragos 2018). The same report also found that such advisories typically lack effective mitigation recommendations for environments where patches cannot be immediately deployed.

This problem has spurred the development of multiple standards (e.g., IEC 62443, IEEE 1686) to define the security capabilities needed for ICS devices. While there is a strong need for improved security capabilities in ICS devices, these can also increase long-term device management costs, especially when scaled to the potentially thousands of devices deployed in an ICS (Dolezilek et al. 2020). The challenges with ICS security mitigations won’t be easily overcome, though ATT&CK for ICS strives to help device vendors develop ICS products with greater security capabilities and produce more effective vulnerability advisories when problems are discovered.

Challenges of Limited Information

While ATT&CK for ICS improves knowledge of threats to and defenses for critical infrastructure, obtaining accurate information about recent events is a continual challenge. Accurately mapping adversarial tactics and techniques depends heavily on open-source threat intelligence from each observed incident. It is difficult to maintain up-to-date resources as this information is often unavailable or considered too confidential to share publicly.

One problem is that many organizations lack sufficient security monitoring capabilities to even detect these attacks. For example, in February 2021 an attacker gained access to a water treatment facility in Oldsmar, FL, and attempted to manipulate the level of sodium hydroxide used in the treatment process. But few forensic data are available, likely because of the organization’s limited ability to detect the activities.

Furthermore, private organizations may choose not to share incident details out of concern that the details would reflect negatively on them or invite additional industry regulation. The May 2021 Colonial Pipeline ransomware event provides an example, as very little public information was released from the incident although it was heavily investigated (Reeves 2021).

Unfortunately, the victims in these attacks are often heavily criticized in the media for their lax security practices or poor responses, which further incentivizes organizations to minimize the information they share. The problem of ICS threats and attacks is too serious, especially in matters of critical infrastructure, to play the blame game. Instead, organizations that take a leadership role in sharing information and helping others improve their security should be applauded.

Future Directions

The security of US critical infrastructure is directly tied to a better understanding among ICS operators, vendors, and policymakers of adversarial capabilities and motivations. Well-informed ICS organizations can better communicate these risks to executives and advocate for needed funding to support new technologies and programs. Such knowledge can help security engineers identify products that meet their security requirements and help vendors address deficiencies when products lack key protections.

In addition, organizations need better incentives to share incident details to support collaboration toward both improving understanding of threats and ensuring that defensive efforts are appropriately aligned.

References
Cherepanov A. 2017. Win32/Industroyer: A new threat for industrial control systems. Bratislava: ESET.

Coats DR. 2019. Worldwide Threat Assessment of the US Intelligence Community. Washington: Office of the Director of National Intelligence.

Dolezilek D, Gammel D, Fernandes W. 2020. Cybersecurity based on IEC 62351 and IEC 62443 for IEC 61850 systems. 15th Internatl Conf on Developments in Power System Protection, Mar 9–12, Liverpool.

Dragos, Inc. 2018. Industrial control vulnerabilities: 2017 in review. Hanover MD.

E-ISAC (Electricity Information Sharing and Analysis Center). 2016. Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Joint report with SANS Industrial Control Systems. Washington.

Falliere N, Murchu LO, Chien E. 2010. W32.Stuxnet Dossier, version 1.3. Cupertino CA: Symantec Corporation.

Johnson B, Caban D, Krotofil M, Scali D, Brubaker N, Glyer C. 2017. Attackers deploy new ICS attack framework “TRITON” and cause operational disruption to critical infrastructure. FireEye Threat Research blog, Dec 14. Online at attackers-deploy-new-ics-attack-framework-triton.html.

Peterson D. 2011. PLCs: Insecure by design v. vulnerabilities. Digital Bond blog. Online at insecure-by-design-v-vulnerabilities.

Reeves J. 2021. Cyberattack forces a shutdown of a top US pipeline. New York Times, May 13.

About the Authors: Adam Hahn and Otis Alexander are principal cyber security engineers, and Marie Collins is manager of the Mobile and Cyber-Physical Systems Technology department, all at the MITRE Corporation.