Earlier this year, MITRE–a not-for-profit organization that works in the public interest across federal, state, and local governments, as well as with industry and academia–officially released the long-awaited industrial control systems (ICS) version of its popular ATT&CK knowledge base. ICS ATT&CK is the group's response to the unique attack surface that industrial networks are trying to defend. Over the years there have been multiple public examples of attacks targeted specifically toward industrial environments. Stuxnet, Industroyer, and BlackEnergy are some of the more widely known pieces of malware found to be targeting these systems.
Many of the attacks that have been made public in the past relied on some type of bridge between information technology (IT) and operational technology (OT) systems. For example, Stuxnet executed on Windows operating systems before targeting industrial systems. Because of this, it is important to realize that ICS ATT&CK should be viewed as complementary information to Enterprise ATT&CK. The larger Enterprise ATT&CK knowledge base remains valuable as another layer of defense against the entire ecosystem protecting industrial systems.
Within ICS ATT&CK, the matrix is broken out into multiple tactics, such as Execution and Impair Process Control, with various techniques listed. Some of these tactic and technique names are shared with the Enterprise world. For example, Execution can be found in both Enterprise ATT&CK and ICS ATT&CK. However, other tactics, such as Impair Process Control, are unique to the ICS world.
There are also techniques that can be found across both versions of ATT&CK, for example, Valid Accounts. Even though the names are shared, and the overall theme of the technique is the same, there are specific examples or mitigations unique to industrial systems.
Some of the new elements within the techniques are Assets and Levels. Assets are the hardware and software that are unique to industrial systems. Instead of Platforms, such as Windows, ICS includes Engineering Workstations, Data Historians, and Human-Machine Interfaces.
Levels are mapped to the Purdue Enterprise Reference Architecture. Level 3 and above are specific to what is expected in typical IT environments. These are the levels that are heavily covered in Enterprise ATT&CK. Level 2 and below are specific to industrial systems and range from engineering workstations down to low-level relays controlling physical equipment. Similar to the Platforms information, Assets and Levels can help scope ICS ATT&CK to systems that users are attempting to analyze.
What made Enterprise ATT&CK so popular years ago, and what makes ICS ATT&CK so great today, is accessibility. All of the information the knowledge bases contain was already largely available online, but it was spread across vendor blogs or in recorded presentations from security conferences. Having all of this information collated into a single website reduces the cost of entry for anyone trying to break into ICS security.
As attacks focused on industrial systems increase, understanding the scope of the problem is the first step. ICS ATT&CK is that first step into creating a more secure industrial world. As a first release, it is still in its infancy. MITRE does an excellent job at curating the ATT&CK knowledge bases across Pre, Mobile, and Enterprise, but it needs help. Tripwire has contributed to these tools in the past. In fact, these knowledge bases aren't possible without the contributions from those within the industry.
All ICS users and administrators play a role in defending industrial environments. If something is observed to be missing or incorrect in the knowledge base, anyone should feel empowered to contact MITRE and let its team know. The shared experiences are a net gain for everyone trying to defend against some of the more well-funded adversaries on the internet.
–Travis Smith is a principal security researcher at Tripwire. He has more than 10 years of experience in security, holds a Master of Business Administration degree with a concentration in information security, and multiple certifications including CISSP, GIAC, and GPEN. He specializes in integrating various technologies and processes, with a passion for forensics and security analytics, and a goal of helping customers identify and mitigate real threats.