We have seen a lot of interest in ATT&CK for Industrial Control Systems (ICS) over the last couple of years. The sheer amount of curiosity surrounding how the ATT&CK structure and methodology apply to the ICS technology domain has been amazing to see. With this curiosity comes many questions, however.
So — let’s take this opportunity to address one of the more pressing questions, “When will the ATT&CK for ICS knowledge base be made publicly available?”. We’re happy to announce that it is available now!
As you start perusing this knowledge base and analyze the core behaviors of adversaries that interact with ICS environments, you’ll undoubtedly have questions centered around the purpose, focus, structure and future direction of ATT&CK for ICS. We believe we can answer some of the more common questions surrounding these topics in this post leveraging our experience from the ATT&CK for ICS review process and lessons learned from ATT&CK.
Finally, please keep in mind, ATT&CK for ICS is a work in progress. It relies heavily on collectible and observable data about adversary behavior. The intent of releasing this knowledge base is to drive the community of ICS practitioners to validate and more importantly contribute data to help to rapidly mature this knowledge base. Please visit our contribute page to learn how you can best contribute to this effort.
Why ATT&CK for ICS?
Simply put, ATT&CK for ICS was created out of a need to better understand, concentrate, and disseminate knowledge about adversary behavior in the ICS technology domain.
A very practical means of addressing the question, “Why ATT&CK for ICS?”, would be to analyze a couple of ICS incidents from start to finish using the Enterprise knowledge base looking for gaps. A good starting point would be to look at Industroyer or Triton incident reports. In both incidents, IT infrastructure was leveraged as a conduit to gain access to the adversaries’ ultimate target — control systems. For instance, Industroyer utilizes Remote System Discovery (T1018) and Network Service Scanning (T1046) to map the network and find computers relevant to the attack.
It’s straightforward enough to categorize the initial stages of these attacks using tactics and techniques from the Enterprise knowledge base. Adversary behavior in the later stages of these attacks, however, is not specifically addressed by ATT&CK for Enterprise. The adversary’s targets, technical goals, and techniques significantly differ between the Enterprise and ICS domains. For example, Industroyer has the capability to issue Unauthorized Command Messages to change the state of electrical substation switches and circuit breakers directly. This activity is out of scope for ATT&CK for Enterprise but is now represented as T855 in ATT&CK for ICS.
In order to create ATT&CK for ICS, the team went through public incident reports, research papers, conference presentations, blogs, and more to identify and to verify the existence of techniques in the wild. We also worked closely with our contributors and reviewers to validate and improve our content. Our goal is to provide a resource that fills a gap and addresses the unique concerns of the ICS technology domain.
What is ICS?
This question can be answered a couple of ways, although it all depends on your experience in this area. At the heart of things, we’re referring to Industrial Control Systems; ICS for short, which are the systems that are often used to monitor and control industrial processes. We’re aware that not everyone is a fan of the term ICS, but we’ve found that when we use this simple acronym, most people who are even vaguely familiar with this domain know what we’re talking about.
In general, these are the systems that enable efficient (and most of the time, safe) automation of the physical processes that we all rely on. For instance, electric power delivery from generation to load, water and wastewater management, manufacturing, and other similar cyber-physical processes. A little research into the types of automation that drive these critical systems can be very helpful for understanding ICS.
Why stop here, though? Let’s dive a bit deeper to answer this question. From the standpoint of ATT&CK for ICS, we presently focus on the following as the key systems that adversaries act upon in this technology domain:
Basic Process Control Systems
o Process Control
o Operator Interface & Monitoring
o Real-Time & Historical Data
Safety Instrumented Systems and Protection Systems
Engineering and Maintenance Systems
You might notice that each technique in ATT&CK for ICS has an asset field associated with it. These broad asset classes represent the functional components of the systems listed above and constitute a higher level of abstraction than the platform tags used in ATT&CK. While it’s not always clear which operating system platform is associated with an asset, the function of the asset usually remains consistent. Thus, we endeavor to highlight how techniques are used by adversaries to affect the functional components or assets in the systems listed above.
For instance, Human Machine Interface (HMI) applications can run on top of many platforms, Windows, Linux, Android, etc. Regardless of the underlying platform, however, HMI’s are expected to provide operators an interface to monitor and, in many cases, control the industrial process. HMI’s constitute one asset class in this knowledge base. Scoping in on this asset class allows readers to understand which techniques may be leveraged against assets which function as an HMI.
What’s different about ATT&CK for ICS?
Let’s make this clear right now: Enterprise IT is not the focus of the ATT&CK for ICS knowledge base. ATT&CK for Enterprise has already spent years of work covering adversary behavior associated with the Windows and Linux platforms (Are Macs a thing in ICS environments?). ATT&CK for ICS seeks to leverage this work by utilizing ATT&CK for Enterprise to categorize adversary behavior as they traverse the “IT conduit” to their ultimate target.
However, IT platforms form a significant foundation for ICS so we can’t completely ignore them. ATT&CK for ICS attempts to only include ATT&CK for Enterprise techniques used against systems that are leveraged in the final stages leading up to an adversary induced impact, targeted or un-targeted, against an industrial process. For instance, the Enterprise technique Hooking (T1179) has been leveraged to modify DLLs associated with engineering applications used to interface directly with PLCs. The use of this technique in the ICS domain brings about new considerations and unique concerns due to unique ICS-specific functions engineering applications enable. Therefore, Hooking (T874) was also added to the ICS knowledge base to help highlight the use of this technique in a different context.
It’s very clear that there’s a fair bit of overlap between the Enterprise and ICS technology domains. Nonetheless, ATT&CK for ICS has a primary focus on the actions that adversaries take against the non-IT based systems and functions of ICS. It seeks to capture and define distinctions in ICS environments, from tactics and techniques to domain specific assets and technology. It is this focus that defines ATT&CK for ICS as a unique and vital knowledge base in the ATT&CK ecosystem.
How can I use it?
One of the interesting aspects about applying the ATT&CK structure and methodology to a new technology domain is that many of the existing use cases are transferable. Some of the use cases we’ve considered as we’ve created ATT&CK for ICS include:
• Adversary Emulation
• Behavioral Analytics
• Cyber Threat Intelligence Enrichment
• Defensive Gap Assessment
• Red Teaming
• SOC Maturity Assessment
• Failure Scenario Development
• Cross-Domain Adversary Tracking
• Educational Resource
Let’s highlight one of the more unique use cases. The Failure Scenario Development use case involves identifying failures that are known to affect a system. The next step involves understanding whether the failure is cyber inducible. Since physical attacks are not within the scope of ATT&CK for ICS, there is a requirement that these failures have a cause that is traceable back to cyber. Once cyber inducible failures are identified, a sequence of ATT&CK techniques that could potentially lead up to this failure can be identified. These actions represent some of the initial work an adversary or red team would go through when targeting a control system. This can provide defenders with valuable information to better understand where to invest in defenses to disrupt an adversary’s path to inducing critical failures.
A good exercise to run through, especially during a tabletop exercise with the right mix of people (IT, OT, and Security folks), would be to start at the impact column and think about how the execution of each technique could affect your site(s). Try to think about which techniques would potentially get misidentified as human error or a fault.
For instance, in a geographically dispersed control system, mull over what the typical organizational response to a Denial of View (T815) condition is. To be thorough, take the time to ask an operator how they typically respond to this scenario. Is this something that would warrant rolling trucks out to a site or do these things happen often and typically resolve themselves? If it happens often, use the knowledge base to better understand how adversaries have traditionally caused and utilized this impact technique, and their purpose in doing so. In this particular case, adversary activity can look like a benign communication error. Read through the technique description and look over the associated examples to understand how you could potentially differentiate this event as malicious given the example indicators. Start to look at the adversary techniques that preceded the impact. This is a great method to understand how adversary induced impacts can easily be miscategorized as human error or a fault.
ATT&CK for ICS can also act as a critical resource in conjunction with other ATT&CK knowledge bases to enable the Cross-Domain Adversary Tracking use case. Adversaries rely on and exploit many platforms to negatively impact control systems. To gain the best understanding of adversaries who target control systems, we suggest tracking their behavior as it applies to the technology domain(s) that they target and/or utilize. If adversary actions associated with one technology domain are solely considered, key parts of the big picture will invariably be missed. Therefore, adversary behavior associated with multiple technology domains may need to be taken into account. The most obvious ATT&CK knowledge bases to inform Cross-Domain Adversary Tracking in ICS environments are the Enterprise and ICS knowledge bases. Utilizing these two knowledge bases together can allow you to track the behavior of adversaries as they move through the “IT conduit” to impact control systems. It can also highlight key system interfaces that are commonly abused.
Use cases such as Behavioral Analytics, Defensive Gap Assessment, and SOC Maturity Assessment are closely coupled with the ability to detect techniques. The initial release of ATT&CK for ICS does not include a Detection section within each technique and has instead focused on mitigations. We feel that there is a lot that can be done to more effectively build security into these environments. One way that this can be accomplished is through the implementation of preventative controls that do not conflict with the safety and availability of these critical systems. The addition of detections is in the future for ATT&CK for ICS, and we will solicit community input regarding detections over time. The level of detail that will be provided in the Detection sections in ATT&CK for ICS will be on par with the level of detail seen in ATT&CK for Enterprise — high level without getting into the implementation details of detection analytics.
What’s the ATT&CK for ICS roadmap?
ATT&CK for ICS should not be viewed as a static product from MITRE. Rather, as with the other ATT&CK knowledge bases, it is meant to grow based on community feedback and in response to observed adversary (including red team and researcher) activity. We’ve chosen to launch ATT&CK for ICS in a wiki separate from the general ATT&CK site to allow for a development cycle more tailored to the release of a new and very different domain. If you’ve been longing for that retro ATT&CK look and feel, then please do enjoy! As ATT&CK for ICS matures based on community feedback, we will be working to integrate it into the ATT&CK site and tools that the ATT&CK community has come to expect.
To help the community better understand the major ideas behind ATT&CK for ICS, its composition and future growth, we will be releasing a philosophy and design paper in the weeks to come. In addition, we will also provide an annotated presentation to give the community an introduction to ATT&CK for ICS.
More than 100 participants from 39 organizations reviewed, provided comments, and/or contributed to ATT&CK for ICS prior to the site’s launch. These organizations consisted of a wide range of private and public entities including cyber intelligence and security companies that focus on ICS, industrial product manufacturers, national labs, research institutes, universities, information sharing and analysis centers, and government agencies supporting public and private critical infrastructure.
This is a community effort and we’d like to thank each and every individual that took the time and effort to complete the paperwork, register, browse the site, provide comments, submit references, attend workshops, and promote this effort in public forums.
We look forward to more valuable contributions from the community!
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19–01075–19.