Published in


Announcing the ATT&CK Evaluations for ICS Fall 2020 Cohort

(Updated November 19, 2020)

In May, MITRE Engenuity announced an expansion of its ATT&CK Evaluations program to include an evaluation centered around anomaly and threat detection capabilities for industrial control systems (ICS). Today, we’re very excited to announce that our initial participants will include:

  • Armis
  • Claroty
  • CyberX, a Microsoft company
  • Dragos
  • The Institute for Information Industry
  • Kaspersky

MITRE Engenuity, along with our forward-leaning, enterprising evaluation partners, will help bring clarity for both users and vendors around capabilities of various ICS security solutions. The publicly available results from ATT&CK Evaluations for ICS will improve the practice of ICS threat detection by empowering users to analyze how these products respond to real-world attacks. This, in turn, will lead to more threat-informed decisions about ICS security investments and allow them to better harness current capabilities. These results will also provide unbiased, measurable feedback to vendors, allowing them to better understand their capabilities and advance solutions to bolster security and make the world a safer place.

ATT&CK Evaluations for ICS will provide each vendor with an assessment of their product’s efficacy to detect specific adversarial tactics and techniques, as captured in the ATT&CK for ICS knowledge base. The initial evaluations will extract and emulate the behaviors of TRITON, a destructive malware framework designed to manipulate industrial safety systems, most notably used in an attack against a petrochemical and refinery complex in Saudi Arabia in 2017.

We continue to welcome vendors who wish to participate in the TRITON round of ATT&CK Evaluations for ICS. Due to the impact the ongoing COVID-19 epidemic, we are extending the call for participation until October 30th, 2020. These signups will be listed on the ATT&CK Evaluations website alongside current participants. Please reach out to to sign up or with any questions.

Update November 19, 2020: The call for participation is now closed. Claroty joined the cohort for the initial round of ATT&CK Evaluations based on the TRITON malware.

© 2020 MITRE Engenuity. Approved for public release. Document number AT0004