About MITRE Att&ck for Industrial Control Systems (ICS)

Read More About MITRE

MITRE Att&ck, which stands for Adversarial Tactics, Techniques and Common Knowledge, is a knowledge base of adversary tactics and techniques that help inform the cybersecurity industry. MITRE recently released an Att&ck knowledge base specifically designed for industrial control systems (ICS). ICS are found in industries such as electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and various manufacturing sectors. These systems enable the regular automation of key processes that everyone relies on, and any compromise on their operation could impact the health and safety of humans.

According to the MITRE Att&ck document, adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:

• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
• Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have broad negative effects.
• ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.
• Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
• Interference with the operation of safety systems, which could endanger human life.


Next in this blog series, we will go through Supply Chain Compromise. The aim is to help you understand the MITRE Att&ck walk-through, and their mitigation techniques, as well as offer our own insight.

Supply Chain Compromise (T862):

How It’s Done:

Supply Chain Compromise is utilized by adversaries to gain access to control systems via infected products, software, and workflows. The idea is to infect products or mechanisms before they reach the end consumer in order to compromise the data or system. This compromise can occur at any stage in the supply chain. Adversaries may choose to execute altering software on third party or vendor websites. If you possess assets in IT and OT, a supply chain compromise targeting IT could pose a risk to OT.

Recommended Mitigation Techniques:

Since MITRE does not list any mitigation techniques for this topic, we’d like to offer our solutions.

  • Never let untrusted devices find systems: Routing traffic through Dispel Virtual Desktops ensures that all access to the target network is done with fresh computers that cannot directly access ICS networks.
  • Reduce risk of malware: Dispel Virtual Desktops can be employed to ensure that all unauthorized media is blocked.
  • Monitor Console Actions: Deploying Dispel virtual desktops ensures that all actions are screen recorded, securely stored, and can be played back by an administrator at any time.
  • Provide third parties access without letting them find your network: Dispel ensures that vendors and third parties can’t locate your network. Dispel doesn’t rely on static VPNs that are easy targets. Instead, we launch a single-tenant network of virtual machines that spans to one or more existing cloud providers. Given that these networks are deployed and destroyed around the clock, an adversary would not only have to determine your entry and exit points into the network but be able to hack into it before it relocates. You can still give the right people access, and while they have access ensure they aren’t infecting your systems
  • Segment your networks: Because Dispel’s networks are built upon cloud providers, pathways can be segmented and reconfigured as often as you would like.
  • Don’t let vendors cross your corporate network: With Dispel, there’s no crossing over the corporate network since paths are built temporarily, making this an ideal concept for vendors and third parties.
  • Use strong encryption: Our networks are encrypted with two layers of AES-256 with independent 4096-bit keys used at the initial key exchange.
  • Multi-Factor authentication: Dispel comes with multi-factor authentication and supports temporary one-time passwords (e.g. Google Auth, Authy) and hardware tokens (e.g. Yubikey).
  • Monitor access privileges: Ensure users only have need-based access with Dispel’s four levels of users (Owner, Admin, User, and VDI-User), which can be altered by an administrator at any point.
  • Keep tabs on the network: Monitor the network and enforce access control practices; e.g. whitelisting