MITRE ATT&CK for ICS is a knowledge base that systematically documents adversary behaviors observed during cyberattacks against industrial control systems. It maps real-world threat actor actions to a matrix of tactics—such as Inhibit Response Function or Impair Process Control—and specific techniques, providing a common taxonomy for describing intrusions in operational technology environments.
Glossary
MITRE ATT&CK for ICS

What is MITRE ATT&CK for ICS?
A globally accessible knowledge base cataloging the specific tactics, techniques, and procedures (TTPs) used by threat actors targeting industrial control systems.
Unlike generic IT frameworks, this domain-specific matrix accounts for the unique safety and reliability requirements of critical infrastructure. It enables OT security architects to perform threat-informed defense, prioritizing detection engineering and red-team exercises against the exact techniques known to target SCADA and DCS assets.
Core Components of the Framework
The MITRE ATT&CK for ICS framework decomposes adversary behavior into a structured matrix of tactics and techniques, enabling security architects to map threats, assess defenses, and emulate realistic attack scenarios against industrial control environments.
Tactics: The Adversary's Objectives
Tactics represent the high-level technical goals an adversary seeks to achieve during an operation. In the ICS matrix, these are ordered chronologically from initial access to final impact.
- Initial Access: Gaining a foothold in the ICS network via spearphishing, exposed remote services, or compromised engineering workstations.
- Execution: Running malicious code on a controller or HMI, often through native scripting interpreters.
- Persistence: Maintaining long-term access despite reboots or credential changes by modifying firmware or implanting logic bombs.
- Evasion: Avoiding detection by masquerading as legitimate traffic or removing process indicators.
- Inhibit Response Function: Actively disabling safety instrumented systems or alarm management before causing physical damage.
- Impair Process Control: Manipulating setpoints, opening breakers, or issuing unauthorized stop commands to disrupt operations.
- Impact: The final consequence—destroying equipment, violating safety limits, or causing extended downtime.
Techniques & Sub-Techniques
Techniques describe the specific methods an adversary uses to achieve a tactical objective. Each technique is assigned a unique ID (e.g., T0885) and includes detailed procedural descriptions, mitigation guidance, and detection strategies.
- T0885 - Commonly Used Port: Adversaries communicate over standard ports (e.g., 502 for Modbus, 44818 for EtherNet/IP) to blend in with normal traffic.
- T0878 - Alarm Suppression: Disabling or silencing alarms on the HMI to prevent operators from noticing abnormal process conditions.
- T0831 - Manipulation of Control: Sending unauthorized commands to change controller setpoints, valve positions, or breaker states.
- T0817 - Drive-by Compromise: Infecting an engineering workstation when a user visits a compromised website, establishing a bridge into the air-gapped OT network.
Sub-techniques provide even finer granularity, such as distinguishing between manipulating a single device versus an entire control loop.
Mitigations & Detection Guidance
Every technique in the ATT&CK for ICS matrix is paired with actionable countermeasures, making it a prescriptive defense tool rather than just a threat catalog.
- M0937 - Network Segmentation: Physically or logically separating IT and OT networks using an Industrial Demilitarized Zone (IDMZ) to prevent lateral movement.
- M0930 - Application Allowlisting: Restricting execution on HMIs and engineering workstations to only authorized, digitally signed binaries.
- M0942 - Encrypt Network Traffic: Deploying VPNs or TLS-wrapped protocols to prevent credential sniffing and command injection.
- Detection Analytics: The framework maps techniques to specific data sources—such as Deep Packet Inspection (DPI) logs, historian data, and asset inventory—that security teams should monitor for anomalous behavior.
Threat Groups & Software Mappings
ATT&CK for ICS catalogs known adversary groups and the malware tools they deploy, linking each to the specific techniques they have been observed using in the wild.
- APT Groups: Entities like Sandworm (ELECTRUM) and XENOTIME are profiled with their associated campaigns, such as the 2015/2016 Ukraine grid attacks and the TRISIS/TRITON safety system intrusion.
- Software Inventory: Malware families including BlackEnergy 3, INDUSTROYER, and TRITON are documented with their full technique mappings, enabling defenders to understand exactly how each tool operates.
- Campaign Correlation: Analysts can pivot from a detected technique to identify which known groups use it, accelerating attribution and informing threat intelligence briefings.
This structured threat intelligence allows OT security teams to prioritize defenses against the TTPs most relevant to their sector.
Integration with NIST & IEC 62443
MITRE ATT&CK for ICS is designed to complement, not replace, established industrial security standards. It provides the threat-informed bridge between compliance frameworks and operational defense.
- NIST CSF Mapping: Techniques are cross-referenced to the NIST Cybersecurity Framework's Identify, Protect, Detect, Respond, and Recover functions, helping organizations align threat intelligence with governance requirements.
- IEC 62443 Alignment: The framework supports the zone-and-conduit model by identifying which techniques threaten specific levels of the Purdue Model, from Level 0 (physical process) to Level 3/4 (site operations and enterprise).
- Risk Assessment Input: By mapping TTPs to specific system components, ATT&CK provides concrete threat scenarios that enrich traditional HAZOP and LOPA safety analyses.
This interoperability ensures that threat-informed defense enhances, rather than conflicts with, regulatory compliance efforts.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about applying the MITRE ATT&CK framework to industrial control system security.
MITRE ATT&CK for ICS is a specialized knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world attacks against industrial control systems, distinct from the Enterprise matrix in its focus on the cyber-physical kill chain. While the Enterprise matrix centers on IT network compromise and data exfiltration, the ICS matrix introduces the unique 'Impair Process Control' and 'Loss of Control' tactics that directly map to physical consequences like equipment damage or service disruption.
The framework is organized around a 12-tactic structure spanning the ICS attack lifecycle:
- Initial Access: Targeting engineering workstations via spearphishing or removable media
- Execution: Running malicious code on HMIs or PLCs
- Persistence: Modifying controller logic to survive reboots
- Evasion: Spoofing sensor telemetry to hide physical effects
- Discovery: Enumerating I/O tags and control loops
- Lateral Movement: Pivoting from IT to OT via Level 3/4 DMZ
- Collection: Harvesting operational data from historians
- Command and Control: Using native protocols like Modbus for C2
- Inhibit Response Function: Disabling safety instrumented systems
- Impair Process Control: Manipulating setpoints to cause physical damage
- Impact: Destroying equipment or causing loss of life
Each technique includes real-world examples, such as the CRASHOVERRIDE malware's use of IEC 61850 protocol abuse, making it a practical threat modeling tool for OT security architects.
ATT&CK for ICS vs. Other OT Security Frameworks
Comparative analysis of MITRE ATT&CK for ICS against other prominent operational technology security frameworks and standards.
| Capability | MITRE ATT&CK for ICS | IEC 62443 | NIST SP 800-82 |
|---|---|---|---|
Primary Focus | Adversary TTP knowledge base and behavioral mapping | System-level security requirements and lifecycle processes | General OT security guidance and risk management |
Threat Actor Attribution | |||
Specific ICS Protocol Coverage | DNP3, Modbus, IEC 61850, OPC UA | Abstract protocol requirements | Abstract protocol requirements |
Tactic-Level Categorization | 12 distinct ICS-specific tactics | ||
Technique-Level Granularity | 92+ specific techniques with sub-techniques | ||
Process-Aware Detection Mapping | |||
Mandatory Compliance Standard | |||
Adversary Emulation Planning |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Master the core concepts that underpin the MITRE ATT&CK for ICS framework, from the foundational protocols being attacked to the advanced detection techniques used to hunt threats.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us