First ATT&CK Knowledge Base for Industrial Control Systems (ICS)

On January 7, MITRE released the ATT&CK for ICS knowledge base. It describes the tactics and techniques adversaries use when targeting industrial control systems (ICS), giving critical-infrastructure operators and other organizations that run industrial control systems a reference for assessing their network risk.

Why ICS?

First, what is an industrial control system? The term covers the control systems used in industrial production, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and smaller controllers such as Programmable Logic Controllers (PLC), all of which are widely deployed across industry and critical infrastructure. Because industrial control systems often underpin essential services for a city or a country, such as electricity, gas, and water supply, the consequences of a compromise can be extremely severe.

In 2015 and 2016, Ukraine suffered two power-grid outages, resulting in immeasurable losses.

In Australia, a sewage treatment system used radio-controlled equipment; a former employee of the installation contractor, using a portable computer and a radio transmitter, caused pump stations to fail. The resulting sewage overflow polluted waterways and killed a large number of marine life.

Industrial control systems are increasingly interconnected, and as cyber confrontation intensifies, critical infrastructure has become a primary target for attackers, making ICS security an ever more pressing problem. Although parts of the existing ATT&CK framework for enterprise systems apply to industrial control systems, it lacks completeness and ICS-specific detail. Compiling the ATT&CK for ICS knowledge base was therefore an urgent task.

ATT&CK for ICS

Over 100 participants from 39 organizations contributed to the research behind the ATT&CK for ICS knowledge base. They include cybersecurity and threat-intelligence companies focusing on ICS, industrial product manufacturers, national laboratories, research institutions, universities, information sharing and analysis centers, and government agencies that support public and private critical infrastructure.

Currently, the ATT&CK for ICS knowledge base covers four dimensions: the ATT&CK for ICS technique matrix, software used by ICS threat actors, threat groups, and assets. MITRE has so far listed 10 threat groups, 81 attack techniques, 17 malware families, and 7 assets.

ATT&CK for ICS distinguishes ICS intrusions from ordinary enterprise IT intrusions in two ways. First, the objective is specific: attackers seek to disrupt industrial control processes, damage property, or cause temporary or permanent injury or death by attacking industrial control systems. Second, because ICS operators must keep their systems in a safe operational state around the clock and are themselves the primary targets of attackers, the knowledge base emphasizes the characteristics of the specialized applications and protocols ICS operators commonly use, and how adversaries abuse those characteristics to interact with physical devices.

The ATT&CK for ICS technique matrix is the core of the knowledge base, providing an overview of the TTPs (Tactics, Techniques, and Procedures) of threat actors that have attacked ICS environments, as shown in the figure:

[Figure: ATT&CK for ICS technique matrix]

Establishing a dedicated standard and common language not only helps asset owners and maintainers understand how adversaries attack industrial control systems and so strengthen their defenses, but also gives security professionals a basis for incident reporting, writing incident response playbooks, prioritizing defenses, and identifying weaknesses.

ATT&CK for ICS portal:

https://collaborate.mitre.org/attackics/index.php/Main_Page

Author: kirazhou. Please credit FreeBuf.COM when citing this article.
