The document discusses updates to the ATT&CK for ICS framework. It summarizes two recent incidents, the Colonial Pipeline ransomware attack and the Oldsmar water treatment plant hack, and highlights techniques used in each. It previews upcoming additions to ATT&CK for ICS in April 2022 and beyond, including new mapped mitigation objects, integration with other frameworks, mapping of ICS attacks to the enterprise ATT&CK, and the addition of detections for techniques. Future plans outlined include revisions to asset definitions based on ICS verticals and a blog series on technique sequences.

1. ICS ATT&CK Updates
Otis Alexander
ATT&CK for ICS Lead
@ojalexander
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5

2. ©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5

3. Colonial Pipeline
• Operations impacted indirectly
• Business continuity issues
• Proactive management of risk
during incident response
• Loss of Availability (T0826)
• Loss of Productivity and
Revenue (T0828)
• Growing trend of ransomware
impacting ICS operations
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5

4. Oldsmar Incident
• Risks to water and
wastewater systems
• Unsecure remote access
connections
• Remote Services (T0886)
• Graphical User Interface
(T0823)
• Modify Parameter (T0836)
• Emphasis on importance
of safety and resilience
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5

5. Since the Last Time We Talked
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5
Technique Updates
New Mitigation Objects Mapped to Each Technique
NIST SP 800-53 and IEC 62443 to Mitigations
ATT&CK for ICS STIX Bundle
ATT&CK for ICS Integration into ATT&CK Navigator
ICS Attacks Mapped to Enterprise ATT&CK

6. What’s Coming in April
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5

7. On the Horizon
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5

8. Asset Revamp based on ICS Verticals
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5
What do you call cyber assets
in your vertical?

9. ATT&CK for ICS Detections!
• Highlighted strategies used
by major ICS vendors to
detect techniques
• Diverse set of data sources
from ICS applications and
operational databases
• Inclusion of detection
strategies for each technique
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5

10. Modify Controller Tasking (T0821)
Modify Program (T0889)
System Firmware (T0857)
Blog Series on Technique Sequences
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5
Drive-by Compromise (T0817)
Project File Infection (T0873)
Graphical User Interface (T0823)
Replication Through Removable Media (T0847)
Change Operating Mode (T0858)
Program Download (T0843)
Activate Firmware Update Mode (T0800)
Remote System Information Discovery (T0888)
Point and Tag Identification (T0861)
Program Upload (T0847)
OEM Website
Workstation
Controller
Host-based Technique
Network-based Technique
Controller
Supply Chain Compromise (T0862)

11. ©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-01255-5
https://attack.mitre.org
attack@mitre.org
@mitreattack
Otis Alexander
@ojalexander