MITRE ATT&CK for ICS – Practical Applications Series (Updated February 20, 2020)

Created: Thursday, February 20, 2020 - 10:56
Cyber Security, Resilience

Part Two: MITRE ATT&CK for ICS, Part 2 – Practical Applications for Change Program State

Continuing its Practical Applications series on MITRE ATT&CK for ICS, IoT cybersecurity firm Armis takes a look at the Change Program State technique from the Execution category of tactics. Read Part 2 at Armis.


Part One: MITRE ATT&CK for ICS, Part 1 - Practical Applications for Internet Accessible Device

IoT cybersecurity firm Armis has set out to publish a blog series on practical applications of the recently released MITRE ATT&CK™ for ICS. The series promises to include actionable advice on how ICS asset owners could bolster their defenses. The first post in the series discusses the Internet Accessible Device technique from the Initial Access category of tactics.

If you are able to access something from the internet, chances increase that an adversary can too. Open source tools like Shodan make it trivial for unsecured internet accessible devices to be discovered by anyone with an internet connection and an interest in exploiting industrial control systems (or any unsecured system). While many defenders have segmented and secured access to internet accessible devices, Armis points out that these defensive measures by themselves are error-prone and should be part of a layered security strategy, not the only strategy. The post references real-world examples and cites practical steps to overcome the risk posed by internet accessible devices, including strategies highlighted in WaterISAC’s 15 Cybersecurity Fundamentals. Armis discusses knowing your network (15 Cybersecurity Fundamentals, #1 – Perform Asset Inventories), and monitoring and controlling connections (15 Cybersecurity Fundamentals, #3 – Minimize Control System Exposure, and #4 – Enforce User Access Controls, among others). Above all, cybersecurity is not one and done; controls and processes need to be regularly revisited and reevaluated for effectiveness. Read Part 1 at Armis.

Please note: WaterISAC is not explicitly promoting Armis’ solutions, as used in its illustrations, but we do believe the no-nonsense practical approach to defense strategies in this series is a valuable resource and can be applied to other ICS defense products.