On January 6, MITRE released a new MITRE ATT&CK matrix. This tool is intended to help security practitioners understand the threats facing industrial control systems, or ICS.

For those of you who aren’t familiar with MITRE ATT&CK matrices, let me explain: The MITRE Corporation is a not-for-profit organization that works in the public interest across federal, state and local governments, as well as industry and academia. In 2015, MITRE released the first ATT&CK matrix. Each ATT&CK matrix is a knowledgebase of adversary tactics and techniques based on observations of real-world cyber attacks. Effectively, each ATT&CK matrix allows enterprise security practitioners to:

• Identify the most active and/or effective threat actors targeting their industry
• Understand the techniques used by the threat actors
• Prioritize each technique based on probability and potential impact to their business
• Assess current defenses, identify gaps, and plan improved defenses

Since its introduction in 2015, MITRE ATT&CK matrices have garnered a high degree of interest. They have proven to be very useful models of modern attacker behavior. These frameworks have allowed security practitioners to intelligently assess their security defenses and prioritize certain areas for additional data collection, analysis, and detection.

Yeah, but what’s new here?

A lot is new! The new ATT&CK matrix is focused on industrial control systems, or ICS devices. This is in stark contrast to the previous ATT&CK matrices which were focused on attacks against computers and expanded to mobile — normal devices, running familiar operating systems such as Windows, Linux, macOS, iOS, and Android, and able to accommodate standard security agents.

For better or worse, agents have traditionally been employed to monitor what is going on inside a computer (i.e. changes to processes, files, registries, etc.). But this simply doesn’t work for industrial control systems. Agents can’t be installed onto industrial control devices due to restrictions in compute, stability or proprietary operating systems. None of the traditional EDR systems that have worked so well to detect the previously published ATT&CK techniques are going to work in an ICS environment.

In order to detect cyberattack techniques on ICS devices, you need to do it “from the outside” by monitoring network traffic going into and coming out of ICS devices.

This is exactly what Armis was designed to do. Armis is an agentless device security platform that passively monitors network traffic to detect threats and compromises. Armis delivers comprehensive coverage of the cyber attack techniques listed in the new MITRE ATT&CK matrix.

Enterprise IoT is Also Important

Just as important, Armis can also detect attack techniques focused on enterprise IoT devices such as printers, video cameras, Smart TVs, VoIP phones etc. These devices are just as vulnerable as ICS devices, and they are present in vast numbers in all enterprise environments. Just like ICS devices, they can’t be monitored by agents. They are “un-agentable”. Many of the cyberattack techniques listed in MITRE ATT&CK for ICS also apply to these enterprise IoT devices and are defendable in the same manner.

If you want to secure the un-agentable devices in your industrial environment, it is important to also secure your un-agentable enterprise IoT devices. These devices frequently share the same airspace as ICS devices, but even if they do not, they are typically just one or two routers away from the networks that contain ICS devices.

To learn more about Armis’ support for the new MITRE ATT&CK for ICS matrix, and how important it is to secure both ICS and enterprise devices via a unified security architecture, see the following documents:

• Armis White Paper: “How Armis Supports MITRE ATT&CK for ICS” 
• Armis White Paper: “Securing IT and OT in Industrial and Manufacturing Environments”
• Gartner: “Market Guide to Operational Technology Security”