Critical Infrastructure Cybersecurity Framework

ICS ATT&CK Matrix

Industrial Control Systems / OT / SCADA

Adversary tactics and techniques targeting Industrial Control Systems (ICS), Operational Technology (OT), and SCADA environments in critical infrastructure.

Critical Infrastructure Alert: ICS attacks can cause physical damage, safety incidents, and disruption to essential services. Implement defense-in-depth strategies.

12 ICS Tactics
82 ICS Techniques
12 Asset Categories
6 Impact Categories

ICS/OT Attack Matrix

TA0108 Initial Access
  T0817 Drive-by Compromise
  T0819 Exploit Public-Facing Application
  T0866 Exploitation of Remote Services
  T0886 Remote Services
  T0847 Replication Through Removable Media
  T0865 Spearphishing Attachment
  T0862 Supply Chain Compromise
  T0860 Wireless Compromise

TA0104 Execution
  T0858 Change Operating Mode
  T0807 Command-Line Interface
  T0871 Execution through API
  T0823 Graphical User Interface
  T0874 Hooking
  T0821 Modify Controller Tasking
  T0834 Native API
  T0853 Scripting
  T0863 User Execution

TA0110 Persistence
  T0889 Modify Program
  T0839 Module Firmware
  T0873 Project File Infection
  T0857 System Firmware
  T0859 Valid Accounts

TA0111 Privilege Escalation
  T0890 Exploitation for Privilege Escalation
  T0874 Hooking

TA0109 Evasion
  T0858 Change Operating Mode
  T0820 Exploitation for Evasion
  T0872 Indicator Removal on Host
  T0849 Masquerading
  T0851 Rootkit
  T0856 Spoof Reporting Message

TA0100 Discovery
  T0840 Network Connection Enumeration
  T0842 Network Sniffing
  T0846 Remote System Discovery
  T0888 Remote System Information Discovery
  T0887 Wireless Sniffing

TA0102 Lateral Movement
  T0812 Default Credentials
  T0866 Exploitation of Remote Services
  T0867 Lateral Tool Transfer
  T0843 Program Download
  T0886 Remote Services
  T0859 Valid Accounts

TA0103 Collection
  T0802 Automated Collection
  T0811 Data from Information Repositories
  T0868 Detect Operating Mode
  T0877 I/O Image
  T0801 Monitor Process State
  T0861 Point & Tag Identification
  T0845 Program Upload
  T0852 Screen Capture

TA0101 Command and Control
  T0885 Commonly Used Port
  T0884 Connection Proxy
  T0869 Standard Application Layer Protocol

TA0105 Inhibit Response
  T0800 Activate Firmware Update Mode
  T0878 Alarm Suppression
  T0803 Block Command Message
  T0804 Block Reporting Message
  T0805 Block Serial COM
  T0892 Change Credential
  T0809 Data Destruction
  T0814 Denial of Service
  T0816 Device Restart/Shutdown
  T0835 Manipulate I/O Image
  T0838 Modify Alarm Settings
  T0851 Rootkit
  T0881 Service Stop

TA0106 Impair Process Control
  T0806 Brute Force I/O
  T0836 Modify Parameter
  T0839 Module Firmware
  T0856 Spoof Reporting Message
  T0855 Unauthorized Command Message

TA0107 Impact
  T0879 Damage to Property
  T0813 Denial of Control
  T0815 Denial of View
  T0826 Loss of Availability
  T0827 Loss of Control
  T0828 Loss of Productivity and Revenue
  T0837 Loss of Protection
  T0880 Loss of Safety
  T0829 Loss of View
  T0831 Manipulation of Control
  T0832 Manipulation of View
  T0882 Theft of Operational Information

ICS Asset Categories

Control Server: Servers hosting control system applications

Data Historian: Systems that collect and store process data

Engineering Workstation: Systems used to program and configure devices

Field Controller/RTU/PLC: Devices that directly control physical processes

Human-Machine Interface: Operator interfaces for monitoring and control

Input/Output Server: Systems that interface with field devices

Safety Instrumented System: Systems designed to prevent hazardous events

Remote Terminal Unit: Field devices for remote monitoring

Potential Impact Categories

Loss of Safety (critical): Compromise of safety systems designed to prevent hazardous conditions

Loss of Control (critical): Inability to control physical processes or equipment

Loss of View (high): Inability to monitor the state of physical processes

Loss of Availability (high): Disruption of systems required for operations

Damage to Property (critical): Physical damage to equipment or facilities

Loss of Productivity (medium): Reduction in operational output and revenue
