source name | source type | mapping type | target ID | target name | target type | mapping description | source ID
Oldsmar Tr | campaign | uses | T0823 | Graphical U | technique | During the | C0009
Oldsmar Tr | campaign | uses | T0831 | Manipulati | technique | During the | C0009
Oldsmar Tr | campaign | uses | T0836 | Modify Par | technique | During the | C0009
Oldsmar Tr | campaign | uses | T0886 | Remote Ser | technique | During the | C0009
ALLANITE | group | uses | T0817 | Drive-by C | technique | [ALLANITE]( | G1000
ALLANITE | group | uses | T0852 | Screen Cap | technique | [ALLANITE]( | G1000
ALLANITE | group | uses | T0865 | Spearphish | technique | [ALLANITE]( | G1000
ALLANITE | group | uses | T0859 | Valid Acco | technique | [ALLANITE]( | G1000
APT33 | group | uses | T0852 | Screen Cap | technique | [APT33](htt | G0064
APT33 | group | uses | T0853 | Scripting | technique | [APT33](htt | G0064
APT33 | group | uses | T0865 | Spearphish | technique | [APT33](htt | G0064
Dragonfly | group | uses | T0817 | Drive-by C | technique | [Dragonfly] | G0035
Dragonfly | group | uses | T0862 | Supply Cha | technique | [Dragonfly] | G0035
Lazarus Gr | group | uses | T0865 | Spearphish | technique | [Lazarus G | G0032
OilRig | group | uses | T0817 | Drive-by C | technique | [OilRig](ht | G0049
OilRig | group | uses | T0853 | Scripting | technique | [OilRig](h | G0049
OilRig | group | uses | T0865 | Spearphish | technique | [OilRig](ht | G0049
OilRig | group | uses | T0869 | Standard Ap | technique | [OilRig](h | G0049
OilRig | group | uses | T0859 | Valid Acco | technique | [OilRig](ht | G0049
Sandworm | group | uses | T0803 | Block Com | technique | In the Ukr | G0034
Sandworm | group | uses | T0804 | Block Repo | technique | In the Ukra | G0034
Sandworm | group | uses | T0807 | Command-Li | technique | [Sandworm | G0034
Sandworm | group | uses | T0884 | Connection | technique | [Sandworm | G0034
Sandworm | group | uses | T0816 | Device Res | technique | In the 2015 | G0034
Sandworm | group | uses | T0819 | Exploit Pub | technique | [Sandworm | G0034
Sandworm | group | uses | T0822 | External R | technique | In the Ukra | G0034
Sandworm | group | uses | T0823 | Graphical U | technique | In the Ukra | G0034
Sandworm | group | uses | T0867 | Lateral Too | technique | [Sandworm | G0034
Sandworm | group | uses | T0849 | Masquerad | technique | [Sandworm | G0034
Sandworm | group | uses | T0886 | Remote Ser | technique | [Sandworm | G0034
Sandworm | group | uses | T0853 | Scripting | technique | [Sandworm | G0034
Sandworm | group | uses | T0865 | Spearphish | technique | In the Ukr | G0034
Sandworm | group | uses | T0857 | System Fi | technique | In the Ukr | G0034
Sandworm | group | uses | T0855 | Unauthori | technique | In the Ukra | G0034
Sandworm | group | uses | T0859 | Valid Acco | technique | [Sandworm | G0034
TEMP.Vele | group | uses | T0817 | Drive-by C | technique | [TEMP.Veles | G0088
TEMP.Vele | group | uses | T0886 | Remote Ser | technique | [TEMP.Vele | G0088
TEMP.Vele | group | uses | T0862 | Supply Cha | technique | [TEMP.Veles | G0088
TEMP.Vele | group | uses | T0859 | Valid Acco | technique | [TEMP.Vele | G0088
ACAD/Medr | software | uses | T0811 | Data from | technique | [ACAD/Medre.A](https://attack.mitre.org/software/S1000) co [ACAD/Medre.A](https://attack.mitre.org/software/S1000) ca | S1000
ACAD/Medr | software | uses | T0882 | Theft of Op | technique | | S1000
Backdoor.O | software | uses | T0802 | Automated | technique | Using OPC, | S0093
Backdoor.O | software | uses | T0814 | Denial of S | technique | The [Backdo | S0093
Backdoor.O | software | uses | T0861 | Point & Tag | technique | The [Backdo | S0093
Backdoor.O | software | uses | T0846 | Remote Sys | technique | The [Backdo | S0093
Backdoor.O | software | uses | T0888 | Remote Sys | technique | The [Backdo | S0093
Backdoor.O | software | uses | T0865 | Spearphish | technique | The [Backdo | S0093
Backdoor.O | software | uses | T0862 | Supply Cha | technique | The [Backdo | S0093
Backdoor.O | software | uses | T0863 | User Execu | technique | Execution o | S0093
Bad Rabbit | software | uses | T0817 | Drive-by C | technique | [Bad Rabbit | S0606
Bad Rabbit | software | uses | T0866 | Exploitatio | technique | [Bad Rabbit | S0606
Bad Rabbit | software | uses | T0867 | Lateral Too | technique | [Bad Rabbit | S0606
Bad Rabbit | software | uses | T0828 | Loss of Pr | technique | Several tra | S0606
Bad Rabbit | software | uses | T0863 | User Execu | technique | [Bad Rabbit | S0606
BlackEnerg | software | uses | T0865 | Spearphish | technique | [BlackEnergy](https://attack.mitre.org/software/S0089) targe [BlackEnergy](https://attack.mitre.org/software/S0089) uses | S0089
BlackEnerg | software | uses | T0869 | Standard Ap | technique | [BlackEnergy](https://attack.mitre.org/software/S0089) utiliz | S0089
BlackEnerg | software | uses | T0859 | Valid Acco | technique | | S0089
Conficker | software | uses | T0826 | Loss of Avai | technique | A [Conficke | S0608
Conficker | software | uses | T0828 | Loss of Pr | technique | A [Conficke | S0608
Conficker | software | uses | T0847 | Replicatio | technique | [Conficker] | S0608
Duqu | software | uses | T0811 | Data from | technique | [Duqu](http | S0038
Duqu | software | uses | T0882 | Theft of Op | technique | [Duqu](http | S0038
EKANS | software | uses | T0828 | Loss of Pr | technique | [EKANS](htt | S0605
EKANS | software | uses | T0849 | Masquerad | technique | [EKANS](ht | S0605
EKANS | software | uses | T0840 | Network Co | technique | [EKANS](htt | S0605
EKANS | software | uses | T0881 | Service Sto | technique | Before encr | S0605
Flame | software | uses | T0811 | Data from | technique | [Flame](ht | S0143
Flame | software | uses | T0882 | Theft of Op | technique | [Flame](htt | S0143
INCONTRO | software | uses | T0858 | Change Op | technique | [INCONTROL | S1045
INCONTRO | software | uses | T0884 | Connection | technique | The [INCONT | S1045
INCONTRO | software | uses | T0809 | Data Destr | technique | [INCONTROL | S1045
INCONTRO | software | uses | T0890 | Exploitatio | technique | [INCONTROLL | S1045
INCONTRO | software | uses | T0891 | Hardcoded | technique | [INCONTROL | S1045
INCONTRO | software | uses | T0867 | Lateral Too | technique | [INCONTROL | S1045
INCONTRO | software | uses | T0836 | Modify Par | technique | [INCONTROL | S1045
INCONTRO | software | uses | T0842 | Network Sn | technique | [INCONTROLL | S1045
INCONTRO | software | uses | T0861 | Point & Tag | technique | [INCONTROL | S1045
INCONTRO | software | uses | T0843 | Program D | technique | [INCONTROLLER](https://attack.mitre.org/software/S1045) ca | S1045
INCONTRO | software | uses | T0845 | Program U | technique | [INCONTROLLER](https://attack.mitre.org/software/S1045) c | S1045
INCONTRO | software | uses | T0886 | Remote Ser | technique | [INCONTROLLER](https://attack.mitre.org/software/S1045) ca | S1045
INCONTRO | software | uses | T0846 | Remote Sys | technique | [INCONTROLLER](https://attack.mitre.org/software/S1045) h | S1045
INCONTRO | software | uses | T0888 | Remote Sys | technique | [INCONTROLL | S1045
INCONTRO | software | uses | T0869 | Standard Ap | technique | [INCONTROL | S1045
INCONTRO | software | uses | T0855 | Unauthori | technique | [INCONTROLLER](https://attack.mitre.org/software/S1045) ca | S1045
INCONTRO | software | uses | T0859 | Valid Acco | technique | [INCONTROLLER](https://attack.mitre.org/software/S1045) c | S1045
Industroye | software | uses | T0800 | Activate F | technique | The [Indust | S0604
Industroye | software | uses | T0802 | Automated | technique | [Industroye | S0604
Industroye | software | uses | T0803 | Block Com | technique | In [Industr | S0604
Industroye | software | uses | T0804 | Block Repo | technique | [Industroye | S0604
Industroye | software | uses | T0805 | Block Seri | technique | In [Industr | S0604
Industroye | software | uses | T0806 | Brute Force | technique | The [Indust | S0604
Industroye | software | uses | T0807 | Command-Li | technique | The name o | S0604
Industroye | software | uses | T0884 | Connection | technique | [Industroye | S0604
Industroye | software | uses | T0809 | Data Destr | technique | [Industroye | S0604
Industroye | software | uses | T0813 | Denial of C | technique | [Industroye | S0604
Industroye | software | uses | T0814 | Denial of S | technique | The [Indust | S0604
Industroye | software | uses | T0815 | Denial of | technique | [Industroye | S0604
Industroye | software | uses | T0816 | Device Res | technique | The [Indust | S0604
Industroye | software | uses | T0827 | Loss of Con | technique | [Industroye | S0604
Industroye | software | uses | T0837 | Loss of Pro | technique | [Industroye | S0604
Industroye | software | uses | T0829 | Loss of Vie | technique | [Industroye | S0604
Industroye | software | uses | T0831 | Manipulati | technique | [Industroye | S0604
Industroye | software | uses | T0832 | Manipulati | technique | [Industroye | S0604
Industroye | software | uses | T0801 | Monitor Pr | technique | [Industroye | S0604
Industroye | software | uses | T0840 | Network Co | technique | [Industroy | S0604
Industroye | software | uses | T0846 | Remote Sys | technique | [Industroyer](https://attack.mitre.org/software/S0604) conta | S0604
Industroye | software | uses | T0888 | Remote Sys | technique | [Industroyer](https://attack.mitre.org/software/S0604) IEC 60 | S0604
Industroye | software | uses | T0881 | Service Sto | technique | [Industroye | S0604
Industroye | software | uses | T0855 | Unauthori | technique | Using its | S0604
KillDisk | software | uses | T0809 | Data Destr | technique | [KillDisk]( | S0607
KillDisk | software | uses | T0872 | Indicator | technique | [KillDisk]( | S0607
KillDisk | software | uses | T0829 | Loss of Vie | technique | [KillDisk]( | S0607
KillDisk | software | uses | T0881 | Service Sto | technique | [KillDisk]( | S0607
LockerGog | software | uses | T0827 | Loss of Con | technique | Some of Nor | S0372
LockerGog | software | uses | T0828 | Loss of Pr | technique | While Norsk | S0372
LockerGog | software | uses | T0829 | Loss of Vie | technique | Some of Nor | S0372
NotPetya | software | uses | T0866 | Exploitatio | technique | [NotPetya]( | S0368
NotPetya | software | uses | T0867 | Lateral Too | technique | [NotPetya]( | S0368
NotPetya | software | uses | T0828 | Loss of Pr | technique | [NotPetya]( | S0368
PLC-Blaster | software | uses | T0858 | Change Op | technique | [PLC-Blaste | S1006
PLC-Blaster | software | uses | T0814 | Denial of S | technique | The executi | S1006
PLC-Blaster | software | uses | T0835 | Manipulate | technique | [PLC-Blast | S1006
PLC-Blaster | software | uses | T0821 | Modify Con | technique | [PLC-Blaste | S1006
PLC-Blaster | software | uses | T0889 | Modify Pr | technique | [PLC-Blaste | S1006
PLC-Blaster | software | uses | T0834 | Native API | technique | [PLC-Blast | S1006
PLC-Blaster | software | uses | T0843 | Program D | technique | [PLC-Blast | S1006
PLC-Blaster | software | uses | T0846 | Remote Sys | technique | [PLC-Blaste | S1006
REvil | software | uses | T0828 | Loss of Pr | technique | The [REvil] | S0496
REvil | software | uses | T0849 | Masquerad | technique | [REvil](htt | S0496
REvil | software | uses | T0886 | Remote Ser | technique | [REvil](htt | S0496
REvil | software | uses | T0853 | Scripting | technique | [REvil](htt | S0496
REvil | software | uses | T0881 | Service Sto | technique | [REvil](htt | S0496
REvil | software | uses | T0869 | Standard Ap | technique | [REvil](ht | S0496
REvil | software | uses | T0882 | Theft of Op | technique | [REvil](htt | S0496
REvil | software | uses | T0863 | User Execu | technique | [REvil](htt | S0496
Ryuk | software | uses | T0828 | Loss of Pr | technique | An enterpri | S0446
Stuxnet | software | uses | T0807 | Command-Li | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0885 | Commonly | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0866 | Exploitatio | technique | [Stuxnet]( | S0603
Stuxnet | software | uses | T0891 | Hardcoded | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0874 | Hooking | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0877 | I/O Image | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0867 | Lateral Too | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0835 | Manipulate | technique | When the pe | S0603
Stuxnet | software | uses | T0831 | Manipulati | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0832 | Manipulati | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0849 | Masquerad | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0821 | Modify Con | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0836 | Modify Par | technique | In states 3 | S0603
Stuxnet | software | uses | T0889 | Modify Pr | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0801 | Monitor Pr | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0834 | Native API | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0842 | Network Sn | technique | DP_RECV is | S0603
Stuxnet | software | uses | T0843 | Program D | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0873 | Project File | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0886 | Remote Ser | technique | [Stuxnet]( | S0603
Stuxnet | software | uses | T0888 | Remote Sys | technique | [Stuxnet](https://attack.mitre.org/software/S0603) was spec | S0603
Stuxnet | software | uses | T0847 | Replicatio | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0851 | Rootkit | technique | One of [Stu | S0603
Stuxnet | software | uses | T0869 | Standard Ap | technique | [Stuxnet](h | S0603
Stuxnet | software | uses | T0863 | User Execu | technique | [Stuxnet](h | S0603
Triton | software | uses | T0858 | Change Op | technique | [Triton](ht | S1009
Triton | software | uses | T0885 | Commonly | technique | [Triton](ht | S1009
Triton | software | uses | T0868 | Detect Ope | technique | [Triton](https://attack.mitre.org/software/S1009) contains a | S1009
Triton | software | uses | T0871 | Execution | technique | [Triton](ht | S1009
Triton | software | uses | T0820 | Exploitatio | technique | [Triton](ht | S1009
Triton | software | uses | T0890 | Exploitatio | technique | [Triton](ht | S1009
Triton | software | uses | T0874 | Hooking | technique | [Triton](ht | S1009
Triton | software | uses | T0872 | Indicator | technique | [Triton](ht | S1009
Triton | software | uses | T0880 | Loss of Saf | technique | [Triton](ht | S1009
Triton | software | uses | T0849 | Masquerad | technique | [Triton](https://attack.mitre.org/software/S1009) was configu | S1009
Triton | software | uses | T0821 | Modify Con | technique | [Triton](ht | S1009
Triton | software | uses | T0834 | Native API | technique | [Triton](ht | S1009
Triton | software | uses | T0843 | Program D | technique | [Triton](ht | S1009
Triton | software | uses | T0845 | Program U | technique | [Triton](ht | S1009
Triton | software | uses | T0846 | Remote Sys | technique | [Triton](ht | S1009
Triton | software | uses | T0853 | Scripting | technique | [Triton](ht | S1009
Triton | software | uses | T0869 | Standard Ap | technique | [Triton](ht | S1009
Triton | software | uses | T0857 | System Fi | technique | [Triton](ht | S1009
VPNFilter | software | uses | T0830 | Adversary- | technique | The [VPNFil | S1010
VPNFilter | software | uses | T0842 | Network Sn | technique | The [VPNFil | S1010
WannaCry | software | uses | T0866 | Exploitatio | technique | [WannaCry]( | S0366
WannaCry | software | uses | T0867 | Lateral Too | technique | [WannaCry]( | S0366
source name | source type | mapping type | target ID | target name | target type | mapping description | source ID
Access Ma | mitigation | mitigates | T0800 | Activate F | technique | All devices or systems changes, including all administrative fu Authenticate all access to field controllers before authorizing | M0801
Access Ma | mitigation | mitigates | T0858 | Change Op | technique | Ensure embedded controls and network devices are protecte | M0801
Access Ma | mitigation | mitigates | T0812 | Default Cre | technique | Authenticate all access to field controllers before authorizing | M0801
Access Ma | mitigation | mitigates | T0868 | Detect Ope | technique | All devices or systems changes, including all administrative fu | M0801
Access Ma | mitigation | mitigates | T0816 | Device Res | technique | Access Management technologies can be used to enforce aut | M0801
Access Ma | mitigation | mitigates | T0871 | Execution | technique | | M0801
Access Ma | mitigation | mitigates | T0891 | Hardcoded | technique | Ensure emb All devices or systems changes, including all administrative fu | M0801
Access Ma | mitigation | mitigates | T0838 | Modify Ala | technique | All devices or systems changes, including all administrative fu | M0801
Access Ma | mitigation | mitigates | T0839 | Module Fi | technique | Authenticate all access to field controllers before authorizing | M0801
Access Ma | mitigation | mitigates | T0861 | Point & Tag | technique | Authenticate all access to field controllers before authorizing | M0801
Access Ma | mitigation | mitigates | T0843 | Program D | technique | Authenticate all access to field controllers before authorizing | M0801
Access Ma | mitigation | mitigates | T0845 | Program U | technique | Access Management technologies can help enforce authentic | M0801
Access Ma | mitigation | mitigates | T0886 | Remote Ser | technique | All devices or systems changes, including all administrative fu | M0801
Access Ma | mitigation | mitigates | T0857 | System Fi | technique | Authenticate all access to field controllers before authorizing | M0801
Access Ma | mitigation | mitigates | T0859 | Valid Acco | technique | Configure features related to account use like login attempt l | M0801
Account Use | mitigation | mitigates | T0822 | External R | technique | Configure features related to account use like login attempt l | M0936
Account Use | mitigation | mitigates | T0859 | Valid Acco | technique | Consider configuration and use of a network-wide authentica | M0936
Active Dire | mitigation | mitigates | T0859 | Valid Acco | technique | Deploy anti-virus on all systems that support external email. | M0915
Antivirus/ | mitigation | mitigates | T0865 | Spearphish | technique | Install anti-virus software on all workstation and transient ass | M0949
Antivirus/ | mitigation | mitigates | T0864 | Transient | technique | Ensure anti-virus solution can detect malicious files that allow | M0949
Antivirus/ | mitigation | mitigates | T0863 | User Execu | technique | Ensure that applications and devices do not store sensitive da | M0949
Applicatio | mitigation | mitigates | T0859 | Valid Acco | technique | Built-in browser sandboxes and application isolation may be u | M0913
Application | mitigation | mitigates | T0817 | Drive-by C | technique | Application isolation will limit the other processes and system | M0948
Application | mitigation | mitigates | T0819 | Exploit Pub | technique | Make it difficult for adversaries to advance their operation th | M0948
Application | mitigation | mitigates | T0820 | Exploitatio | technique | Make it difficult for adversaries to advance their operation th | M0948
Application | mitigation | mitigates | T0890 | Exploitatio | technique | Make it difficult for adversaries to advance their operation th | M0948
Application | mitigation | mitigates | T0866 | Exploitatio | technique | Consider the use of application isolation and sandboxing to re | M0948
Application | mitigation | mitigates | T0853 | Scripting | technique | Limit access to network infrastructure and resources that can | M0948
Audit | mitigation | mitigates | T0830 | Adversary- | technique | Consider periodic reviews of accounts and privileges for critic | M0947
Audit | mitigation | mitigates | T0811 | Data from | technique | Perform audits or scans of systems, permissions, insecure soft | M0947
Audit | mitigation | mitigates | T0874 | Hooking | technique | Provide the ability to verify the integrity of control logic or pr | M0947
Audit | mitigation | mitigates | T0821 | Modify Con | technique | Provide the ability to verify the integrity of control logic or pr | M0947
Audit | mitigation | mitigates | T0836 | Modify Par | technique | Provide the ability to verify the integrity of control logic or pr | M0947
Audit | mitigation | mitigates | T0889 | Modify Pr | technique | Perform integrity checks of firmware before uploading it on a | M0947
Audit | mitigation | mitigates | T0839 | Module Fi | technique | Provide the ability to verify the integrity of control logic or pr | M0947
Audit | mitigation | mitigates | T0843 | Program D | technique | Review the integrity of project files to verify they have not be | M0947
Audit | mitigation | mitigates | T0873 | Project File | technique | Audit the integrity of PLC system and application code functio | M0947
Audit | mitigation | mitigates | T0851 | Rootkit | technique | Perform audits or scans of systems, permissions, insecure soft | M0947
Audit | mitigation | mitigates | T0862 | Supply Cha | technique | Perform integrity checks of firmware before uploading it on a | M0947
Audit | mitigation | mitigates | T0857 | System Fi | technique | Integrity checking of transient assets can include performing | M0947
Audit | mitigation | mitigates | T0864 | Transient | technique | Routinely audit source code, application configuration files, o | M0947
Audit | mitigation | mitigates | T0859 | Valid Acco | technique | Restrict configurations changes and firmware updating abiliti | M0947
Authorizat | mitigation | mitigates | T0800 | Activate F | technique | All field controllers should restrict operating mode changes to | M0800
Authorizat | mitigation | mitigates | T0858 | Change Op | technique | All field controllers should restrict the modification of program | M0800
Authorizat | mitigation | mitigates | T0868 | Detect Ope | technique | All field controllers should restrict the modification of program | M0800
Authorizat | mitigation | mitigates | T0816 | Device Res | technique | All APIs used to perform execution, especially those hosted o | M0800
Authorizat | mitigation | mitigates | T0871 | Execution | technique | Only authorized personnel should be able to change settings | M0800
Authorizat | mitigation | mitigates | T0838 | Modify Ala | technique | All field controllers should restrict the modification of program | M0800
Authorizat | mitigation | mitigates | T0836 | Modify Par | technique | Systems and devices should restrict access to any data with p | M0800
Authorizat | mitigation | mitigates | T0861 | Point & Tag | technique | All field controllers should restrict the modification of program | M0800
Authorizat | mitigation | mitigates | T0843 | Program D | technique | All field controllers should restrict program uploads to only ce | M0800
Authorizat | mitigation | mitigates | T0845 | Program U | technique | Provide privileges corresponding to the restriction of a GUI se | M0800
Authorizat | mitigation | mitigates | T0886 | Remote Ser | technique | Check the integrity of the existing BIOS or EFI to determine if | M0800
Boot Integr | mitigation | mitigates | T0839 | Module Fi | technique | Check the integrity of the existing BIOS or EFI to determine if | M0946
Boot Integr | mitigation | mitigates | T0857 | System Fi | technique | Require signed binaries. | M0946
Code Signi | mitigation | mitigates | T0849 | Masquerad | technique | Utilize code signatures to verify the integrity of the installed p | M0945
Code Signi | mitigation | mitigates | T0821 | Modify Con | technique | Utilize code signatures to verify the integrity of the installed p | M0945
Code Signi | mitigation | mitigates | T0889 | Modify Pr | technique | Devices should verify that firmware has been properly signed | M0945
Code Signi | mitigation | mitigates | T0839 | Module Fi | technique | Utilize code signatures to verify the integrity of the installed p | M0945
Code Signi | mitigation | mitigates | T0843 | Program D | technique | Allow for code signing of any project files stored at rest to pre | M0945
Code Signi | mitigation | mitigates | T0873 | Project File | technique | Digital signatures may be used to ensure application DLLs are | M0945
Code Signi | mitigation | mitigates | T0851 | Rootkit | technique | When available utilize hardware and software root-of-trust to | M0945
Code Signi | mitigation | mitigates | T0862 | Supply Cha | technique | Devices should verify that firmware has been properly signed | M0945
Code Signi | mitigation | mitigates | T0857 | System Fi | technique | Prevent the use of unsigned executables, such as installers an | M0945
Code Signi | mitigation | mitigates | T0863 | User Execu | technique | Protocols used for device management should authenticate a | M0945
Communicat | mitigation | mitigates | T0800 | Activate F | technique | Communication authenticity will ensure that any messages ta | M0802
Communicat | mitigation | mitigates | T0830 | Adversary- | technique | Protocols used for device management should authenticate a | M0802
Communicat | mitigation | mitigates | T0858 | Change Op | technique | Protocols used for control functions should provide authentic | M0802
Communicat | mitigation | mitigates | T0868 | Detect Ope | technique | Protocols used for control functions should provide authentic | M0802
Communicat | mitigation | mitigates | T0816 | Device Res | technique | Protocols used for control functions should provide authentic | M0802
Communicat | mitigation | mitigates | T0831 | Manipulati | technique | Protocols used for control functions should provide authentic | M0802
Communicat | mitigation | mitigates | T0832 | Manipulati | technique | Protocols used for device management should authenticate a | M0802
Communicat | mitigation | mitigates | T0839 | Module Fi | technique | Protocols used for control functions should provide authentic | M0802
Communicat | mitigation | mitigates | T0861 | Point & Tag | technique | Protocols used for device management should authenticate a | M0802
Communicat | mitigation | mitigates | T0843 | Program D | technique | Protocols used for device management should authenticate a | M0802
Communicat | mitigation | mitigates | T0845 | Program U | technique | Protocols used for control functions should provide authentic | M0802
Communicat | mitigation | mitigates | T0848 | Rogue Mas | technique | Protocols used for control functions should provide authentic | M0802
Communicat | mitigation | mitigates | T0856 | Spoof Repo | technique | Protocols used for device management should authenticate a | M0802
Communicat | mitigation | mitigates | T0857 | System Fi | technique | Protocols used for control functions should provide authentic | M0802
Communicat | mitigation | mitigates | T0855 | Unauthori | technique | Do not inherently rely on the authenticity provided by the ne | M0802
Communicat | mitigation | mitigates | T0860 | Wireless | technique | Utilize central storage servers for critical operations where po | M0802
Data Backu | mitigation | mitigates | T0809 | Data Destr | technique | Take and store data backups from end user systems and critic | M0953
Data Backu | mitigation | mitigates | T0813 | Denial of C | technique | Take and store data backups from end user systems and critic | M0953
Data Backu | mitigation | mitigates | T0815 | Denial of | technique | Take and store data backups from end user systems and critic | M0953
Data Backu | mitigation | mitigates | T0826 | Loss of Avai | technique | Take and store data backups from end user systems and critic | M0953
Data Backu | mitigation | mitigates | T0827 | Loss of Con | technique | Take and store data backups from end user systems and critic | M0953
Data Backu | mitigation | mitigates | T0828 | Loss of Pr | technique | Take and store data backups from end user systems and critic | M0953
Data Backu | mitigation | mitigates | T0829 | Loss of Vie | technique | Take and store data backups from end user systems and critic | M0953
Data Backu | mitigation | mitigates | T0831 | Manipulati | technique | Take and store data backups from end user systems and critic | M0953
Data Backu | mitigation | mitigates | T0832 | Manipulati | technique | Apply DLP to protect the confidentiality of information relate | M0953
Data Loss | mitigation | mitigates | T0882 | Theft of Op | technique | Disable unnecessary legacy network protocols that may be us | M0803
Disable or | mitigation | mitigates | T0830 | Adversary- | technique | Consider removing or restricting features that are unnecessar | M0942
Disable or | mitigation | mitigates | T0807 | Command-Li | technique | Ensure that unnecessary ports and services are closed to prev | M0942
Disable or | mitigation | mitigates | T0885 | Commonly | technique | Ensure remote commands that enable device shutdown are d | M0942
Disable or | mitigation | mitigates | T0816 | Device Res | technique | Ensure that unnecessary ports and services are closed to prev | M0942
Disable or | mitigation | mitigates | T0866 | Exploitatio | technique | Consider removal of remote services which are not regularly | M0942
Disable or | mitigation | mitigates | T0822 | External R | technique | Consider the disabling of features such as AutoRun. | M0942
Disable or | mitigation | mitigates | T0847 | Replicatio | technique | Consider removal or disabling of programs and features whic | M0942
Disable or | mitigation | mitigates | T0853 | Scripting | technique | The encryption of firmware should be considered to prevent | M0942
Encrypt Net | mitigation | mitigates | T0839 | Module Fi | technique | Ensure that wired and/or wireless traffic is encrypted when fe | M0808
Encrypt Net | mitigation | mitigates | T0842 | Network Sn | technique | The encryption of firmware should be considered to prevent | M0808
Encrypt Net | mitigation | mitigates | T0857 | System Fi | technique | Utilize strong cryptographic techniques and protocols to prev | M0808
Encrypt Net | mitigation | mitigates | T0860 | Wireless | technique | Utilize strong cryptographic techniques and protocols to prev | M0808
Encrypt Net | mitigation | mitigates | T0887 | Wireless Sn | technique | Information which is sensitive to the operation and architectu | M0808
Encrypt Sen | mitigation | mitigates | T0811 | Data from | technique | The encryption of firmware should be considered to prevent | M0941
Encrypt Sen | mitigation | mitigates | T0839 | Module Fi | technique | When at rest, project files should be encrypted to prevent un | M0941
Encrypt Senmitigation mitigates T0873 Project Filetechnique The encryption
M0941 of firmware should be considered to prevent
Encrypt Senmitigation mitigates T0857 System Fi technique Encrypt anyM0941
operational data with strong confidentiality requ
Encrypt Senmitigation mitigates T0882 Theft of Optechnique Consider implementing
M0941 full disk encryption, especially if engin
Encrypt Senmitigation mitigates T0864 Transient technique Execution prevention
M0941 may block malicious software from acce
Execution mitigation mitigates T0807 Command-Li technique Minimize the
M0938
exposure of API calls that allow the execution o
Execution mitigation mitigates T0871 Execution technique Use tools that
M0938
restrict program execution via application cont
Execution mitigation mitigates T0849 Masqueradtechnique Minimize the M0938
exposure of API calls that allow the execution o
Execution mitigation mitigates T0834 Native API technique Execution prevention
M0938 may prevent malicious scripts from acc
Execution mitigation mitigates T0853 Scripting technique ApplicationM0938
control may be able to prevent the running of exe
Execution mitigation mitigates T0863 User Executechnique Utilize exploit
M0938
protection to prevent activities which may be e
Exploit Promitigation mitigates T0817 Drive-by C technique Web Application
M0950Firewalls may be used to limit exposure of a
Exploit Promitigation mitigates T0819 Exploit Pubtechnique Security applications
M0950 that look for behavior used during explo
Exploit Promitigation mitigates T0820 Exploitatiotechnique Security applications
M0950 that look for behavior used during explo
Exploit Promitigation mitigates T0890 Exploitatiotechnique Security applications
M0950 that look for behavior used during explo
Exploit Promitigation mitigates T0866 Exploitatiotechnique Filter for protocols
M0950 and payloads associated with firmware ac
Filter Netwmitigation mitigates T0800 Activate F technique Allow/denylists
M0937 can be used to block access when excessive I/
Filter Netwmitigation mitigates T0806 Brute Forcetechnique Traffic to known
M0937anonymity networks and C2 infrastructure c
Filter Netwmitigation mitigates T0884 Connectiontechnique Perform inline
M0937allowlisting of automation protocol commands
Filter Netwmitigation mitigates T0868 Detect Opetechnique ApplicationM0937
denylists can be used to block automation protoc
Filter Netwmitigation mitigates T0816 Device Restechnique Filter for protocols
M0937 and payloads associated with firmware ac
Filter Netwmitigation mitigates T0839 Module Fi technique Perform inline
M0937allowlisting of automation protocol commands
Filter Netwmitigation mitigates T0861 Point & Tagtechnique Filter for protocols
M0937 and payloads associated with program do
Filter Netwmitigation mitigates T0843 Program Dtechnique Filter for protocols
M0937 and payloads associated with program up
Filter Netwmitigation mitigates T0845 Program Utechnique Filter application-layer
M0937 protocol messages for remote services
Filter Netwmitigation mitigates T0886 Remote Sertechnique Perform inline
M0937allowlisting of automation protocol commands
Filter Netwmitigation mitigates T0848 Rogue Mastechnique Perform inlineM0937allowlisting of automation protocol commands
Filter Netwmitigation mitigates T0856 Spoof Repotechnique Filter for protocols
M0937 and payloads associated with firmware ac
Filter Netwmitigation mitigates T0857 System Fi technique M0937
Perform inline allowlisting of automation protocol commands
Filter Netwmitigation mitigates T0855 Unauthori technique Consider using M0937 IP allowlisting along with user account manage
Filter Netwmitigation mitigates T0859 Valid Acco technique M0937
Human User mitigation mitigates T0800 Activate F technique Devices th M0804
Human User mitigation mitigates T0858 Change Optechnique All field c M0804
Human User mitigation mitigates T0885 Commonlytechnique All field c M0804
Human User mitigation mitigates T0868 Detect Opetechnique All field c M0804
Human User mitigation mitigates T0816 Device Restechnique All
All field c M0804
APIs on remote systems or local processes should require
Human User mitigation mitigates T0871 Execution technique M0804
Human User mitigation mitigates T0838 Modify Alatechnique All field c M0804
Human User mitigation mitigates T0839 Module Fi technique Devices th M0804
Human User mitigation mitigates T0861 Point & Tagtechnique All field c M0804
Human User mitigation mitigates T0843 Program Dtechnique All field c M0804
Human User mitigation mitigates T0845 Program Utechnique AllAll field
remotec M0804
services should require strong authentication befo
Human User mitigation mitigates T0886 Remote Sertechnique M0804
Human User mitigation mitigates T0857 System Fi technique Devices th M0804
Limit access to remote services through centrally managed co
Limit Acce mitigation mitigates T0822 External R technique Enforce systemM0935 policies or physical restrictions to limit hardw
Limit Hardwmitigation mitigates T0847 Replicatio technique Protection M0934
devices should have minimal digital components t
Mechanicalmitigation mitigates T0879 Damage totechnique Protection M0805 devices should have minimal digital components t
Mechanicalmitigation mitigates T0880 Loss of Saf technique TechniquesM0805can include (i) reducing transmission power on w
Minimize Wmitigation mitigates T0860 Wireless technique Reduce theM0806 range of RF communications to their intended op
Minimize Wmitigation mitigates T0887 Wireless Sntechnique Once an adversary
M0806 has access to a remote GUI they can abuse
Mitigation mitigation mitigates T0823 Graphical Utechnique This techniqueM0816 may not be effectively mitigated against, cons
Mitigation mitigation mitigates T0877 I/O Image technique This technique M0816 may not be effectively mitigated against, cons
Mitigation mitigation mitigates T0835 Manipulatetechnique This type ofM0816 attack technique cannot be easily mitigated with
Mitigation mitigation mitigates T0801 Monitor Prtechnique Network connection
M0816 enumeration is likely obtained by using c
Mitigation mitigation mitigates T0840 Network Cotechnique PreventingM0816 screen capture on a device may require disabling
Mitigation mitigation mitigates T0852 Screen Captechnique Use strongM0816 multi-factor authentication for remote service acc
Multi-factomitigation mitigates T0822 External R technique Use multi-factor
M0932authentication wherever possible.
Multi-factomitigation mitigates T0842 Network Sntechnique IntegratingM0932 multi-factor authentication (MFA) as part of organ
Multi-factomitigation mitigates T0859 Valid Acco technique Use host-basedM0932 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0800 Activate F technique Utilize network
M0807 allowlists to restrict unnecessary connections
Network Almitigation mitigates T0878 Alarm Supptechnique Utilize networkM0807 allowlists to restrict unnecessary connections
Network Almitigation mitigates T0802 Automatedtechnique Utilize network M0807 allowlists to restrict unnecessary connections
Network Almitigation mitigates T0803 Block Com technique Utilize networkM0807 allowlists to restrict unnecessary connections
Network Almitigation mitigates T0804 Block Repotechnique ImplementM0807 network allowlists to minimize serial comm port a
Network Almitigation mitigates T0805 Block Seri technique Utilize network
M0807 allowlists to restrict unnecessary connections
Network Almitigation mitigates T0806 Brute Forcetechnique Use host-basedM0807 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0858 Change Optechnique M0807
Network Almitigation mitigates T0884 Connectiontechnique Network allM0807
Use host-based allowlists to prevent devices from accepting c
Network Almitigation mitigates T0879 Damage totechnique Use host-based M0807 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0868 Detect Opetechnique Use host-based M0807 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0816 Device Restechnique Use host-based M0807 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0838 Modify Alatechnique Use host-based M0807 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0839 Module Fi technique Use host-based M0807 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0861 Point & Tagtechnique M0807
Use host-based allowlists to prevent devices from accepting c
Network Almitigation mitigates T0843 Program Dtechnique Use host-based M0807 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0845 Program Utechnique Network allowlists
M0807 can be implemented through either host-b
Network Almitigation mitigates T0886 Remote Sertechnique Use host-based M0807 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0848 Rogue Mastechnique Use host-based M0807 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0856 Spoof Repotechnique M0807
Network Almitigation mitigates T0869 Standard Aptechnique Network allM0807
Use host-based allowlists to prevent devices from accepting c
Network Almitigation mitigates T0857 System Fi technique Use host-based M0807 allowlists to prevent devices from accepting c
Network Almitigation mitigates T0855 Unauthori technique Network intrusion
M0807 detection and prevention systems that can
Network Inmitigation mitigates T0830 Adversary-technique Network intrusion
M0931 detection and prevention systems that use
Network Inmitigation mitigates T0885 Commonlytechnique Network intrusionM0931 detection and prevention systems that use
Network Inmitigation mitigates T0884 Connectiontechnique Network intrusion
M0931 detection and prevention systems that use
Network Inmitigation mitigates T0867 Lateral Tootechnique Network intrusion
M0931 prevention systems and systems designed
Network Inmitigation mitigates T0865 Spearphishtechnique Network intrusion
M0931 detection and prevention systems that use
Network Inmitigation mitigates T0869 Standard Aptechnique If a link is being
M0931 visited by a user, network intrusion preventio
Network Inmitigation mitigates T0863 User Executechnique Segment operational
M0931 network and systems to restrict access t
Network S mitigation mitigates T0800 Activate F technique Network segmentation
M0930 can be used to isolate infrastructure c
Network S mitigation mitigates T0830 Adversary-technique Segment operational
M0930 assets and their management devices b
Network S mitigation mitigates T0878 Alarm Supptechnique Prevent unauthorized
M0930 systems from accessing control servers
Network S mitigation mitigates T0802 Automatedtechnique Restrict unauthorized
M0930 devices from accessing serial comm po
Network S mitigation mitigates T0805 Block Seri technique Segment operational
M0930 assets and their management devices b
Network S mitigation mitigates T0806 Brute Forcetechnique Segment operational
M0930 network and systems to restrict access t
Network S mitigation mitigates T0858 Change Optechnique Configure internal
M0930 and external firewalls to block traffic using
Network S mitigation mitigates T0885 Commonlytechnique Segment operational
M0930 network and systems to restrict access t
Network S mitigation mitigates T0868 Detect Opetechnique Segment operational
M0930 network and systems to restrict access t
Network S mitigation mitigates T0816 Device Restechnique Segment externally
M0930 facing servers and services from the rest
Network S mitigation mitigates T0819 Exploit Pubtechnique Segment networks
M0930 and systems appropriately to reduce acce
Network S mitigation mitigates T0866 Exploitatiotechnique Deny directM0930remote access to internal systems through the us
Network S mitigation mitigates T0822 External R technique Deny directM0930remote access to internal systems through the us
Network S mitigation mitigates T0883 Internet Actechnique Segment operational
M0930 network and systems to restrict access t
Network S mitigation mitigates T0838 Modify Alatechnique Segment operational
M0930 network and systems to restrict access t
Network S mitigation mitigates T0839 Module Fi technique Segment networks
M0930 and systems appropriately to reduce acce
Network S mitigation mitigates T0842 Network Sntechnique Segment operational
M0930 assets and their management devices b
Network S mitigation mitigates T0861 Point & Tagtechnique Segment operational
M0930 network and systems to restrict access t
Network S mitigation mitigates T0843 Program Dtechnique Segment operational
M0930 network and systems to restrict access t
Network S mitigation mitigates T0845 Program Utechnique Segment and M0930
control software movement between business
Network S mitigation mitigates T0886 Remote Sertechnique Segment operational
M0930 assets and their management devices b
Network S mitigation mitigates T0848 Rogue Mastechnique Segment operational
M0930 network and systems to restrict access t
Network S mitigation mitigates T0881 Service Stotechnique Segment operational
M0930 assets and their management devices b
Network S mitigation mitigates T0856 Spoof Repotechnique Ensure proper M0930network segmentation between higher level co
Network S mitigation mitigates T0869 Standard Aptechnique Segment operational
M0930 network and systems to restrict access t
Network S mitigation mitigates T0857 System Fi technique Segment and M0930
control software movement between business
Network S mitigation mitigates T0864 Transient technique Segment operational
M0930 assets and their management devices b
Network S mitigation mitigates T0855 Unauthori technique Harden theM0930 system through operating system controls to prev
Operating mitigation mitigates T0847 Replicatio technique Example mitigations
M0928 could include minimizing its distribution/
Operationalmitigation mitigates T0882 Theft of Optechnique M0809
Utilize out-of-band communication to validate the integrity o
Out-of-Banmitigation mitigates T0830 Adversary-technique Provide an M0810
alternative method for alarms to be reported in th
Out-of-Banmitigation mitigates T0878 Alarm Supptechnique Provide an M0810
alternative method for sending critical commands
Out-of-Banmitigation mitigates T0803 Block Com technique Provide an M0810
alternative method for sending critical report mes
Out-of-Banmitigation mitigates T0804 Block Repotechnique Ensure devicesM0810 have an alternative method for communicatin
Out-of-Banmitigation mitigates T0805 Block Seri technique Provide operators
M0810 with redundant, out-of-band communicati
Out-of-Banmitigation mitigates T0813 Denial of Ctechnique Provide operators
M0810 with redundant, out-of-band communicati
Out-of-Banmitigation mitigates T0815 Denial of technique Provide operators
M0810 with redundant, out-of-band communicati
Out-of-Banmitigation mitigates T0826 Loss of Avaitechnique Provide operators
M0810 with redundant, out-of-band communicati
Out-of-Banmitigation mitigates T0827 Loss of Contechnique Provide operators
M0810 with redundant, out-of-band communicati
Out-of-Banmitigation mitigates T0829 Loss of Vietechnique Utilize out-of-band
M0810 communication to validate the integrity o
Out-of-Banmitigation mitigates T0831 Manipulatitechnique Utilize out-of-band
M0810 communication to validate the integrity o
Out-of-Banmitigation mitigates T0832 Manipulatitechnique Review vendor M0810 documents and security alerts for potentially
Password Pmitigation mitigates T0812 Default Cretechnique Set and enforce
M0927 secure password policies for accounts.
Password Pmitigation mitigates T0822 External R technique Enforce strong
M0927 password requirements to prevent password b
Password Pmitigation mitigates T0886 Remote Sertechnique Applications M0927
and appliances that utilize default username and
Password Pmitigation mitigates T0859 Valid Acco technique Minimize permissions
M0927 and access for service accounts to limit
Privileged mitigation mitigates T0809 Data Destrtechnique Minimize permissions
M0926 and access for service accounts to limit
Privileged mitigation mitigates T0811 Data from technique Use least privilege
M0926 for service accounts. (Citation: Keith Stouff
Privileged mitigation mitigates T0819 Exploit Pubtechnique Minimize permissions
M0926 and access for service accounts to limit
Privileged mitigation mitigates T0866 Exploitatiotechnique Restrict rootM0926
or administrator access on user accounts to limi
Privileged mitigation mitigates T0842 Network Sntechnique Audit domain M0926
and local accounts and their permission levels r
Privileged mitigation mitigates T0859 Valid Acco technique Hot-standbys M0926
in diverse locations can ensure continued opera
Redundancy mitigation mitigates T0813 Denial of Ctechnique Hot-standbys M0811
in diverse locations can ensure continued opera
Redundancy mitigation mitigates T0815 Denial of technique Hot-standbys M0811
in diverse locations can ensure continued opera
Redundancy mitigation mitigates T0826 Loss of Avaitechnique Hot-standbysM0811
in diverse locations can ensure continued opera
Redundancy mitigation mitigates T0827 Loss of Contechnique Hot-standbys M0811
in diverse locations can ensure continued opera
Redundancy mitigation mitigates T0829 Loss of Vietechnique Protect filesM0811
stored locally with proper permissions to limit o
Restrict Fi mitigation mitigates T0809 Data Destrtechnique Protect filesM0922
stored locally with proper permissions to limit op
Restrict Fi mitigation mitigates T0811 Data from technique Protect filesM0922
stored locally with proper permissions to limit op
Restrict Fi mitigation mitigates T0872 Indicator technique Use file system
M0922 access controls to protect system and applica
Restrict Fi mitigation mitigates T0849 Masqueradtechnique Ensure permissions
M0922 restrict project file access to only enginee
Restrict Fi mitigation mitigates T0873 Project Filetechnique Ensure proper
M0922process and file permissions are in place to inh
Restrict Fi mitigation mitigates T0881 Service Stotechnique Protect filesM0922
stored locally with proper permissions to limit op
Restrict Fi mitigation mitigates T0882 Theft of Optechnique Restrict theM0922
use of untrusted or unknown libraries, such as re
Restrict Li mitigation mitigates T0874 Hooking technique Ensure proper M0944registry permissions are in place to inhibit adve
Restrict Remitigation mitigates T0881 Service Stotechnique Restrict browsers
M0924to limit the capabilities of malicious ads and
Restrict W mitigation mitigates T0817 Drive-by C technique Consider restricting
M0921 access to email within critical process env
Restrict W mitigation mitigates T0865 Spearphishtechnique If a link is being
M0921 visited by a user, block unknown or unused fi
Restrict W mitigation mitigates T0863 User Executechnique If it is possible
M0921to inspect HTTPS traffic, the captures can be an
SSL/TLS In mitigation mitigates T0884 Connectiontechnique Ensure thatM0920
all SIS are segmented from operational networks
Safety Ins mitigation mitigates T0879 Damage totechnique Ensure thatM0812all SIS are segmented from operational networks
Safety Ins mitigation mitigates T0880 Loss of Saf technique Authenticateconnections
M0812 fromsoftware and devices to preven
Software Pmitigation mitigates T0800 Activate F technique To protect M0813
against MITM, authentication mechanisms should
Software Pmitigation mitigates T0830 Adversary-technique Devices shouldM0813 authenticate all messages between master an
Software Pmitigation mitigates T0806 Brute Forcetechnique M0813
Authenticateconnections fromsoftware and devices to preven
Software Pmitigation mitigates T0858 Change Optechnique Authenticate M0813
connections from software and devices to preve
Software Pmitigation mitigates T0868 Detect Opetechnique Authenticate M0813
connections from software and devices to preve
Software Pmitigation mitigates T0816 Device Restechnique Authenticateconnections
M0813 fromsoftware and devices to preven
Software Pmitigation mitigates T0838 Modify Alatechnique Authenticateconnections
M0813 fromsoftware and devices to preven
Software Pmitigation mitigates T0839 Module Fi technique Devices should
M0813 authenticate all messages between master an
Software Pmitigation mitigates T0861 Point & Tagtechnique AuthenticateM0813
connections from software and devices to preve
Software Pmitigation mitigates T0843 Program Dtechnique Authenticate M0813
connections from software and devices to preve
Software Pmitigation mitigates T0845 Program Utechnique All communication
M0813 sessions to remote services should be aut
Software Pmitigation mitigates T0886 Remote Sertechnique Devices should
M0813 authenticate all messages between master an
Software Pmitigation mitigates T0848 Rogue Mastechnique Devices shouldM0813 authenticate all messages between master an
Software Pmitigation mitigates T0856 Spoof Repotechnique Authenticateconnections
M0813 fromsoftware and devices to preven
Software Pmitigation mitigates T0857 System Fi technique Devices should
M0813 authenticate all messages between master an
Software Pmitigation mitigates T0855 Unauthori technique Ensure wireless
M0813 networks require the authentication of all de
Software Pmitigation mitigates T0860 Wireless technique Statically defined
M0813ARP entries can prevent manipulation and s
Static Net mitigation mitigates T0830 Adversary-technique Unauthorized M0814
connections can be prevented by statically defi
Static Net mitigation mitigates T0878 Alarm Supptechnique Unauthorized M0814
connections can be prevented by statically defi
Static Net mitigation mitigates T0803 Block Com technique Unauthorized M0814
connections can be prevented by statically defi
Static Net mitigation mitigates T0804 Block Repotechnique Statically defined
M0814ARP entries can prevent manipulation and s
Static Net mitigation mitigates T0842 Network Sntechnique ICS environments
M0814 typically have more statically defined devic
Static Net mitigation mitigates T0846 Remote Systechnique ICS environments
M0814 typically have more statically defined devic
Static Net mitigation mitigates T0888 Remote Systechnique A supply chain
M0814management program should include method
Supply Ch mitigation mitigates T0862 Supply Chatechnique Develop a robust
M0817cyber threat intelligence capability to deter
Threat Int mitigation mitigates T0820 Exploitatiotechnique Develop a robust
M0919cyber threat intelligence capability to deter
Threat Int mitigation mitigates T0890 Exploitatiotechnique Develop a robust
M0919cyber threat intelligence capability to deter
Threat Int mitigation mitigates T0866 Exploitatiotechnique Ensure all browsers
M0919 and plugins are kept updated to help pre
Update Sofmitigation mitigates T0817 Drive-by C technique Regularly scan
M0951externally facing systems for vulnerabilities an
Update Sofmitigation mitigates T0819 Exploit Pubtechnique Update software
M0951regularly by employing patch management
Update Sofmitigation mitigates T0820 Exploitatiotechnique Update software
M0951regularly by employing patch management
Update Sofmitigation mitigates T0890 Exploitatiotechnique Update software
M0951regularly by employing patch management
Update Sofmitigation mitigates T0866 Exploitatiotechnique A patch management
M0951 process should be implemented to che
Update Sofmitigation mitigates T0862 Supply Chatechnique Patch the BIOS
M0951 and EFI as necessary.
Update Sofmitigation mitigates T0857 System Fi technique Update software
M0951on control network assets when possible. If
Update Sofmitigation mitigates T0864 Transient technique Ensure users M0951
and user groups have appropriate permissions f
User Acco mitigation mitigates T0811 Data from technique Consider utilizing
M0918jump boxes for external remote access. Add
User Acco mitigation mitigates T0822 External R technique Limit privileges
M0918 of user accounts and groups so that only desig
User Acco mitigation mitigates T0838 Modify Alatechnique Limit the accounts
M0918 that may use remote services. Limit the pe
User Acco mitigation mitigates T0886 Remote Sertechnique Limit privileges
M0918 of user accounts and groups so that only auth
User Acco mitigation mitigates T0881 Service Stotechnique Ensure usersM0918
and user groups have appropriate permissions f
User Acco mitigation mitigates T0859 Valid Acco technique Develop and M0918
publish policies that define acceptable informati
User Trainimitigation mitigates T0811 Data from technique Users can be M0917
trained to identify social engineering techniques
User Trainimitigation mitigates T0865 Spearphishtechnique Use user training
M0917as a way to bring awareness to common ph
User Trainimitigation mitigates T0863 User Executechnique Regularly scan
M0917externally facing systems for vulnerabilities an
Vulnerabilimitigation mitigates T0819 Exploit Pubtechnique Regularly scan
M0916the internal network for available services to id
Vulnerabilimitigation mitigates T0866 Exploitatiotechnique ImplementM0916
continuous monitoring of vulnerability sources. A
Vulnerabilimitigation mitigates T0862 Supply Chatechnique M0916
System and process restarts should be performed when a tim
Watchdog mitigation mitigates T0814 Denial of Stechnique M0815
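The M0937 Filter Network Traffic rows above repeatedly call for "inline allowlisting of automation protocol commands", and the M0807 rows for host-based allowlists that stop devices from accepting connections from unexpected hosts. The following is an added example, not part of the ATT&CK for ICS table or of any MITRE tooling, showing what such a filter decides for Modbus/TCP: each frame is parsed into its MBAP header and PDU, the source host must be a known role, and the function code must be on that role's allowlist; the diagnostics sub-function that forces an outstation into listen-only mode is denied for everyone. The hosts, roles, policy and sample frames are constructed for the example; the function codes and frame layout follow the public Modbus specification.

```python
"""Inline allowlisting of Modbus/TCP function codes by source host.

Added example for the M0937 / M0807 rows; not part of the ATT&CK for ICS
table.  Policy, IP addresses and sample frames are constructed.
"""
import struct
from dataclasses import dataclass

MBAP_LEN = 7  # transaction id(2) protocol id(2) length(2) unit id(1)

# Public Modbus function codes used below.
FC_READ_COILS, FC_READ_DISCRETE, FC_READ_HOLDING, FC_READ_INPUT = 1, 2, 3, 4
FC_WRITE_COIL, FC_WRITE_REGISTER, FC_DIAGNOSTICS = 5, 6, 8
FC_WRITE_COILS, FC_WRITE_REGISTERS = 15, 16
DIAG_FORCE_LISTEN_ONLY = 0x0004  # diagnostics sub-function: takes the outstation off the bus

READ_ONLY = {FC_READ_COILS, FC_READ_DISCRETE, FC_READ_HOLDING, FC_READ_INPUT}
ENGINEERING = READ_ONLY | {FC_WRITE_COIL, FC_WRITE_REGISTER,
                           FC_WRITE_COILS, FC_WRITE_REGISTERS, FC_DIAGNOSTICS}

# Constructed policy: per-source allowlist of function codes.  A host that
# is not listed is denied outright (default deny, as the M0807 rows intend).
POLICY = {
    "10.0.0.5": {"role": "hmi", "allow": READ_ONLY},
    "10.0.0.9": {"role": "engineering", "allow": ENGINEERING},
}
# Diagnostic sub-functions nobody may send through the inline filter.
DENIED_DIAG_SUBFUNCTIONS = {DIAG_FORCE_LISTEN_ONLY}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request ADU; raise ValueError on anything malformed."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    fc = frame[MBAP_LEN]
    if fc & 0x80:
        raise ValueError("exception response seen on the request path")
    return ModbusRequest(tid, unit, fc, frame[MBAP_LEN + 1:])


def decide(src_ip: str, frame: bytes) -> tuple:
    """Return ("allow" | "deny", reason) for one frame from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("deny", f"malformed: {exc}")
    entry = POLICY.get(src_ip)
    if entry is None:
        return ("deny", f"unknown source {src_ip}")
    if req.function_code not in entry["allow"]:
        return ("deny", f"{entry['role']} may not send FC {req.function_code}")
    if req.function_code == FC_DIAGNOSTICS:
        if len(req.data) < 2:
            return ("deny", "diagnostics request without sub-function")
        sub = struct.unpack(">H", req.data[:2])[0]
        if sub in DENIED_DIAG_SUBFUNCTIONS:
            return ("deny", f"diagnostic sub-function 0x{sub:04x} is never allowed inline")
    return ("allow", f"{entry['role']} FC {req.function_code} to unit {req.unit_id}")


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request ADU (used only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source ip, frame).
SAMPLES = [
    ("10.0.0.5", build_request(1, 1, FC_READ_HOLDING, struct.pack(">HH", 0, 10))),        # HMI read
    ("10.0.0.5", build_request(2, 1, FC_WRITE_REGISTER, struct.pack(">HH", 40, 1))),      # HMI write
    ("10.0.0.9", build_request(3, 1, FC_WRITE_REGISTERS,
                               struct.pack(">HHB", 40, 1, 2) + b"\x00\x01")),             # engineering write
    ("10.0.0.9", build_request(4, 1, FC_DIAGNOSTICS,
                               struct.pack(">HH", DIAG_FORCE_LISTEN_ONLY, 0))),           # listen-only
    ("10.0.0.77", build_request(5, 1, FC_READ_COILS, struct.pack(">HH", 0, 8))),          # unknown host
    ("10.0.0.9", b"\x00\x06\x00\x00\x00\x05\x01\x03\x00\x00\x00\x01"),                    # length field lies
]


def run(samples=SAMPLES) -> list:
    """Verdict for each sample frame, in order."""
    return [decide(ip, frame)[0] for ip, frame in samples]


if __name__ == "__main__":
    for ip, frame in SAMPLES:
        print(ip, *decide(ip, frame))
```

The filter fails closed: a malformed frame, an unknown source and an unlisted function code are all dropped, and the listen-only diagnostic is refused even for the engineering role, because it is exactly the kind of "remote command that enables device shutdown" the M0942 rows say should be disabled. A production deployment would sit on a bridge or a TCP proxy and would also have to handle TCP segmentation (several ADUs per segment, or one split across two), which this example does not.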
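The M0802 Communication Authenticity and M0813 Software Process and Device Authentication rows ask that control protocols "provide authenticity through MAC functions or digital signatures" and that "devices should authenticate all messages between master and outstation", so that T0848 Rogue Master, T0856 Spoof Reporting Message and T0855 Unauthorized Command Message fail. The following is an added example, not part of the table or of any vendor protocol, of the minimum such a scheme needs at the application layer: a per-sender pre-shared key, an HMAC-SHA256 tag over a length-prefixed sender id, a monotonic sequence number and the payload, and a receiver that rejects unknown senders, bad tags and replays in that order. Device names, keys and message texts are constructed for the example.

```python
"""Application-layer message authentication for a control protocol.

Added example for the M0802 / M0813 rows; not part of the ATT&CK for ICS
table.  Keys, device names and message layout are constructed.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16  # HMAC-SHA256 truncated to 128 bits

# Constructed pre-shared keys, one per sending device.  In a real system
# these come from provisioning, never from the network itself.
KEYS = {
    b"master-1": bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"),
    b"rtu-7":    bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100"),
}


def _header(sender: bytes, seq: int, payload: bytes) -> bytes:
    """len(sender) || sender || seq (u64) || payload.  The length prefix stops
    an attacker from shifting bytes between the sender id and the payload."""
    return struct.pack(">B", len(sender)) + sender + struct.pack(">Q", seq) + payload


def seal(sender: bytes, seq: int, payload: bytes) -> bytes:
    """Produce header || payload || tag for one message from a known sender."""
    body = _header(sender, seq, payload)
    tag = hmac.new(KEYS[sender], body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Verifies the tag, then the sequence; remembers the last accepted seq per sender."""

    def __init__(self):
        self.last_seq = {}

    def open(self, msg: bytes) -> tuple:
        """Return (ok, sender, payload) on success or (False, sender, reason)."""
        if len(msg) < 1 + 8 + TAG_LEN:
            return (False, None, "too short")
        n = msg[0]
        sender = msg[1:1 + n]
        if len(msg) < 1 + n + 8 + TAG_LEN:
            return (False, sender, "too short")
        key = KEYS.get(sender)
        if key is None:
            return (False, sender, "unknown sender")   # rogue master / unknown outstation
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expect = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):      # constant-time comparison
            return (False, sender, "bad tag")         # spoofed or modified in transit
        seq = struct.unpack(">Q", body[1 + n:1 + n + 8])[0]
        if seq <= self.last_seq.get(sender, -1):
            return (False, sender, "replay")          # old command captured and resent
        self.last_seq[sender] = seq
        return (True, sender, body[1 + n + 8:])


def _verdict(result: tuple) -> str:
    ok, _sender, info = result
    return "ok" if ok else info


def demo() -> list:
    """Feed one receiver a valid command, its replay, a tampered command, a rogue
    master's command, a forged report and a fresh valid command; return verdicts."""
    rx = Receiver()
    out = []
    good = seal(b"master-1", 1, b"WRITE valve_12 OPEN")
    out.append(_verdict(rx.open(good)))                 # ok
    out.append(_verdict(rx.open(good)))                 # replay: same seq again
    tampered = bytearray(seal(b"master-1", 2, b"WRITE valve_12 OPEN"))
    i = tampered.find(b"OPEN")
    tampered[i:i + 4] = b"SHUT"                         # payload changed, tag not
    out.append(_verdict(rx.open(bytes(tampered))))      # bad tag
    rogue = _header(b"attacker", 1, b"WRITE valve_12 SHUT") + bytes(TAG_LEN)
    out.append(_verdict(rx.open(rogue)))                # unknown sender
    forged = _header(b"rtu-7", 5, b"REPORT level 50")   # spoofed report, wrong key
    forged += hmac.new(b"guessed-key", forged, hashlib.sha256).digest()[:TAG_LEN]
    out.append(_verdict(rx.open(forged)))               # bad tag
    out.append(_verdict(rx.open(seal(b"master-1", 2, b"WRITE valve_12 OPEN"))))  # ok
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two caveats a practitioner will want. First, a MAC with pre-shared keys gives authenticity and integrity but no confidentiality, so it does not replace the M0808 Encrypt Network Traffic rows where eavesdropping matters. Second, the sequence counter only works if both sides persist it across restarts; an outstation that reboots to seq 0 would accept every previously captured command again, which is why the receiver here keeps the last accepted value per sender rather than a window that resets.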
References (reference: URL)
A G Foord: https://www.icheme.org/media/9906/xviii-paper-23.pdf
Aditya K So…: https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/
Andy Green…: https://www.wired.com/story/iran-hackers-us-phishing-tensions/
Anton Cher…: https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-n…
Anton Cher…: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
Bastille Ap… (Bastille 20…): https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack
Ben Hunter: https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems
Blake John…: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-tri…
Booz Allen: https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-ligh…
Brubaker-Incontroller (Nathan Bru…): https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool
CISA June (CISA 2013): https://us-cert.cisa.gov/ncas/alerts/TA13-175A
CISA March (CISA 2010): https://us-cert.cisa.gov/ncas/tips/ST05-003
CISA-AA22… (DHS/CISA): https://www.cisa.gov/uscert/ncas/alerts/aa22-103a
Carl Hurd: https://www.youtube.com/watch?v=yuZazP22rpI
Catalin Ci…: https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nucle…
Chris Bing: https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/
Colin Gray: https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_2018072…
D. Parsons: https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-hav…
DHS Natio…: https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf
DHS CISA F… (DHS CISA 2…): https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%…
Daavid Hen…: https://www.f-secure.com/weblog/archives/00002718.html
Dan Goodin: https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-bro…
Daniel Kap…: https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disru…
Davey Wind…: https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cy…
David Vorea…: https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-…
Department …: https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident…
Department …: https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth…
Dragos D…: https://dragos.com/resource/dymalloy/
Dragos De… (Dragos 201…): https://dragos.com/blog/trisis/TRISIS-01.pdf
Dragos Inc.: https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Dragos Oct… (Dragos 201…): https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
Dragos Thr…: https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf
Dragos Thr…: https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/
Dragos-Pipedream (DRAGOS (2…)): https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en
Dwight Ande…: https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelistin…
ESET (ESET ACA…): https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_white…
ESET Indus… (Anton Cher…): https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
ESET Resea…: https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
Eduard Kov…: https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos
Eduard Kov…: https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-midd…
Electricity …: https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f006…
Emerson E…: https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-compu…
FireEye TR… (Blake Johns…): https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-tri…
Gardiner, J…: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
Hydro (Hydro Kevi…): https://www.hydro.com/en/media/on-the-agenda/cyber-attack/
ICS CERT S… (ICS CERT 2…): https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B
ICS-CERT A… (ICS-CERT 2…): https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01
ICS-CERT (ICS-CERT 2…): https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B
ICS-CERT (ICS-CERT 20…): https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02
ICS-CERT F… (ICS-CERT 20…): https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
ICS-CERT O… (ICS-CERT 20…): https://www.us-cert.gov/ncas/alerts/TA17-293A
IEC Februa… (IEC 2019, F…): https://webstore.iec.ch/publication/34421
Intel (Intel ESET): https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologie…
Jacqueline …: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.ht…
Jeff Jones: https://www.eisac.com/public-news-detail?id=115909
Joe Slowik: https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
Joe Slowik: https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf
John Hultq…: https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
Jos Wetzel…: https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware
Josh Rinald…: https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/
Julian Rrus…: https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf
Junnosuke …: https://www.symantec.com/security-center/writeup/2017-030708-4403-99
Karen Scarfone: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf
Keith Stouffer: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Kelly Jacks…: https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastati…
Kevin Beau…: https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aim…
Kevin Sava…: https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/20…
Kyle Wilhoi…: https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939
Langner N… (Langner 20…): https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/
M. RentschM. Rentschlhttps://ieeexplore.ieee.org/document/6505877
MDudek-ICMDudek-ICS https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library
MITRE Jun MITRE 2020 https://cwe.mitre.org/data/definitions/227.html
Marc-EtienMarc-Etienhttps://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
Max HeineMax Heinem https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/
McAfee LabMcAfee Labhttps://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-rans
McCarthy, M J cCarthy, https://doi.org/10.6028/NIST.SP.1800-2
J
Microsoft Microsoft https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/impleme
Microsoft Microsoft 2https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilege
Microsoft Microsoft 2https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive
Microsoft Microsoft https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
N/A N/A Departhttps://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf
National InNational Inhttps://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
National S National S https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/po
Nicolas FalNicolas Fal https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf
North AmerNorth Amerhttps://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf
Novetta ThNovetta Thhttps://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.p
OWASP OWASP Tohttps://owasp.org/www-project-top-ten/
Orkhan Mam Orkhan Mam https://securelist.com/bad-rabbit-ransomware/82851/
Pinellas CoPinellas Cohttps://www.youtube.com/watch?v=MkXDSOgLQ6M
Ralph Lan Ralph Langn https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
Robert A. Robert A. https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-com
Robert Fal Robert Fal https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-delive
Schneider ESchneider Ehttps://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2
SchweitzerSchweitzerhttps://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?
SecureWorSecureWork https://www.secureworks.com/research/revil-sodinokibi-ransomware
Selena Lar Selena Lar https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Envir
SpennebergSpenneberg, https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Sole
Symantec Symantec https://docs.broadcom.com/doc/w32-duqu-11-en
Symantec JSymantec 2https://support.symantec.com/us/en/article.tech93179.html
Symantec Symantec 20 https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
Symantec SSymantec Shttps://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20a
The Office The Office https://www.nrc.gov/docs/ML1209/ML120900890.pdf
Tom Fakte Tom Fakterhttps://www.cybereason.com/blog/the-sodinokibi-ransomware-attack
UNITED STUNITED STA https://www.justice.gov/opa/press-release/file/1328521/download
Wikipedia Wikipedia https://en.wikipedia.org/wiki/Control-flow_integrity
William La William Larhttps://blog.talosintelligence.com/2018/06/vpnfilter-update.html
Wylie-22 Jimmy Wylie https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%2
Zetter, Ki Zetter, Ki https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
Bonnie ZhuBonnie Zhuhttp://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
Electricity Electricity https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f006
Enterprise Enterprise https://attack.mitre.org/techniques/T1489/
Marshall AMarshall A https://web.archive.org/web/20200802103218/https://www.mitre.org/sites/default/files/pdf/08_1145.
IEC FebruaIEC 2013, https://webstore.iec.ch/publication/4552
Bastille Ap Bastille 20 https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack
Candell, R.Candell, R. https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-4.pdf
Gallagher, Gallagher, https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof
Corero Corero In https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf
Michael J. Michael J. https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
Tyson MacTyson Macau https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulati
Bruce SchnBruce Schnhttps://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html
John Bill John Bill https://www.londonreconnections.com/2017/hacked-cyber-security-railways/
Shelley SmShelley Smihttps://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/
Common We Common Wea http://cwe.mitre.org/data/definitions/400.html
ICS-CERT AICS-CERT 20https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A
ICS-CERT AICS-CERT 20https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01
MITRE MarMITRE 2018 https://nvd.nist.gov/vuln/detail/CVE-2015-5374
Enterprise Enterprise https://attack.mitre.org/wiki/Technique/T1059
Dennis L. Dennis L. https://www.radioworld.com/industry/understanding-plc-programming-methods-and-the-tag-database
Booz Allen Booz Allen https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-ligh
Daavid HenDaavid Henhttps://www.f-secure.com/weblog/archives/00002718.html
CISA AA21-Department https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Ca
Alexander Alexander https://www.slideshare.net/dgpeters/17-bolshev-1-13
Alexander Alexander https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-T
Machine InMachine Inhttp://www.machine-information-systems.com/How_PLCs_Work.html
N.A. OctobN.A. 2017, https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489
Omron Omron Mach https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20m
PLCgurus 2PLCgurus 2https://www.plcgurus.net/plc-basics/
Jos WetzelsJos Wetzelshttps://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf
CybersecurCybersecurihttps://us-cert.cisa.gov/ncas/alerts/TA18-074A
North AmeriNorth Ameri https://www.nerc.com/files/glossary_of_terms.pdf
Dr. Kelvin Dr. Kelvin https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable
NanjundaiaNanjundaiahttps://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm
Benjamin FBenjamin Frhttps://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/
Zack WhittZack Whittahttps://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/
SpennebergSpenneberghttps://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Sole
Control Gl Control Gl https://www.controlglobal.com/industrynews/2019/yokogawa-announcement-warns-of-counterfeit-tra
Colonial P Colonial P https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption
Lion CorpoLion Corporhttps://lionco.com/2020/06/26/lion-update-re-cyber-issue/
Paganini, PPaganini, Phttps://securityaffairs.co/wordpress/104749/cyber-crime/ransomware-attack-hit-lion.html
Enterprise Enterprise https://attack.mitre.org/techniques/T1193/
BSI State oBundesamthttps://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situ
f
Joe Slowik Joe Slowik https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
Keith Stou Keith Stoufhttps://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Daniel OaklDaniel Oaklhttps://attack.mitre.org/wiki/Technique/T1133
Gabriel Sa Gabriel Sa https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated
Nicolas FalNicolas Fal https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf
The MITREThe MITREhttps://attack.mitre.org/techniques/T1106/
Mark ThomMark Thomp https://time.com/4270728/iran-cyber-attack-dam-fbi/
Danny YadDanny Yadrhttps://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559
Basnight, ZBasnight, Zhttp://www.sciencedirect.com/science/article/pii/S1874548213000231
BBC April BBC 2016, https://www.bbc.com/news/technology-36158606
Catalin Ci Catalin Ci https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nucle
Christoph SChristoph Shttps://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-
Dark ReadinDark Readihttps://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/13
ESET April ESET 2016,https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/
KernkraftwKernkraftwhttps://www.kkw-gundremmingen.de/presse.php?id=571
Lee Mathew Lee Mathews https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415
Peter DockrPeter Dockrhttps://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear
Sean GallagSean Galla https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swar
Trend MicrTrend Micrhttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nu
ICS-CERT OICS-CERT 20https://www.us-cert.gov/ncas/alerts/TA17-293A
The MITREThe MITREhttps://attack.mitre.org/techniques/T1068/
C
Blake JohnBlake John https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-tri
Dragos De Dragos 201https://dragos.com/blog/trisis/TRISIS-01.pdf
Mark LovelMark Lovelhttps://duo.com/decipher/the-dallas-county-siren-hack
Beckhoff Beckhoff https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785
PLCdev PLCdev Nichttp://www.plcdev.com/book/export/html/373
MITRE MITRE Sy https://attack.mitre.org/wiki/Technique/T1049
Netstat Wikipedia. https://en.wikipedia.org/wiki/Netstat
Daniel PeckDaniel Peckhttps://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_fie
NCCIC JanuNCCIC 2014, https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf
Stephen HilStephen Hihttps://documents.trendmicro.com/assets/white_papers/wp-caught-in-the-act-running-a-realistic-facto
etails-2015-attacks-ukrainian-news-media-electric-industry/
dustroyer.pdf
ting-ot-ics-systems
-new-ics-attack-framework-triton.html
/ukraine-report-when-the-lights-went-out.pdf
are-shuts-down-german-nuclear-power-plant-503429.shtml
s/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901
cs-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/
10july2019.pdf
%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf
pes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
inst-machine-learning-to-disrupt-industrial-production.html
apanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad
ck-s-1-3-billion-question-was-it-an-act-of-war
RP_ics_cybersecurity_incident_response_100609.pdf
_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
pective-2019.pdf
operations/
2b.pdf?hsLang=en
astructure-systems-whitelisting-35312
/ESET_ACAD_Medre_A_whitepaper.pdf
dustroyer.pdf
argeting-ics-networks-in-middle-east-and-uk/
6749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf
pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot
-new-ics-attack-framework-triton.html
e-papers/security-technologies-4th-gen-core-retail-paper.pdf
to-iranian-cyber-espionage.html
-ics-environments/
dworm-team.html
ndustrial-malware
m-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760
-used-in-targeted-attacks-aimed-at-big-business-c666551f5880
m/security-center/writeup/2012-052811-0308-99
-discovery-game/
compiled_code/library
bi-ransomware-attack/
yzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us
curity-best-practices/implementing-least-privilege-administrative-models
eged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach
curity-best-practices/attractive-accounts-for-credential-theft
dows-defender-exploit-guard/
or-Process-Control.pdf
industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm
xnet-Update-Feb-2011.pdf
ient-cyber-asset-guidance.pdf
eration-Blockbuster-Report.pdf
usting-our-supply-chains-a-comprehensive-data-driven-approach.pdf
i-arabian-organizations-deliver-helminth-backdoor/
O1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s
es/AN2015-08_20150817.pdf?
ds/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf?utm_referrer=https%3A%2F%2Fwww.dragos.com%2Fresource%2Fra
LC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf
gy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries.
entations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf
aines-power-grid/
6749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf
es/default/files/pdf/08_1145.pdf
k-used-radio-signals-to-spoof-alarm-says-city-manager/
ystem-cyber-kill-chain-36297
49&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved
methods-and-the-tag-database-system
/ukraine-report-when-the-lights-went-out.pdf
se_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf
r-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf
in-plc/2489
~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified.
oisoned_fruit.pdf
010/december/programmable-logic-controller-hardware/
r-being-hacked-and-set-off/
gency-sirens-were-hacked/
LC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf
ment-warns-of-counterfeit-transmitters/
pipeline-system-disruption
ack-hit-lion.html
curitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3
-ics-environments/
attack-modbus-tcp-illustrated-wireshark-38095
xnet-Update-Feb-2011.pdf
n-2013-1450662559
are-shuts-down-german-nuclear-power-plant-503429.shtml
n-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS
ected-with-malware/d/d-id/1325298
clear-power-plant/
nficker-other-viruses-1653415/
overed-in-this-german-nuclear-plant
r-plants-fuel-rod-system-swarming-with-old-malware/
are-discovered-in-german-nuclear-power-plant
-new-ics-attack-framework-triton.html
ourcecontrol/18014398915785483.html&id=
net_card_vulnerabilities_in_field_devices
an-April2014.pdf
e-act-running-a-realistic-factory-honeypot-to-capture-real-threats.pdf
gn-approach
ragos.com%2Fresource%2Fransomware-in-ics-environments%2F
%20countries.
S%20attack%20toolkit.pdf
pyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipula
q=loss%20denial%20manipulation%20of%20view&f=false