How do access controls secure ICS devices?
Many ICS devices, especially older ones, were not built with authentication at all. Access control is therefore the first line of defence against intrusion.
Access Management (M0801) enforces identity checks through gateways or inline security systems, even when devices cannot authenticate users themselves.
Two key protections apply:
Human User Authentication (M0804) requires a person to authenticate before privileged actions such as entering firmware update mode (ICS T0800), changing operating mode (ICS T0858), or modifying parameters (ICS T0836).
Software Process and Device Authentication (M0813) prevents spoofed devices or unauthorized applications from interacting with ICS components.
This ensures that only trusted users and systems can issue control commands.
How is network traffic controlled in ICS?
ICS security depends heavily on network design.
MITRE recommends segmentation to isolate enterprise IT from control environments (Network Segmentation – M0930), combined with protocol-level inspection (Filter Network Traffic – M0937) that blocks unauthorized operations such as device restarts and shutdowns (ICS T0816) or reprogramming.
For critical systems, Network Allowlists (M0807) restrict endpoints so equipment communicates only with approved servers or control stations. Together, these controls limit both exposure and lateral movement.
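The access-control and traffic-filtering mitigations above converge at the gateway: it knows which host is talking (the network allowlist, M0807, and identity enforcement on behalf of devices that cannot authenticate, M0801) and what the host is asking the controller to do (protocol inspection, M0937). The following is an added example, not code from MITRE or the ATT&CK for ICS framework, of a protocol-aware Modbus/TCP filter that combines the two. The host addresses, the role-to-function-code policy and the sample frames are constructed for illustration; the Modbus framing (MBAP header, function codes, diagnostics sub-function 0x0001 Restart Communications Option) follows the public specification.

```python
"""Protocol-aware allowlist for Modbus/TCP at an ICS gateway (added example).

Hosts, roles and sample traffic below are hypothetical. Default deny: an unknown
source, a malformed frame, or a function code outside the source's role is dropped.
"""
import struct
from typing import Dict, List, Tuple

# Public Modbus function codes.
READ_FUNCS = {0x01, 0x02, 0x03, 0x04}     # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10}    # write single or multiple coils / registers
DIAGNOSTICS = 0x08                        # FC 8; sub-function 0x0001 restarts the device's comms
RESTART_COMMS = 0x0001                    # a device-restart action (ICS T0816)

# Network allowlist (M0807): only these sources may reach the controller at all.
# Per-source policy (M0801/M0937): the source's role decides which operations pass.
POLICY: Dict[str, dict] = {
    "10.1.20.5": {"role": "hmi", "functions": READ_FUNCS},                         # hypothetical
    "10.1.20.9": {"role": "engineering", "functions": READ_FUNCS | WRITE_FUNCS},   # hypothetical
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the PDU function code; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError(f"length field {length} does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def filter_frame(src_ip: str, frame: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request frame from src_ip."""
    entry = POLICY.get(src_ip)
    if entry is None:
        return False, f"{src_ip} not on network allowlist"
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as exc:
        return False, f"malformed frame from {src_ip}: {exc}"
    fc = pdu["function"]
    if fc == DIAGNOSTICS and len(pdu["data"]) >= 2:
        sub = struct.unpack(">H", pdu["data"][:2])[0]
        if sub == RESTART_COMMS:
            return False, f"{entry['role']} at {src_ip} attempted Restart Communications (FC 8/0x0001)"
    if fc not in entry["functions"]:
        return False, f"{entry['role']} at {src_ip} is not permitted function 0x{fc:02X}"
    return True, f"{entry['role']} function 0x{fc:02X} to unit {pdu['unit']}"


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Build a Modbus/TCP ADU; used only to construct the sample traffic below."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic.
SAMPLES: List[Tuple[str, bytes]] = [
    ("10.1.20.5", build_frame(1, 1, 0x03, struct.pack(">HH", 0x0000, 10))),     # HMI reads 10 registers
    ("10.1.20.5", build_frame(2, 1, 0x06, struct.pack(">HH", 0x0010, 500))),    # HMI tries to write a setpoint
    ("10.1.20.9", build_frame(3, 1, 0x06, struct.pack(">HH", 0x0010, 500))),    # engineering writes a setpoint
    ("10.1.20.9", build_frame(4, 1, 0x08, struct.pack(">HH", 0x0001, 0))),      # engineering restart request
    ("10.1.30.77", build_frame(5, 1, 0x03, struct.pack(">HH", 0x0000, 1))),     # host not on allowlist
    ("10.1.20.5", b"\x00\x06\x00\x00\x00"),                                      # truncated frame
]


def run_samples() -> List[Tuple[bool, str]]:
    return [filter_frame(src, frame) for src, frame in SAMPLES]


if __name__ == "__main__":
    for (src, _), (ok, why) in zip(SAMPLES, run_samples()):
        print("ALLOW" if ok else "DENY ", src, why)
```

The point of the per-role table is that a read-only HMI and an engineering workstation sit on the same segment yet get different write rights, and a restart request is refused regardless of who sends it. A real deployment would also track Modbus transaction IDs and rate-limit writes, which this example omits.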
How does MITRE recommend protecting firmware and software?
You cannot assume that running software is trustworthy. Integrity must be continuously validated.
MITRE recommends:
Continuous integrity checks of devices and configurations (Audit – M0947)
Verification that only signed firmware and programs execute (Code Signing – M0945, ICS T0839 and T0857)
Hardware-based validation during startup to ensure the system boots from a trusted state (Boot Integrity – M0946)
These controls detect compromise early, before operations are affected.
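The first item in that list, continuous integrity checks of device configurations (Audit – M0947), is the one most sites can implement immediately with the data they already export from engineering workstations. The following is an added example, not MITRE's code, of a baseline-and-compare audit over a controller's logic, setpoint file and firmware image. The file names, the golden snapshot and the later snapshot are constructed; in practice the snapshot would be a project export or a read-back from the device. The firmware check is a digest allowlist, which stands in for the public-key signature verification that Code Signing (M0945) would perform.

```python
"""Baseline integrity audit of controller configuration and firmware (added example).

Paths, contents and the drift introduced in the later snapshot are constructed.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed golden snapshot, taken after commissioning and signed off by engineering.
GOLDEN_FILES: Dict[str, bytes] = {
    "plc01/ladder/main.awl": b"NETWORK 1\n  A I0.0\n  = Q0.0\n",
    "plc01/config/setpoints.csv": b"tag,value\nTT101_HIGH,85.0\n",
    "plc01/firmware.bin": b"\x7fFW\x00" + b"\x00" * 60,
}
BASELINE: Dict[str, str] = {path: sha256_hex(data) for path, data in GOLDEN_FILES.items()}

# Digests of firmware images approved for execution (hypothetical allowlist).
APPROVED_FIRMWARE = {BASELINE["plc01/firmware.bin"]}


def audit(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare a current snapshot with the baseline; return sorted (finding, path) pairs.

    Findings are 'missing' (baseline file gone), 'modified' (digest differs) and
    'unexpected' (file present that the baseline never contained). Empty list means clean.
    """
    findings: List[Tuple[str, str]] = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append(("missing", path))
        elif sha256_hex(current[path]) != expected:
            findings.append(("modified", path))
    for path in current:
        if path not in baseline:
            findings.append(("unexpected", path))
    return sorted(findings)


def firmware_approved(image: bytes) -> bool:
    """True only if the image digest is on the approved list; any changed byte fails."""
    return sha256_hex(image) in APPROVED_FIRMWARE


# Constructed later snapshot: a setpoint was raised and an unexplained logic block appeared.
CURRENT_FILES: Dict[str, bytes] = dict(GOLDEN_FILES)
CURRENT_FILES["plc01/config/setpoints.csv"] = b"tag,value\nTT101_HIGH,120.0\n"
CURRENT_FILES["plc01/ladder/ob_hidden.awl"] = b"NETWORK 1\n  SET\n  = Q0.7\n"


def run_audit() -> List[Tuple[str, str]]:
    return audit(BASELINE, CURRENT_FILES)


if __name__ == "__main__":
    for finding, path in run_audit():
        print(f"{finding:10} {path}")
    print("firmware approved:", firmware_approved(CURRENT_FILES["plc01/firmware.bin"]))
```

Scheduling this comparison after every engineering change, and alerting on any finding that has no matching change record, is what turns a one-off hash check into the continuous audit the mitigation describes.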
How do you maintain availability during an attack?
In industrial environments, security only matters if operations continue safely.
MITRE emphasizes redundancy through backup systems and hot-standby capability (Redundancy of Service – M0811), supported by tested recovery procedures (Data Backup – M0953).
Outages must not break visibility or control. That is why an Out-of-Band Communications Channel (M0810) provides a trusted fallback path, while Safety Instrumented Systems (M0812) contain the physical impact if core systems fail (ICS T0879 and T0880).
How are exploits and malware blocked?
MITRE focuses on execution control rather than detection alone.
Execution Prevention (M0938) stops unauthorized code from running. Exploit Protection (M0950) detects and blocks conditions that indicate a software exploit in progress. Where operations allow it, Antivirus/Antimalware (M0949) adds a further layer.
Finally, Restrict Web-Based Content (M0921) closes common entry points by limiting access to unsafe websites, scripts, and files. This reduces exposure to drive-by compromise (ICS T0817) and spearphishing attachments (ICS T0865).
Why does this framework matter?
MITRE ATT&CK for ICS is not theory. It tells you where to invest.
You gain visibility, structural resilience, and control. You replace emergency response with engineering discipline.
This is how OT security matures.