MITRE ATT&CK for ICS is one of the best free resources in OT security. It's also one of the most underused, because too many facilities treat it as a checklist rather than a threat modeling tool.
Used well, the ICS matrix is a shared vocabulary — a way for plant engineers, security teams, and executives to talk about attacker behavior without a translation layer. Used poorly, it becomes a spreadsheet that nobody reads.
What the ICS matrix is
ATT&CK for ICS is a knowledge base of attacker tactics and techniques specifically observed in industrial environments. It complements the main ATT&CK matrix (which is IT-focused) with OT-specific tactics like Impair Process Control, Inhibit Response Function, and Impact.
Each technique is documented with observed adversary groups, example procedures, and mitigations. For OT, this is the closest thing we have to a living, public threat library.
How to use it without turning it into a checklist
Step 1: Identify the techniques that matter for your environment
You will not defend against every technique equally. For a hydropower operator, the techniques around firmware manipulation of specific turbine controllers matter more than they do for a cold storage logistics facility. For a data center, techniques involving engineering workstation compromise and historian manipulation are particularly relevant.
Start by identifying your 20–30 most-relevant techniques. Not 150. Twenty to thirty.
Step 2: Map your existing defenses
For each relevant technique, ask three questions:
- What control do we have that would prevent this?
- What control do we have that would detect this?
- What control do we have that would limit impact if this succeeded?
Write the answers. "Nothing" is a valid answer and often the most important one.
Step 3: Prioritize the gaps
Rank unaddressed techniques by a combination of likelihood (in your environment, against your adversaries) and impact (to production, safety, or data integrity). Address the top 5 first. The bottom 15 can wait, or you can accept them as residual risk.
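The mapping in Step 2 and the ranking in Step 3 are easier to keep honest when the answers live in a structure rather than a spreadsheet nobody reads. The script below is an added example for this article, not a MITRE tool or the practice's own method: it records the three Step 2 answers per technique, treats an empty answer as "nothing", and ranks techniques by likelihood times impact scaled by how much of the three-question coverage is missing. The technique list, control names and 1-5 scores are constructed sample data for a hypothetical plant; T0849 is the ID the article cites, and the other IDs are quoted from the ICS matrix as this example's author knows it and should be checked against attack.mitre.org before reuse. The gap formula is an assumption, chosen only to make "nothing" answers rise to the top.

```python
"""Map ATT&CK for ICS techniques to the controls a site already has, then rank the gaps.

Added example for this article, not a MITRE tool or the authors' method. The
technique list, control names and 1-5 scores are constructed sample data for a
hypothetical plant, and the gap formula (likelihood x impact x missing coverage)
is an assumption chosen to mirror the three questions in Step 2.
"""
from dataclasses import dataclass, field


@dataclass
class TechniqueAssessment:
    technique_id: str                 # ATT&CK for ICS ID, e.g. "T0849"
    name: str
    likelihood: int                   # 1 (unlikely here) .. 5 (expected)
    impact: int                       # 1 (nuisance) .. 5 (safety or production loss)
    prevent: list = field(default_factory=list)   # controls that would block it
    detect: list = field(default_factory=list)    # controls that would see it happening
    limit: list = field(default_factory=list)     # controls that cap the damage

    def unanswered(self) -> list:
        """The Step 2 questions whose honest answer is 'nothing'."""
        return [q for q, controls in (("prevent", self.prevent),
                                      ("detect", self.detect),
                                      ("limit", self.limit)) if not controls]

    def coverage(self) -> float:
        """Share of the three questions with at least one named control (0.0 .. 1.0)."""
        return (3 - len(self.unanswered())) / 3

    def gap_score(self) -> float:
        """Risk left unaddressed: likelihood * impact, scaled by the uncovered share."""
        return self.likelihood * self.impact * (1 - self.coverage())


def rank_gaps(assessments):
    """Highest residual-risk technique first (Step 3)."""
    return sorted(assessments, key=lambda a: a.gap_score(), reverse=True)


def top_priorities(assessments, n=5):
    """IDs of the techniques to address first; fully covered ones never make the list."""
    return [a.technique_id for a in rank_gaps(assessments) if a.gap_score() > 0][:n]


def coverage_table(assessments):
    """One row per technique: ID, name, coverage %, and the unanswered questions."""
    rows = []
    for a in assessments:
        rows.append((a.technique_id, a.name, round(100 * a.coverage()),
                     ", ".join(a.unanswered()) or "-"))
    return rows


# Constructed sample assessment for a hypothetical site. T0849 is the technique the
# article cites; the other IDs are taken from the ICS matrix as the author of this
# example knows it and should be checked against attack.mitre.org before reuse.
SAMPLE = [
    TechniqueAssessment("T0849", "Masquerading", likelihood=3, impact=4,
                        prevent=["application allowlisting on HMIs"],
                        limit=["HMI rebuild from golden image"]),
    TechniqueAssessment("T0855", "Unauthorized Command Message", likelihood=4, impact=5,
                        limit=["safety instrumented system trips on out-of-range setpoint"]),
    TechniqueAssessment("T0857", "System Firmware", likelihood=2, impact=5),
    TechniqueAssessment("T0886", "Remote Services", likelihood=4, impact=3,
                        prevent=["jump host with MFA in the DMZ"],
                        detect=["remote-access logs forwarded to the SIEM"],
                        limit=["firewall zone rules between DMZ and control network"]),
]

if __name__ == "__main__":
    for tid, name, pct, missing in coverage_table(SAMPLE):
        print(f"{tid} {name:<30} coverage {pct:>3}%  missing: {missing}")
    print("address first:", top_priorities(SAMPLE))
```

Run as a script it prints the coverage table and the ordered "address first" list. Note what the ranking does with the sample: the firmware technique has a lower likelihood than Masquerading but no controls at all, so it outranks it, which is the point of writing "nothing" down rather than leaving the cell blank.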
Step 4: Run detection engineering against the prioritized list
Once prevention is in place, build detection. For each prioritized technique, what log, packet, or sensor would show you the technique was in progress? This is where OT detection differs from IT detection — you are often looking at protocol anomalies in Modbus or DNP3 traffic, not at endpoint logs.
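To make the "what packet would show you" question concrete, here is an added example of the kind of protocol-level check that step produces; it is not code from this article or from any vendor's sensor. It parses the Modbus/TCP MBAP header and function code, ignores routine reads, and raises an alert when a write function code arrives from a host that is not on the site's approved-writer list, or when a frame is malformed. The frames are constructed sample traffic, the approved-writer addresses are a hypothetical site policy, and in a real deployment the payloads would come from a span-port capture rather than an inline list.

```python
"""Flag Modbus/TCP write commands issued by hosts that are not approved to write.

Added example for this article, not the authors' code or any vendor's sensor.
The frames are constructed sample traffic, the approved-writer list is a
hypothetical site policy, and only the MBAP header plus function code are
parsed; in production the payloads would come from a span-port capture.
"""
import struct

# Function codes that change controller state. Reads (0x01-0x04) are deliberately
# absent: polling is normal SCADA behaviour and would only produce noise.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Hypothetical policy: only the engineering workstation and the SCADA server may write.
APPROVED_WRITERS = {"10.20.1.10", "10.20.1.20"}


def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header and the function code of a Modbus/TCP request.

    Returns None for malformed frames: too short, non-zero protocol identifier,
    or an MBAP length field that disagrees with the bytes actually present.
    """
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:            # Modbus/TCP always carries protocol id 0
        return None
    if length != len(payload) - 6:  # length covers unit id + PDU, not the first 6 bytes
        return None
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": payload[7],
        "data": payload[8:],
    }


def inspect_request(src_ip: str, dst_ip: str, payload: bytes):
    """Return an alert dict for a malformed frame or an unapproved write, else None."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return {"severity": "medium", "reason": "malformed Modbus/TCP frame",
                "src": src_ip, "dst": dst_ip}
    fc = frame["function_code"]
    if fc & 0x80:                    # exception responses flow PLC -> client; not a command
        return None
    if fc in WRITE_FUNCTION_CODES and src_ip not in APPROVED_WRITERS:
        return {"severity": "high",
                "reason": f"{WRITE_FUNCTION_CODES[fc]} (0x{fc:02x}) from unapproved writer",
                "src": src_ip, "dst": dst_ip,
                "unit_id": frame["unit_id"], "data": frame["data"].hex()}
    return None


def scan(flows):
    """Run inspect_request() over (src, dst, payload) tuples and collect the alerts."""
    return [a for a in (inspect_request(*f) for f in flows) if a is not None]


# Constructed sample traffic: one read poll from the SCADA server, one write from the
# engineering workstation, one write from an unknown host on the plant network, and
# one frame with a bad protocol identifier.
SAMPLE_FLOWS = [
    ("10.20.1.20", "10.20.3.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("10.20.1.10", "10.20.3.5", bytes.fromhex("0002 0000 000b 01 10 0000 0002 04 0001 0002")),
    ("10.20.5.77", "10.20.3.5", bytes.fromhex("0003 0000 0006 01 06 0010 1234")),
    ("10.20.5.77", "10.20.3.5", bytes.fromhex("0004 0001 0006 01 06 0010 1234")),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

The approved-writer check is the detection logic that an endpoint log cannot give you: the PLC will happily accept a well-formed write from any host, so the only place the anomaly is visible is on the wire. Keeping reads out of the rule is a deliberate design choice; a rule that fires on every poll will be tuned off within a week.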
Step 5: Exercise
Tabletop or live-drill against specific techniques. "An attacker has used T0849 (Masquerading) to replace our HMI executable. Walk me through how you would notice." Concrete scenarios produce better defenses than abstract ones.
Common mistakes
- Checking boxes without evidence. "We are covered on T0823" means nothing if there is no control or detection to point at.
- Trying to cover everything. Focus matters. 20 well-understood techniques beat 120 half-understood ones.
- Ignoring adversary group context. Not every technique is used by every actor. The groups relevant to Pacific Northwest industrials are not identical to the groups relevant to Middle Eastern oil and gas.
- Letting the matrix substitute for a risk assessment. ATT&CK tells you what attackers do. It does not tell you which attackers are likely to target you.
Where to start, this week
If you have never used the ICS matrix, do this:
- Visit attack.mitre.org/matrices/ics
- Pick one tactic column (Initial Access is a good starting point)
- Read every technique in that column
- For each, ask "could this work here, and what would we see if it did?"
- Write down three techniques you are not comfortable defending against
That 90-minute exercise produces more usable threat-modeling output than most expensive consulting engagements — and it's something plant security teams can do themselves.
If you would like facilitation or a structured workshop around ATT&CK for ICS at your facility, we run them.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.