Ben Is Helpful

MITRE Att&ck for ICS: Man-in-the-Middle Attacks

Benjamin Burke
17 March, 2020 2 Min read

About MITRE Att&ck for Industrial Control Systems (ICS)



MITRE Att&ck, which stands for Adversarial Tactics, Techniques and Common Knowledge, is a knowledge base of adversary tactics and techniques that helps inform the cybersecurity industry. MITRE recently released an Att&ck knowledge base specifically designed for industrial control systems (ICS). ICS are found in industries such as electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and various manufacturing sectors. These systems enable the regular automation of key processes that everyone relies on, and any compromise of their operation could impact the health and safety of humans.

According to the MITRE Att&ck document, adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:

• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
• Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have broad negative effects.
• ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.
• Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
• Interference with the operation of safety systems, which could endanger human life.


Next in this blog series, we will address Man-in-the-Middle attacks. The aim is to help you understand the MITRE Att&ck walk-through and its mitigation techniques, as well as offer our own insight.

Man-in-the-Middle Attacks (T830)

How It’s Done:

Man-in-the-Middle (MITM) attacks occur when adversaries with privileged network access intercept traffic to and/or from a device on a given network and modify it in real time. Depending on the desired effect, these attacks may be intended to alter traffic traveling between two endpoints, collect sensitive information, eavesdrop, etc. This attack is typically executed via Address Resolution Protocol (ARP) poisoning and the use of a proxy. By launching such an attack, an adversary gains the ability to block, log, modify, or inject traffic into the communication stream.

For example, HEXANE’s attack on telecommunications providers in the Middle East, Central Asia and Africa is thought to be a part of network-focused man-in-the-middle and other similar attacks.
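From the defender's side, the ARP poisoning described above shows up as IP-to-MAC bindings that change, flip back and forth, or collapse onto a single MAC address. The following is an added example, not code from MITRE or Dispel; the log format, the addresses and the `INVENTORY` table are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: observed ARP replies as "epoch_seconds sender_ip sender_mac".
SAMPLE = """\
1000 10.0.5.1 00:11:22:aa:bb:01
1001 10.0.5.20 00:11:22:aa:bb:20
1002 10.0.5.30 00:11:22:aa:bb:30
1060 10.0.5.1 de:ad:be:ef:00:99
1060 10.0.5.20 de:ad:be:ef:00:99
1061 10.0.5.1 00:11:22:aa:bb:01
"""

# Assumed asset inventory (ICS networks are largely static): IP -> expected MAC.
INVENTORY = {"10.0.5.1": "00:11:22:aa:bb:01", "10.0.5.20": "00:11:22:aa:bb:20"}

def parse(text):
    """Yield (timestamp, ip, mac) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2].lower()

def detect(observations, inventory=None):
    """Return alerts as (timestamp, kind, ip, mac) tuples."""
    inventory = inventory or {}
    last_mac = {}                    # ip -> MAC most recently seen for it
    ips_by_mac = defaultdict(set)    # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in observations:
        expected = inventory.get(ip)
        if expected and mac != expected:
            # A pinned device is being answered for by an unknown MAC.
            alerts.append((ts, "inventory_mismatch", ip, mac))
        elif ip in last_mac and last_mac[ip] != mac:
            # Binding moved; repeated flips between two MACs suggest poisoning.
            alerts.append((ts, "binding_changed", ip, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == 2:
            # One MAC answering for several IPs; alert once per MAC.
            # Proxy ARP or multi-homed hosts can trigger this legitimately.
            alerts.append((ts, "mac_claims_multiple_ips", ip, mac))
        last_mac[ip] = mac
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE), INVENTORY):
        print(alert)
```
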

Recommended Mitigation Techniques:

  • Encryption: Encrypt wireless device communications, perhaps with OSI Layer 2 encryption.
    • All communication through Dispel’s networks is secured with two layers of AES-256.
  • Password lockout policies can be enforced, but take care to balance this with operational needs, which might result in a few failed login attempts in stressful situations.
    • Dispel comes with default password lockout. This is configurable by an Administrator, and backup systems ensure that operational needs can still be met.
  • Challenge/Response authentication: Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has.
  • Limit access: Restrict access to control room(s), portable devices, and removable media.
    • Dispel Virtual Desktops are configurable to restrict access, removable media, and actions performed on systems.
  • Avoid certain media: Avoid unauthorized and suspicious media.
    • Routing traffic through Dispel Virtual Desktops ensures that all access to the target network is done with fresh computers, and that all unauthorized media is blocked.
  • Separate ICS and IT network cables: Ensure ICS and IT network cables are kept separate and that devices are locked up when possible.
    • Dispel cannot ensure the physical locking of network cables, but its Wicket-Enclave systems can ensure that access to ICS and IT networks is completely separate and segmented.
  • Use VPNs: Employ VPNs to provide secure access from an untrusted network to the ICS control network/restrict access to and from host computers.
    • Dispel’s Wicket-Enclave system provides secure access, and Dispel Virtual Desktops ensure that untrusted computers cannot directly access ICS networks.
  • Intrusion Detection: An Intrusion Detection System (IDS) could help detect a man-in-the-middle attack.
    • Dispel integrates with existing intrusion detection systems to provide traffic logs for analysis.
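
The challenge/response item in the list above can be illustrated with an HMAC over a one-time server nonce: the secret never crosses the wire, and a captured response is useless against any later challenge. This is an added example, not Dispel's or MITRE's implementation; the `Verifier` class, the `operator1` account and the in-memory key store are hypothetical.

```python
import hashlib
import hmac
import secrets

class Verifier:
    """Server side: issues one-time challenges and checks responses."""

    def __init__(self, shared_keys):
        self._keys = shared_keys   # user -> secret key bytes (hypothetical store)
        self._pending = {}         # user -> outstanding nonce

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        # Pop first so a nonce is single use, even when verification fails.
        nonce = self._pending.pop(user, None)
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(key, nonce):
    """Client side: prove knowledge of the key without transmitting it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    key = secrets.token_bytes(32)            # constructed key for the demo
    server = Verifier({"operator1": key})
    nonce = server.challenge("operator1")
    captured = respond(key, nonce)           # what an on-path observer records
    first = server.verify("operator1", captured)
    replay_same = server.verify("operator1", captured)  # nonce already consumed
    server.challenge("operator1")
    replay_new = server.verify("operator1", captured)   # stale response, new nonce
    return first, replay_same, replay_new

if __name__ == "__main__":
    print(demo())
```

This covers replay of the login exchange only; traffic after authentication still needs its own integrity protection, which is what the encryption and VPN items address.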


Your time matters, and your systems should work. Invest in a remote access system built from the ground up for industrial control networks, uniquely secured with moving target defense, with no compromises on security.

Ask us questions or get your demo at