MITRE Engenuity Releases First ATT&CK Evaluations for Industrial Control Systems Security Tools

July 19, 2020

MITRE Engenuity has released results from its first round of independent MITRE Engenuity ATT&CK® Evaluations for Industrial Control Systems (ICS). The evaluations examined how cybersecurity products from five ICS vendors detected the threat of Russian-linked Triton malware.

Triton malware targets safety systems, preventing operators from responding to failures, hazards and other unsafe conditions, potentially causing physical destruction that can lead to fatal consequences. Russia’s Central Scientific Research Institute of Chemistry and Mechanics developed Triton, which was used in an attack that shut down a Saudi refinery, leading the U.S. Department of Treasury to impose sanctions against the institute.

The evaluations use ATT&CK for ICS, a MITRE-curated knowledge base of adversary tactics, techniques, and procedures based on known threats to industrial control systems. ATT&CK for ICS provides a common language to describe the tactics and techniques that cyber adversaries use when attacking the systems that operate some of the nation’s most critical infrastructures, including energy transmission and distribution plants, oil refineries, wastewater treatment facilities, and more.

The evaluations, which were paid for by the participating vendors, included products from Armis; Claroty; Dragos; the Institute for Information Industry; and Microsoft.

“We chose to emulate the Triton malware because it targets safety systems, which prevent some of the worst consequences from happening when something goes wrong in an industrial control setting,” said Otis Alexander, who leads the ATT&CK Evaluations for ICS. “The amount of publicly reported data from the attacks and the devastating impact of the malware help ensure this is a robust emulation. We hope the evaluations can help organizations find security tools that are best suited to their individual needs.”
