Cyber Infrastructure Protection Innovation Center
We develop technologies, practices, and approaches to protect critical infrastructure from malicious cyber or non-kinetic attack or disruption.
The vast cyber infrastructure underpinning our way of life is increasingly at risk. From transportation to healthcare, systems and networks previously out of reach for adversaries—due to perceived norms, feared repercussions, or lack of capability—are regularly targeted and compromised. These threats come from a variety of sources, including cyber attacks by adversary nation states, criminals, terrorists, and other non-state actors, to achieve strategic, tactical, and financial objectives.
The Cyber Infrastructure Protection Innovation Center (CIPIC) within MITRE Labs develops technical capabilities to ensure resiliency of our nation’s and our allies’ cyber infrastructure and provides techniques to deter adversaries and mitigate risk.
CIPIC’s work informs MITRE sponsors’ cyber resiliency, protects national security, and secures the systems that power our lives.
Our Capabilities
OT Engineering and Response
Engineering secure operational technology (OT) requires understanding the unique protocols, platforms, and architectures used throughout critical infrastructure. Security engineering identifies techniques and technologies to detect and protect against evolving threats. This includes evaluating and deploying technologies to inventory assets, managing and authenticating access attempts, segmenting networks, and securing communications. Further, it explores data sources and tools needed to monitor for threats, along with the development of tailored analytics to improve detection. These engineering efforts must integrate with legacy systems, maintain high availability requirements, and ensure the system avoids associated safety/environmental hazards.
Critical Infrastructure Resiliency and Safety
Critical infrastructure operations can be done safely, securely, and reliably even in contested environments, through assessments, analysis, and engineering of applications, devices, communications, and supporting infrastructure. Using passive and active data collection methods, this capability performs system validation (e.g., identifying assets, data ingress/egress points, etc.) and, using available threat intelligence, will facilitate a systematic risk approach to remediating any identified gaps. Using formalized and repeatable assessments, cross-cutting gaps can be identified and prioritized for remediation, research, and innovation. The capability will maintain an understanding of the current threat landscape and acquire/develop the training and tooling necessary to stay current on adversary TTPs.
OT/Internet of Things Device Security
OT, IoT, and mobile devices are at the core of critical infrastructure processes. Ensuring the security and integrity of these devices is key to improving the security and safety of those processes. CIPIC conducts technical analysis across the surface of these devices, including embedded systems (i.e., Real Time Operating System ), binaries (including software and firmware) and unique protocols through the use of technical competencies like forensic analysis and reverse engineering.
Engineering secure operational technology (OT) requires understanding the unique protocols, platforms, and architectures used throughout critical infrastructure. Security engineering identifies techniques and technologies to detect and protect against evolving threats. This includes evaluating and deploying technologies to inventory assets, managing and authenticating access attempts, segmenting networks, and securing communications. Further, it explores data sources and tools needed to monitor for threats, along with the development of tailored analytics to improve detection. These engineering efforts must integrate with legacy systems, maintain high availability requirements, and ensure the system avoids associated safety/environmental hazards.
Critical infrastructure operations can be done safely, securely, and reliably even in contested environments, through assessments, analysis, and engineering of applications, devices, communications, and supporting infrastructure. Using passive and active data collection methods, this capability performs system validation (e.g., identifying assets, data ingress/egress points, etc.) and, using available threat intelligence, will facilitate a systematic risk approach to remediating any identified gaps. Using formalized and repeatable assessments, cross-cutting gaps can be identified and prioritized for remediation, research, and innovation. The capability will maintain an understanding of the current threat landscape and acquire/develop the training and tooling necessary to stay current on adversary TTPs.
OT, IoT, and mobile devices are at the core of critical infrastructure processes. Ensuring the security and integrity of these devices is key to improving the security and safety of those processes. CIPIC conducts technical analysis across the surface of these devices, including embedded systems (i.e., Real Time Operating System ), binaries (including software and firmware) and unique protocols through the use of technical competencies like forensic analysis and reverse engineering.
Our Offerings
Infrastructure Susceptibility Analysis and Assessments
The Infrastructure Susceptibility Analysis (ISA) process is a focused analytic approach designed to identify the most likely attack paths and methods undertaken by an adversary to compromise, exploit, and attack a target. This approach builds on existing threat intelligence techniques, which are inherently reactive, to predict where future attacks are likely to manifest. Predictions of future cyber attacks are based on 1) the functionality, architecture, and design of the targeted infrastructure and 2) the intentions, motivations, interests, and capabilities of the adversary, identifying attack scenarios that are not only possible, but also most likely. The likelihoods are then applied to more traditional assessment methodologies to yield recommendations for mitigations that are designed to maximize defensive value and minimize adversary capabilities against a particular system.
Failure Mode Analysis
The Threat-Informed Failure Scenario methodology helps organizations model the techniques a cyber adversary would need to access, manipulate, and impact their environment. The development of cyber inducible failure scenarios helps evaluate risks by exploring how previously identified adversarial techniques, based on ATT&CK® for ICS, would apply to their unique architectural and process environments. The development of failure scenarios can be used to help align various defensive efforts around potential adversary techniques. For example, the scenarios can help 1) identify and prioritize the most relevant cyber threat intelligence (CTI), 2) evaluate security operations center (SOC) capabilities, including analytics development and adversary emulation/purple teaming efforts, and 3) inform the development of Table Top Exercises to review organizational cyber preparedness.
Exercise Development
A Table Top Exercise (TTX) is a structured activity to help organizations evaluate their preparedness to respond to various cyber incidents and better evaluate the maturity of their policies and procedures regarding cyber incident management and response. The TTX is a facilitated session where different cyber events or threats are presented to a team of participants across key security and operational roles. The team is then asked to provide answers about how they would respond to different scenarios, with whom they would communicate, what information they would need/share and report. The outcome of a TTX includes suggestions on policy changes, improved training and awareness of key staff, and clarification of responsibilities during an incident.
OT/IOT and Mobile Device and Application Testing
The OT/IOT and Mobile Device and Application Testing offering seeks to mitigate the risk that embedded devices and related networks, sensors, and technologies pose to the wider critical infrastructure ecosystem, as well as investigate new ways in which mobility can be used to enhance the security of the ecosystem. This includes 1) rigorous security testing of OT, IOT and mobile devices, application software, and related networking technologies, protocols, and accessories informed by timely, threat-informed information, and in line with best practices and cutting edge analysis and research; 2) developing and validating use cases, techniques, technologies, and standards to securely incorporate and integrate mobility into critical infrastructure environments; 3) contributing to the development of tools, infrastructure, methodologies, standards, and practices needed to continually enhance the secure development, integration, and use of mobile devices, software, protocols, and capabilities in critical infrastructure ecosystem.
Our Frameworks
ATT&CK for ICS
ATT&CK® for Industrial Control Systems (ICS) is a knowledge base that documents the actions an adversary may take while operating within an ICS network. The knowledge base can be used to better characterize and describe post-compromise adversary behavior. While ICS are increasingly adopting information technology (IT) solutions to promote enterprise systems connectivity and remote access capabilities, they still retain unique characteristics. Logic executing in ICS has a direct effect on the physical world. If executed improperly, this logic can cause grievous problems to include significant damage to health and safety for humans, to the environment, and to the economy through production losses and compromises of proprietary information. ATT&CK® for ICS characterizes and describes the actions of an adversary who seeks to cause such consequences.
ATT&CK for Mobile
ATT&CK® for Mobile is a public knowledge base of adversarial tactics, techniques, and procedures (TTPs) focused on smartphones and tablets running Android and iOS. The goal of ATT&CK® for Mobile is to capture adversarial behavior utilizing the familiar matrix structure of sub-techniques that was adopted in the April 2022 ATT&CK® release. With the ever-changing mobile threat landscape, and the constant evolution and innovation around mobile devices, it is critical that real-world adversarial behavior be properly captured so individuals and enterprises can adequately protect their devices. Due to the pervasiveness of mobile devices in daily life, a compromised device could have critical ramifications for an individual or enterprise. ATT&CK® for Mobile seeks to aid in the detection and prevention of such threats to mobile devices.