FireEye Proposes Converged Enterprise and ICS ATT&CK Matrix
Security News, September 2020
In developing its ICS ATT&CK matrix, MITRE stressed that it is necessary to understand both Enterprise ATT&CK and ICS ATT&CK to accurately track threat actor behaviors across OT incidents.
"Over the past 5 to 10 years," Nathan Brubaker, senior manager at Mandiant Threat Intelligence, told SecurityWeek, "every sophisticated ICS attack instance we have observed has passed through these intermediary systems on their way to impacting ICS. This includes malware like Stuxnet, Triton and most others. Ninety to ninety-five percent of threat actor activity occurs on these intermediary systems." So the intermediary systems are the most likely place you are going to find ICS attackers, and the best opportunity to stop them.
ICS ATT&CK contains details of TTPs that explain threats to ICS, such as PLCs and other embedded systems, but by design does not include the intermediary systems that run on standard enterprise operating systems.
To achieve a holistic view of the full OT attack lifecycle, Mandiant Threat Intelligence has proposed a hybrid matrix comprising four groups: techniques that overlap between ICS and Enterprise, ICS techniques that overlap with an Enterprise sub-technique, ICS-only techniques, and Enterprise-only techniques.
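The four groups of the proposed hybrid matrix are a partition of the two technique sets, and a defender can compute that partition to see which ICS-relevant techniques are observable on the intermediary (enterprise OS) systems where most attacker activity occurs. The following is an added example, not code from FireEye, Mandiant or MITRE: it takes a small constructed subset of Enterprise and ICS techniques (the technique IDs and names are real ATT&CK entries as far as the author knows, but the name-based matching and the resulting mapping are illustrative, not MITRE's official cross-mapping), sorts each ICS technique into overlap, sub-technique overlap or ICS-only, marks the remaining Enterprise techniques as Enterprise-only, and then reports which ICS techniques are already covered by a given set of enterprise detections. Function names (build_hybrid_matrix, ics_covered_by_enterprise_detections) are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Technique:
    """One ATT&CK technique; `parent` is set only for Enterprise sub-techniques."""
    id: str
    name: str
    parent: Optional[str] = None


# Constructed sample subset, not the full matrices and not MITRE's mapping.
ENTERPRISE: List[Technique] = [
    Technique("T1566", "Phishing"),
    Technique("T1566.001", "Spearphishing Attachment", parent="T1566"),
    Technique("T1078", "Valid Accounts"),
    Technique("T1210", "Exploitation of Remote Services"),
    Technique("T1003", "OS Credential Dumping"),
]
ICS: List[Technique] = [
    Technique("T0865", "Spearphishing Attachment"),
    Technique("T0859", "Valid Accounts"),
    Technique("T0866", "Exploitation of Remote Services"),
    Technique("T0831", "Manipulation of Control"),
]


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive key for matching technique names."""
    return " ".join(name.casefold().split())


def build_hybrid_matrix(enterprise: Iterable[Technique], ics: Iterable[Technique]) -> Dict[str, list]:
    """Partition the two technique sets into the four hybrid-matrix groups.

    Matching is by technique name (an illustrative heuristic). Returns a dict with:
      overlap              -> [(ics_id, enterprise_id), ...]
      subtechnique_overlap -> [(ics_id, enterprise_subtechnique_id), ...]
      ics_only             -> [ics_id, ...]
      enterprise_only      -> [enterprise_id, ...]
    """
    enterprise = list(enterprise)
    top_by_name = {_norm(t.name): t for t in enterprise if t.parent is None}
    sub_by_name = {_norm(t.name): t for t in enterprise if t.parent is not None}

    matrix: Dict[str, list] = {
        "overlap": [],
        "subtechnique_overlap": [],
        "ics_only": [],
        "enterprise_only": [],
    }
    matched_enterprise: Set[str] = set()

    for t in ics:
        key = _norm(t.name)
        if key in top_by_name:
            e = top_by_name[key]
            matrix["overlap"].append((t.id, e.id))
            matched_enterprise.add(e.id)
        elif key in sub_by_name:
            e = sub_by_name[key]
            matrix["subtechnique_overlap"].append((t.id, e.id))
            matched_enterprise.add(e.id)
            # The parent technique is considered represented through its sub-technique,
            # so it is not reported as Enterprise-only.
            matched_enterprise.add(e.parent)
        else:
            matrix["ics_only"].append(t.id)

    matrix["enterprise_only"] = [e.id for e in enterprise if e.id not in matched_enterprise]
    return matrix


def ics_covered_by_enterprise_detections(matrix: Dict[str, list], detected_enterprise_ids: Set[str]) -> List[str]:
    """ICS techniques whose Enterprise counterpart is covered by existing detections.

    Because most ICS intrusions pass through enterprise-OS intermediary systems, an
    Enterprise-side detection for the mapped technique also gives visibility into the
    ICS technique. Returns a sorted list of ICS technique IDs.
    """
    pairs: List[Tuple[str, str]] = matrix["overlap"] + matrix["subtechnique_overlap"]
    return sorted(ics_id for ics_id, ent_id in pairs if ent_id in detected_enterprise_ids)


if __name__ == "__main__":
    m = build_hybrid_matrix(ENTERPRISE, ICS)
    for group, entries in m.items():
        print(f"{group}: {entries}")
    # Constructed example: the team has detections for Valid Accounts and Spearphishing Attachment.
    print("ICS techniques covered by enterprise detections:",
          ics_covered_by_enterprise_detections(m, {"T1078", "T1566.001"}))
```

The coverage helper is the practical payoff: feeding it the Enterprise technique IDs your detection stack already handles tells you which ICS techniques you can already observe on the Windows and Linux intermediary hosts, and the remaining ICS-only entries (here the manipulation-of-control technique) are the ones that require OT-specific monitoring.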
While attacks specifically designed to cause physical damage to ICS remain relatively rare because of the difficulty, cost and resources needed to develop them, common criminals are increasingly targeting ICS with ransomware to increase the likelihood of a substantial extortion payout.