MITRE Engenuity Releases First ATT&CK® Evaluations for Industrial Control Systems Security Tools

MITRE Engenuity today released results from its first round of independent MITRE Engenuity ATT&CK® Evaluations for Industrial Control Systems (ICS). The evaluations examined how cybersecurity products from five ICS vendors detected the threat of Russian-linked Triton malware.

TRITON malware targets safety systems, preventing operators from responding to failures, hazards and other unsafe conditions, potentially causing physical destruction that can lead to fatal consequences. Russia’s Central Scientific Research Institute of Chemistry and Mechanics developed TRITON, which was used in an attack that shut down a Saudi refinery, leading the U.S. Department of Treasury to impose sanctions against the institute.

The evaluations use ATT&CK for ICS, a MITRE-curated knowledge base of adversary tactics, techniques, and procedures based on known threats to industrial control systems. ATT&CK for ICS provides a common language to describe the tactics and techniques that cyber adversaries use when attacking the systems that operate some of the nation’s most critical infrastructures, including energy transmission and distribution plants, oil refineries, wastewater treatment facilities, and more.

The evaluations, which were paid for by the participating vendors, included products from Armis; Claroty; Dragos; the Institute for Information Industry; and Microsoft.

“We chose to emulate the Triton malware because it targets safety systems, which prevent some of the worst consequences from happening when something goes wrong in an industrial control setting,” said Otis Alexander, who leads the ATT&CK Evaluations for ICS. “The amount of publicly reported data from the attacks and the devastating impact of the malware help ensure this is a robust emulation. We hope the evaluations can help organizations find security tools that are best suited to their individual needs.”

Many products offer different approaches to detecting ICS attacks, and these evaluations can help security practitioners better understand how those products meet their organization’s needs in areas including the stage of attack when the detections occur, the types of data sources that can be collected, and how information may be presented. Few organizations have the time and resources to install and test multiple products as they make decisions on what they need to defend their networks. “Our evaluations are intended to take some of the guesswork out of the process and provide clarity about how security products detect adversary activity,” said Alexander.

In addition to the ATT&CK Evaluations for ICS, MITRE Engenuity also evaluates security products for enterprise networks. Most recently, MITRE Engenuity examined 29 products against the threat from cybercrime groups FIN7 and Carbanak, which have demonstrated the ability to compromise financial service and hospitality organizations, respectively, using malware and tradecraft.

“MITRE Engenuity’s ATT&CK Evaluations program is built on the backbone of MITRE’s integrity and commitment to making the world a safer, more secure place,” said Frank Duff, general manager of the ATT&CK Evaluations program. “Vendors trust us to improve their offerings, and the community trusts that we’ll provide transparency into the technology that is necessary to make the best decisions for their unique environment. Unlike closed door assessments, we use a purple teaming approach with the vendor to optimize the evaluation process. MITRE experts provide the red team while the vendor provides the blue team to ensure complete visibility, while allowing the vendor to learn directly from ATT&CK experts.”

For the full results and more information about MITRE Engenuity’s ATT&CK Evaluations, visit attackevals.mitre-engenuity.org.

Vendor Perspective

Chris Dobrec, vice president of product marketing, Armis: “Armis is thrilled to participate in the first-ever MITRE Engenuity ATT&CK® Evaluations for ICS. The ATT&CK Evaluations help the cybersecurity community by improving security products through real-world tactics and techniques employed by adversaries. This ensures that organizations can actively evaluate ICS security solutions with confidence in order to protect themselves from the latest advances from attackers.”

Grant Geyer, chief product officer, Claroty: “ICS is the new target of choice for cyber criminals and nation states, as demonstrated by the uptick in cyber attacks on critical infrastructure in recent months, so it’s more important than ever that organizations can ensure that they are equipped to handle this onslaught of attacks. We are honored to participate in the first MITRE Engenuity ATT&CK® Evaluations for ICS, which sets an important new standard for industrial cybersecurity solutions.”

Sergio Caltagirone, vice president of threat intelligence, Dragos, Inc.: “Dragos is excited to have participated in the first ever MITRE Engenuity ATT&CK Evaluations for ICS. The evaluation process is notable for its approach to impartially testing all participating vendor products so that collectively we can improve the community’s understanding of OT detection. We welcome any opportunity to help build the community knowledge base and are confident that participating in these assessments of detection and protection capabilities contributes to driving our industry forward.”

Yuval Eldar, general manager for IoT/OT security, Microsoft: “As a leader in five Gartner Magic Quadrants and seven Forrester Waves, Microsoft Security is thrilled to be one of a select group of vendors included in the inaugural round of the MITRE Engenuity ATT&CK® Evaluations for ICS. With recent attacks targeting core business operations, community collaboration such as this can help us all create a safer world. We thank MITRE Engenuity for the opportunity to participate in testing our agentless Azure Defender for IoT solution and Azure Sentinel SIEM/SOAR solution. We look forward to our continued partnership and building upon what we learned about the need for a holistic SIEM/XDR view across networks, endpoints, identity, and other domains in our clients’ IT/OT infrastructures.”
