Review for publication
mehaase committed Jul 16, 2024
1 parent c81e675 commit 07522a0
Showing 10 changed files with 385 additions and 366 deletions.
69 changes: 38 additions & 31 deletions README.md
@@ -1,57 +1,64 @@
[![MITRE ATT&CK® 15.1](https://img.shields.io/badge/MITRE%20ATT%26CK®-v15-red)](https://attack.mitre.org/versions/v15/)
[![MITRE ATT&CK®
15.1](https://img.shields.io/badge/MITRE%20ATT%26CK®-v15-red)](https://attack.mitre.org/versions/v15/)

# Defending OT with ATT&CK

Defending Operational Technology (OT) with ATT&CK is a Center for Threat-Informed Defense (Center)
project that provides a customized collection of [MITRE ATT&CK®](https://attack.mitre.org/) techniques tailored to the
attack surface and threat model for OT environments. The collection of threats contained
in the ATT&CK knowledgebase, including historical attacks against OT, are used to define a
reference architecture and technology domains of interest for OT. The resultant collection
can be used by organizations that use OT to evaluate and employ security controls for
Defending Operational Technology (OT) with ATT&CK is a Center for Threat-Informed
Defense (Center) project that provides a customized collection of [MITRE
ATT&CK®](https://attack.mitre.org/) techniques tailored to the attack surface and threat
model for OT environments. The collection of threats contained in the ATT&CK
knowledgebase, including historical attacks against OT, are used to define a reference
architecture and technology domains of interest for OT. The resultant collection can be
used by organizations that use OT to evaluate and employ security controls for
real-world adversary behaviors.

This work builds upon the Center's [Defending IaaS with ATT&CK](https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/defending-iaas-with-attack/) project by using
the methodology and tooling created under that project as a basis. Defending OT with ATT&CK
provides an additional collection of resources cyber defenders can use to understand and make
threat-informed decisions for techniques that could be used within an IT/OT hybrid architecture
and environment.

**Table Of Contents:**

- [Getting Started](#getting-started)
- [Getting Involved](#getting-involved)
- [Questions and Feedback](#questions-and-feedback)
- [Notice](#notice)

## Getting Started

To get started, visit the project website. The website includes an overview of the project,
the reference architecture assets, the threat modeling methodology, and the customized threat
collection. Use cases and a cyber tabletop exercise scenario are also provided.
The project website includes an overview of the project, the reference architecture
assets, the threat modeling methodology, and the customized threat collection.

| Resource | Description |
| ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- |
| [Project Website](https://center-for-threat-informed-defense.github.io/defending-ot-with-attack/) | Reference architecture, methodology, usage |
| [Threat Collection](https://github.com/center-for-threat-informed-defense/defending-ot-with-attack/TBD) | Mapped techniques for OT environments |
| [Hybrid Navigator Layer](https://github.com/center-for-threat-informed-defense/defending-ot-with-attack/tree/main/mappings/layers/TBD) | ATT&CK Navigator views of the hybrid ATT&CK matrix |
| Resource | Description |
| -------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
| [Project Website](https://center-for-threat-informed-defense.github.io/defending-ot-with-attack/) | Reference architecture, methodology, usage |
| [Threat Collection](https://github.com/center-for-threat-informed-defense/defending-ot-with-attack/modified_work_bench_file.json) | Mapped techniques for OT environments |
| [Hybrid Navigator Layer](https://github.com/center-for-threat-informed-defense/defending-ot-with-attack/tree/main/mappings/layers/TBD) | ATT&CK Navigator views of the hybrid ATT&CK matrix |

## Getting Involved

There are several ways that you can get involved with this project and help
advance threat-informed defense. Please review the project resources, use them, and tell us
what you think.
advance threat-informed defense.

We welcome your contributions to help advance Defending OT with ATT&CK in the form of [pull
requests](https://github.com/center-for-threat-informed-defense/defending-ot-with-attack/pulls). Please review the [contributor notice](https://github.com/center-for-threat-informed-defense/defending-ot-with-attack/blob/main/CONTRIBUTING.md) before making a pull request.
- **Visit the project website.** Use the website to learn about the methodology,
findings, and deliverables for this project.
- **Use it with ATT&CK Workbench.** For [ATT&CK
Workbench](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend)
users, import the threat collection from this project into your Workbench so that you
can integrate OT planning into your overall workflow
- **Spread the word.** Share your feedback and thoughts on the project with your
colleagues and industry peers.

Please submit [issues on GitHub](https://github.com/center-for-threat-informed-defense/defending-ot-with-attack/issues) for any technical questions or requests.
You may also contact [[email protected]](mailto:[email protected]?subject=Question%20about%20defending-ot-with-attack) directly for more general inquiries about
the Center for Threat-Informed Defense.
## Questions and Feedback

## Notice
We welcome your feedback and contributions to help advance Mappings Explorer. Please see
the guidance for contributors if are you interested in [contributing or simply reporting
issues.](/CONTRIBUTING.md)

<!-- TODO Add PRS prior to publication. -->
Please submit
[issues](https://github.com/center-for-threat-informed-defense/mappings-explorer/issues)
for any technical questions/concerns or contact
[[email protected]](mailto:[email protected]?subject=Question%20about%20Defending%20OT%20with%20Attack)
directly for more general inquiries.

## Notice

Copyright 2024 MITRE Engenuity. Approved for public release. Document number REPLACE_WITH_PRS_NUMBER
© 2024 MITRE Engenuity. Approved for public release. Document number(s) CT0121.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this
file except in compliance with the License. You may obtain a copy of the License at
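Review bot: the new "Questions and Feedback" section still names the wrong project: it says "help advance Mappings Explorer" and links to https://github.com/center-for-threat-informed-defense/mappings-explorer/issues, so readers reporting a problem would land in another repository's tracker. Replace the project name with Defending OT with ATT&CK and point the issues link back at this repository (the removed paragraph had the correct URL), and fix "if are you interested" to "if you are interested". Two smaller items in the same hunk: the Threat Collection link `https://github.com/center-for-threat-informed-defense/defending-ot-with-attack/modified_work_bench_file.json` has no `blob/<branch>/` segment, so GitHub will not resolve it to the file, and the Hybrid Navigator Layer row still ends in `TBD`; and the `<!-- TODO Add PRS prior to publication. -->` comment is stale now that the Notice line carries document number CT0121, so drop it (the ATT&CK Workbench bullet is also missing its terminating period after "overall workflow").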
Binary file removed docs/_static/assets.png
Binary file added docs/_static/defending-ot.jpg
99 changes: 47 additions & 52 deletions docs/architecture.rst
@@ -1,69 +1,64 @@
Reference Architecture
======================

Defending OT with ATT&CK developed a basic reference architecture to provide a common,
reusable view of assets and technologies used in IT/OT hybrid environments where a threat
actor can impact operations. The reference architecture identifies the attack surface and
serves as a framework for depicting assets using functional components across the technology
stack of an OT environment in hierarchical levels. It can be used to help understand the
segmentation of industrial processes and IT systems, delineated boundaries between different
operational zones, and interactions between IT and OT systems.

.. image:: ./_static/ref_arch.png

The Defending OT with ATT&CK reference architecture is adapted from the `Purdue Enterprise Reference Architecture (PERA) model <https://www.energy.gov/sites/default/files/2022-10/Infra_Topic_Paper_4-14_FINAL.pdf>`_,
which historically has been the primary reference to describe the structure of OT networks.
ATT&CK for Enterprise and ATT&CK for ICS platforms and assets were reviewed to aid in determining
relevant assets and technologies. Consideration was also given for international standards and
Defending OT with ATT&CK developed a reference architecture to provide a common,
reusable view of assets and technologies used in IT/OT hybrid environments where a
threat actor can impact operations. The reference architecture identifies the attack
surface and serves as a framework for depicting assets using functional components
across the technology stack of an OT environment in hierarchical levels. It can be used
to help understand the segmentation of industrial processes and IT systems, delineated
boundaries between different operational zones, and interactions between IT and OT
systems.

.. figure:: ./_static/ref_arch.png
:align: center
:scale: 80%

Reference Architecture (click to enlarge)

The Defending OT with ATT&CK reference architecture is adapted from the `Purdue Enterprise Reference Architecture (PERA) model <https://www.energy.gov/sites/default/files/2022-10/Infra_Topic_Paper_4-14_FINAL.pdf>`_,
which historically has been the primary reference to describe the structure of OT networks.
ATT&CK for Enterprise and ATT&CK for ICS platforms and assets were reviewed to aid in determining
relevant assets and technologies. Consideration was also given for international standards and
sector-based use cases (e.g., factory automation, maritime transport).

Architecture Assets
-------------------

Control systems standards and guidance containing reference architectures with assets were reviewed
when developing the assets that comprise Defending OT with ATT&CK's reference architecture. These sources
include the `ISA/IEC 62443 series of standards <https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards>`_ for protecting industrial automation and control systems (IACS)
from cyberthreats and `NIST SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security <https://csrc.nist.gov/pubs/sp/800/82/r3/final>`_ which
encompasses security for a broad range of systems and devices. The following considerations were also
taken when defining the Defending OT with ATT&CK's architecture assets:

* Enterprise IT and OT Security

* Enterprise IT and OT security attack surface management, OT and ICS areas of interest,
network assets, wireless protocols in energy sector, manufacturing systems
Control systems standards and guidance containing reference architectures with assets
were reviewed when developing the assets that comprise Defending OT with ATT&CK's
reference architecture. These sources include the `ISA/IEC 62443 series of standards
<https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards>`_
for protecting industrial automation and control systems (IACS) from cyberthreats and
`NIST SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security
<https://csrc.nist.gov/pubs/sp/800/82/r3/final>`_ which encompasses security for a broad
range of systems and devices. The following considerations were also taken when defining
the Defending OT with ATT&CK's architecture assets:

* Network Segmentation, Governance, and Compliance
Enterprise IT and OT Security
Enterprise IT and OT security attack surface management, OT and ICS areas of interest,
network assets, wireless protocols in energy sector, manufacturing systems

* Measured inclusion due to the limitations of mapping these assets to attack vectors
Network Segmentation, Governance, and Compliance
Measured inclusion due to the limitations of mapping these assets to attack vectors

* Architecture and Attack Vectors
Architecture and Attack Vectors
Abstraction of cloud OT and on-prem OT to account for different attack vectors

* Abstraction of cloud OT and on-prem OT to account for different attack vectors

* Adversaries and Goals in IT compared to OT

* Distinction emphasized between IT networks where adversaries seek information exfiltration
Adversaries and Goals in IT compared to OT
Distinction emphasized between IT networks where adversaries seek information exfiltration
and OT networks where objectives are focused on operations disruption

* Impacting ICS

* Understanding impact to assets, particulary in context of ICS and application of ATT&CK
Impacting ICS
Understanding impact to assets, particulary in context of ICS and application of ATT&CK
in IT and OT environments

.. image:: ./_static/assets.png

The below table provides descriptions for each of the 21 identified Defending OT with ATT&CK Architecture Assets. All assets can be mapped to
ATT&CK for Enterprise's platforms and/or ATT&CK for ICS' assets. There are nine assets where ATT&CK for ENterprise and ATT&CK for ICS overlap:
.. _asset-table:

* Control Server
* Human-Machine Interface (HMI)
* Jump Hosts
* Application Server
* Engineering Workstation
* Routers in OT networks
* Data Historian
* VPN Server
* Firewall
The below table provides descriptions for each of the 21 identified Defending OT with
ATT&CK Architecture Assets. All assets can be mapped to ATT&CK for Enterprise's
platforms and/or ATT&CK for ICS' assets. There are nine assets where ATT&CK for
Enterprise and ATT&CK for ICS overlap.

+--------------------------------------+---------------------------------------------------------------------------------------------------+
+ Asset Name + Description +
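Review bot: the typo "particulary" survives in the rewritten "Impacting ICS" definition ("Understanding impact to assets, particulary in context of ICS"); make it "particularly" while this block is being reflowed. The new `.. figure::` uses `:scale: 80%` without `:width:` or `:height:`; Sphinx can only apply `:scale:` when it can read the image dimensions, which requires Pillow in the docs build environment, otherwise it logs "Could not obtain image size. :scale: option is ignored." and renders the image full size, and the "(click to enlarge)" caption then has nothing to click. Either add Pillow to the docs requirements or set an explicit `:width:`. Also, the bulleted list of the nine overlapping assets was dropped but the sentence "There are nine assets where ATT&CK for Enterprise and ATT&CK for ICS overlap." remains; consider pointing readers to the `[ICS & Enterprise]` tag in the table so the count stays verifiable. Finally, the considerations were converted from nested bullets to an rst definition list; the definition lines must be indented under their term lines (the indentation is not visible in this view), so check the rendered page to confirm they do not collapse into run-on paragraphs.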
@@ -85,7 +80,7 @@ ATT&CK for Enterprise's platforms and/or ATT&CK for ICS' assets. There are nine
+ Container + A container is standard unit of virtualized software that packages up code and its dependencies +
+ + so the application runs quickly and reliably from one computing environment to another. +
+--------------------------------------+---------------------------------------------------------------------------------------------------+
+ Control Server + Control servers are typically a software platform that runs on a modern server operating system +
+ Control Server + Control servers are typically a software platform that runs on a modern server operating system +
+ [ICS & Enterprise] + (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., +
+ + Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal +
+ + Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides +
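Review bot: the Container description two rows above the changed line reads "A container is standard unit of virtualized software"; insert "a" ("a standard unit") while this table is being touched. The Control Server line shows no visible difference in this view, so the edit is presumably trailing whitespace or column padding; a pre-commit hook that strips trailing whitespace would keep such noise out of content commits.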
@@ -174,9 +169,9 @@ ATT&CK for Enterprise's platforms and/or ATT&CK for ICS' assets. There are nine
+ Servers and Endpoints + A server is a system that provides resources, data, services, or programs to other systems over a +
+ [OS: Linux, Windows] + network. Endpoints are physical devices that connect to and exchange information with a network. +
+--------------------------------------+---------------------------------------------------------------------------------------------------+
+ Virtual Private Network (VPN) Server + A VPN server is a device that is used to establish a secure network tunnel between itself and +
+ Virtual Private Network (VPN) Server + A VPN server is a device that is used to establish a secure network tunnel between itself and +
+ [ICS & Enterprise] + other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure +
+ + connection with a single remote device, or to securely bridge all traffic between two separate +
+ + connection with a single remote device, or to securely bridge all traffic between two separate +
+ + networks together by encapsulating all data between those networks. VPN servers typically support +
+ + remote network services that are used by field VPNs to initiate the establishment of the secure +
+ + VPN tunnel between the field device and server. +

0 comments on commit 07522a0
