In a recent Tech Talk Tuesday session, Dan from Insane Forensics and Ron Fabello from SynSaber discussed the importance of leveraging both the MITRE ATT&CK Enterprise and MITRE ATT&CK ICS frameworks to ensure comprehensive protection.
Their key takeaway? Using both frameworks together is crucial for effective cybersecurity in industrial environments.
MITRE ATT&CK is a globally recognized knowledge base that catalogs attacker tactics and techniques. It provides valuable insights into how adversaries operate, helping cybersecurity professionals anticipate and mitigate threats.
MITRE ATT&CK Enterprise focuses on common attacker tactics used across various IT environments, such as phishing, credential dumping, and lateral movement.
MITRE ATT&CK ICS highlights attack techniques specific to industrial control systems, such as firmware modification, manipulation of control logic, and unauthorized command execution.
A common industry debate is whether these frameworks should be used together or separately. Dan and Ron strongly advocate for using both.
Many industrial environments use enterprise-level systems, including Windows servers, databases, and cloud applications. These systems are often targeted by attackers before pivoting to ICS infrastructure. Enterprise attacks can serve as a gateway to ICS networks.
Despite security best practices advising against it, many ICS environments are still connected to the internet through:
Direct network access
Cellular modems
Remote access tools
Attackers don’t always need to breach enterprise networks first; some ICS systems are directly reachable from the internet.
Many ICS devices run common services and software (e.g., Windows, Linux, Nginx, SQL), making them susceptible to traditional IT exploits.
Attackers use phishing emails, malware, and other IT-focused exploits to gain initial access before targeting industrial systems. An attack that starts in enterprise IT can have devastating consequences on ICS infrastructure.
Effective cybersecurity is about understanding and managing risk. Dan and Ron emphasize three key risk factors:
Impact: How damaging could an attack be?
Probability: How likely is an attack to occur?
Possibility: Is an attack technically feasible?
MITRE ATT&CK helps organizations categorize threats, assess attack probabilities, and determine whether a given exploit is possible.
Many companies underestimate threats due to misconceptions about ICS security:
“Our systems aren’t connected to the internet.” Reality: Many ICS networks have hidden connections that attackers can exploit.
“Attackers wouldn’t target us.” Reality: Cybercriminals, nation-state actors, and ransomware groups all target industrial environments.
“Our defenses are strong enough.” Reality: Many ICS environments still rely on outdated security measures.
Relying solely on MITRE ATT&CK ICS leaves organizations blind to enterprise-based attack paths. Research has shown that:
Enterprise attack techniques still apply to industrial networks.
Industrial systems often contain IT-based vulnerabilities.
Attackers exploit weak IT defenses to gain access to ICS.
A Windows system in a factory is just as vulnerable as one in a corporate office. Without considering both frameworks, companies risk leaving major attack vectors unprotected.
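As an added illustration of the blind spot described above (this is example code written for this summary, not material from the talk or from Insane Forensics or SynSaber), the script below walks a constructed intrusion path that begins with Enterprise techniques and ends on ICS techniques, and reports which steps go unseen when detection coverage is mapped only against the ICS matrix. Technique IDs are quoted from memory of the ATT&CK knowledge base and should be checked against attack.mitre.org; the coverage sets and the Impact/Probability/Possibility scoring rule are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    technique_id: str  # ATT&CK technique identifier
    name: str
    matrix: str        # "enterprise" or "ics"


# Constructed attack path: phishing -> credential dumping -> lateral movement
# into the control network -> control-logic tampering -> unauthorized command.
ATTACK_PATH = [
    Step("T1566", "Phishing", "enterprise"),
    Step("T1003", "OS Credential Dumping", "enterprise"),
    Step("T1021", "Remote Services", "enterprise"),
    Step("T0833", "Modify Control Logic", "ics"),
    Step("T0855", "Unauthorized Command Message", "ics"),
]

# Constructed detection coverage: techniques the SOC has detections for.
ICS_ONLY_COVERAGE = {"T0833", "T0855", "T0857"}
COMBINED_COVERAGE = ICS_ONLY_COVERAGE | {"T1566", "T1003", "T1021"}


def uncovered_steps(path, coverage):
    """Return the steps of an attack path that no detection covers."""
    return [s for s in path if s.technique_id not in coverage]


def first_detection_index(path, coverage):
    """Index of the earliest step a defender would see, or None if never."""
    for i, s in enumerate(path):
        if s.technique_id in coverage:
            return i
    return None


def risk_score(impact, probability, possibility):
    """Assumed scoring rule combining the three factors from the talk.
    impact and probability are in [0, 1]; possibility is a gate, so a
    technique that is not technically feasible contributes no risk."""
    if not (0 <= impact <= 1 and 0 <= probability <= 1):
        raise ValueError("impact and probability must be in [0, 1]")
    return impact * probability if possibility else 0.0


if __name__ == "__main__":
    for label, cov in (("ICS only", ICS_ONLY_COVERAGE), ("Combined", COMBINED_COVERAGE)):
        missed = [f"{s.technique_id} {s.name}" for s in uncovered_steps(ATTACK_PATH, cov)]
        print(f"{label}: first detection at step {first_detection_index(ATTACK_PATH, cov)}, "
              f"unseen steps: {missed or 'none'}")
```

With ICS-only coverage the defender first sees the intrusion at the control-logic step, after the attacker is already inside the control network; with combined coverage the phishing step is visible.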
Use both MITRE ATT&CK Enterprise and ICS together for a comprehensive security strategy.
Industrial environments are not fully isolated, and enterprise attack methods often apply.
Risk assessments should factor in Impact, Probability, and Possibility for a realistic security approach.
Industrial cybersecurity is evolving, and attackers are leveraging both IT and OT vulnerabilities.
Cyber threats against industrial environments continue to evolve. Organizations that only focus on ICS-specific threats risk overlooking the broader attack landscape. By leveraging both MITRE ATT&CK Enterprise and ICS, cybersecurity teams can better anticipate threats, understand attack pathways, and fortify their defenses against modern cyber adversaries.
Insane Cyber © All Rights Reserved 2025