The MITRE ATT&CK framework is the most widely adopted catalog of adversary behavior in cybersecurity. Most IT security teams have used MITRE ATT&CK for Enterprise for years to structure threat models, organize detection coverage, and describe how attackers operate. Fewer security teams have worked with the version built specifically for industrial control systems (ICS) — and even fewer have grasped how the Enterprise and ICS matrices actually relate to each other in a real industrial environment.
This article explains both. It is written for the OT cybersecurity professional who already knows the framework but wants a current treatment with the cross-domain perspective; for the IT security professional moving into industrial environments who needs the bridge from familiar Enterprise tactics to the unfamiliar physical-process tactics; and for the insurance underwriter who needs enough framework literacy to read an OT cyber submission with informed judgment.
If you're not yet familiar with why OT environments face structurally different security challenges than IT, the companion article on that subject is the right starting point. This one picks up from there.
What MITRE ATT&CK Is
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary behavior derived from real-world observations. It is maintained by the MITRE Corporation and updated several times a year, supported by government funding and a global community of contributors.[1] MITRE ATT&CK organizes observed adversary behavior around tactics, techniques, and sub-techniques. Tactics describe the adversary's objective — the why behind an action, such as Initial Access, Execution, or Persistence. Techniques describe the method used to achieve that objective — the how. Sub-techniques provide a more granular description of specific ways a technique may be carried out. Every entry is mapped to documented incidents and threat groups, which means ATT&CK is not a theoretical taxonomy — it is a structured description of what attackers have actually been observed doing.
The current release covers three technology domains. The Enterprise matrix has 15 tactics, 222 techniques, and 475 sub-techniques — the original matrix, covering Windows, macOS, Linux, cloud infrastructure, network devices, and containers.[2] The ICS matrix has 12 tactics, 79 techniques, and 18 sub-techniques — released in 2020 and focused on industrial control systems and the physical processes they operate.[2][3] The Mobile matrix has 12 tactics and 77 techniques, addressing smartphone and tablet threats.[2]
The matrices that matter for OT environments are Enterprise and ICS (unless mobile is a large part of your ICS/OT environment) — and the relationship between ATT&CK ICS and Enterprise is the heart of any credible OT threat model.
The Two Matrices That Dominate OT Environments
The Enterprise matrix documents adversary behavior against IT systems and technology you typically find in the corporate network. The ICS matrix documents adversary behavior against industrial systems — the PLCs, DCS, SCADA systems, safety instrumented systems (SIS), engineering workstations, and historians that operate physical processes.
Many readers learn the matrices as if they describe two disjoint worlds. They don't. Real OT attacks live in both.
Enterprise is where an OT attack almost always begins. Initial access through corporate IT — spearphishing, exploitation of public-facing applications, compromised vendor remote access — is the rule. The early phases of every major industrial cyber incident in the public record live in the Enterprise matrix: phishing emails to engineering staff, credential theft on IT networks, lateral movement through corporate Active Directory. By the time an adversary touches anything that looks like OT, they have typically been operating in the Enterprise matrix for weeks or months.
ICS is where the attack goes when the adversary's objective is to penetrate the OT network and manipulate a physical process. Modifying ladder logic on a PLC, suppressing safety system alarms, sending false setpoints to a DCS — these techniques have no Enterprise equivalent because they exist only against the engineering-specific protocols and devices used to operate physical equipment.
The critical observation: MITRE tried not to duplicate Enterprise techniques into the ICS matrix (with some exceptions). When an adversary uses spearphishing to compromise an engineering workstation, that's still Enterprise T1566 — even though the target is now an OT-adjacent asset.[3] The ICS matrix focuses on what is genuinely new to industrial environments, not on rebuilding the IT-side catalog inside a new wrapper. This means any complete OT threat model requires both matrices in scope. Treating ICS as a self-contained framework misses a significant portion of every observed attack chain.
What Makes OT Risk Structurally Different
Beyond the architectural and tooling incompatibilities, there is a deeper structural difference in the nature of the risk itself.
Physical consequences. In IT, the worst-case outcome of a successful cyber attack is data theft, ransomware encryption, or business disruption. These are serious. In OT, the worst-case outcome includes physical destruction of equipment, environmental damage, and harm to people. The 2010 Stuxnet attack destroyed uranium enrichment centrifuges at Natanz.[2] The 2014 German steel mill attack changed code in the blast furnace control system, preventing shutdown and causing significant physical damage.[3] The 2022 Industroyer2 attack targeted Ukrainian high-voltage substations with the explicit goal of triggering physical disconnection.[4] These are not theoretical scenarios.
Interdependencies with critical infrastructure. OT environments are not isolated business systems. They are frequently part of supply chains and infrastructure networks where a failure at one node propagates to others. An attack on a natural gas transmission operator affects industrial customers downstream. A compromise of an electricity distribution system has cascading effects across sectors. This interconnectedness means the blast radius of an OT security failure can extend far beyond the organization directly attacked.
Scarcity of historical loss data. IT cyber risk quantification benefits from decades of accumulated actuarial data: breach costs, ransomware payouts, incident frequencies by industry and company size. OT has far less. Incidents are underreported — organizations are reluctant to disclose attacks on critical infrastructure. The incident population is smaller. The consequence models are more complex because physical damage and production loss require engineering judgment, not just financial modeling. This data scarcity creates real challenges for industrial cyber risk management and makes traditional IT-based risk models unreliable in OT contexts.
Long-dwell, slow-burn attack patterns. OT attacks are frequently characterized by long reconnaissance phases and deliberate, precise execution. Adversaries operating in OT environments often spend months mapping assets, understanding process flows, and positioning for impact before executing. Industroyer, the malware used against Ukrainian infrastructure in 2016 and again in 2022, was engineered to speak native industrial protocols and execute impact operations with surgical precision.[4] Detection approaches calibrated for IT attack patterns — which tend to be faster and noisier — will miss OT-specific attacker behavior.
Matrices Are Not Silos
The position worth stating directly: ATT&CK for Enterprise and ICS should be treated as a single attack surface, not two isolated frameworks. Any technique can be used at any point in an attack — the only constraint is whether the target device supports the technique. A spearphishing attachment doesn't run on a PLC, but it absolutely runs on an engineering workstation that has browser access or has an email client. A Modify Program technique doesn't apply to a Windows server, but it applies to the PLC the Windows server pushes configurations to.
This matters for two reasons.
Enterprise techniques are sufficient to cause significant OT impact on their own. The Colonial Pipeline incident in 2021 was an Enterprise-matrix event end to end — the adversary never executed an ICS-specific technique. Yet the operator shut down 5,500 miles of fuel pipeline for five days as a precautionary response, with significant downstream economic consequence.[4] Norsk Hydro in 2019 followed the same pattern: ransomware encryption of IT infrastructure forced manual operation of OT systems and produced approximately $70 million in losses.[5] The lesson — Enterprise TTPs alone are capable of causing OT disruption, business interruption, and substantial financial loss without ever touching the ICS matrix.
ICS techniques extend the consequence ceiling. Where Enterprise techniques can cause disruption, ICS techniques can cause physical destruction. Stuxnet used Modify Parameter to vary centrifuge speeds beyond safe operating thresholds while simultaneously using Spoof Reporting Message to feed operators false data.[6] TRITON was designed specifically to disable Schneider Triconex safety controllers — the last line of defense before physical disaster.[7] These outcomes are not achievable through Enterprise techniques alone. The ICS matrix is what extends the framework into territory where cyber attacks produce explosions, equipment destruction, and risk to human life.
The practical implication: any threat model for an industrial environment that uses only ICS or only Enterprise is incomplete. Both are required, and the model needs to describe how an adversary could use both.
MITRE PIVOT — The Cross-Domain Attack Model
MITRE itself has formalized this cross-domain perspective in a side project. PIVOT — Platform Independent Vectors of Techniques[8] — is a MITRE concept that connects multiple ATT&CK matrices based on the adversary's actual path through a system-of-systems environment. Where the matrices describe behavior within a technology domain, PIVOT describes the components and pathways that adversaries use to move between domains.
PIVOT introduces the concept of pivot points — components that translate data from one protocol format to another. In industrial environments these include data historians (translating between OT industrial protocols and IT databases), engineering workstations (carrying both Enterprise OS techniques and ICS-specific engineering software), protocol gateways translating between Modbus and OPC UA, and serial-to-Ethernet converters bridging legacy field equipment to IP networks. In military and aerospace systems the same concept covers translations between TCP/IP and protocols like MIL-STD 1553B.
The PIVOT observation worth carrying forward: these pivot points are seldom understood or enumerated in industrial cyber assessments. Most asset inventories list devices by function (PLC, HMI, historian) without identifying which devices act as protocol translators between security domains. That gap allows adversaries to move laterally across technology domains undetected — which is precisely what makes IT-to-OT pivots so consistently successful.
For a credible OT threat model, the question isn't "what techniques exist in the ICS matrix?" — it's "what is the path an adversary can take from their initial access point in our IT environment to a successful impact in our OT environment, and which pivot points enable that crossing?"
The 12 ATT&CK for ICS Tactic Categories
ICS tactics describe the campaign sequence of an OT-focused attack, generally moving left to right from initial access to impact. The full attack rarely runs strictly left to right — adversaries loop back, escalate privileges mid-campaign, and re-enter discovery as they learn more about the environment — but the left-to-right reading is the right mental model for an introduction.
| Tactic | What the adversary does | Example technique |
|---|---|---|
| Initial Access | Gains first foothold, typically via IT | Spearphishing (T0865) |
| Execution | Runs malicious code in OT environment | Native API (T0834) |
| Persistence | Maintains access across reboots | Modify Program (T0839) |
| Privilege Escalation | Gains elevated OT access | Exploitation for Privilege Escalation (T0890) |
| Evasion | Avoids detection | Alarm Suppression (T0878) |
| Discovery | Maps the environment | Network Sniffing (T0842) |
| Lateral Movement | Moves toward target assets | Exploitation of Remote Services (T0866) |
| Collection | Gathers process data | Automated Collection (T0802) |
| Command and Control | Communicates with compromised systems | Standard Application Layer Protocol (T0869) |
| Inhibit Response Function | Suppresses process alarms | Modify Alarm Settings (T0838) |
| Impair Process Control | Executes the physical attack | Modify Parameter (T0836) |
| Impact | Produces the final physical outcome | Loss of Safety (T0880) |
Three tactics are unique to ICS and have no Enterprise equivalent: Inhibit Response Function, Impair Process Control, and Impact.[9] These are the tactics that describe attacks on the physical process. Everything else exists in some form in the Enterprise matrix, with variations specific to industrial protocols and devices.
The deeper per-tactic reference — observed adversary behavior, real incident mappings, and control implications — is available as the gated ICS Threat Matrix asset linked at the end of this article.
End-to-End Scenario: IT to OT, Traced Across Matrices
This scenario is constructed from documented techniques observed in multiple real ransomware-pivot incidents, including the 2019 Norsk Hydro attack and the broader pattern of ransomware groups targeting manufacturing.[5] It traces the campaign through both matrices to show where the boundaries actually sit.
Initial Access — Enterprise T1566 (Phishing). A finance department employee opens a phishing email attachment. The dropper deploys to the corporate IT network.
Discovery — Enterprise T1018 (Remote System Discovery). From the corporate network, the adversary enumerates IT infrastructure and identifies connections to the manufacturing OT network — typically through the historian server or recent files.
Lateral Movement — Enterprise T1210 (Exploitation of Remote Services). The adversary exploits an unpatched remote desktop service connecting corporate IT to the plant historian.
Crossing the pivot point. The historian sits at the boundary between IT and OT. It speaks both Enterprise OS protocols and OT industrial protocols. This is the PIVOT point: the asset that lets the campaign cross from one matrix into the other. From the historian, the adversary moves to an engineering workstation — still using Enterprise techniques, because the engineering workstation is fundamentally a Windows machine.
Collection — ICS T0802 (Automated Collection). From the engineering workstation, the adversary reads current PLC configurations and process data. We are now firmly in the ICS matrix.
Persistence — ICS T0839 (Modify Program). The adversary inserts malicious rungs into PLC ladder logic on two production line controllers. This persistence survives even if the original IT-side compromise is detected and remediated.
Impair Process Control + Impact — ICS T0836 (Modify Parameter) and T0826 (Loss of Availability). Simultaneously: ransomware payloads encrypt IT systems across the corporate network, and the pre-staged PLC modifications activate to take production lines offline. The adversary now has dual leverage — IT decryption requires one ransom; OT restoration requires either a second ransom or coordinated negotiation.
The chain in summary: Enterprise techniques carried the attack from initial access through pivot. ICS techniques carried it from pivot through impact. Threat modeling that ignored either side of that crossing would have missed the attack.
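The scenario above as structured data, with the check a detection engineer would run over it: infer each step's matrix from its technique ID (ICS techniques are numbered T0xxx, Enterprise techniques T1xxx), locate the crossing, and list which steps an assumed coverage set would leave unobserved. This is an added example written for this article, not code from the page or from MITRE; the asset names and the coverage set are constructed.

```python
"""Trace the article's IT-to-OT chain across the Enterprise and ICS matrices.

Added example for this article. Technique IDs are the ones quoted in the
scenario; asset names and the detection-coverage set are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    tactic: str
    technique_id: str
    name: str
    asset: str  # where the step lands (constructed for the scenario)


def matrix_of(technique_id: str) -> str:
    """Infer the matrix from the ID prefix: ICS is T0xxx, Enterprise is T1xxx."""
    if technique_id.startswith("T0"):
        return "ICS"
    if technique_id.startswith("T1"):
        return "Enterprise"
    raise ValueError(f"not an ATT&CK technique ID: {technique_id}")


CHAIN = [
    Step("Initial Access", "T1566", "Phishing", "finance workstation"),
    Step("Discovery", "T1018", "Remote System Discovery", "corporate network"),
    Step("Lateral Movement", "T1210", "Exploitation of Remote Services", "historian"),
    Step("Collection", "T0802", "Automated Collection", "engineering workstation"),
    Step("Persistence", "T0839", "Modify Program", "production line PLCs"),
    Step("Impair Process Control", "T0836", "Modify Parameter", "production line PLCs"),
    Step("Impact", "T0826", "Loss of Availability", "production lines"),
]


def matrices_spanned(chain):
    """A complete OT threat model must span both matrices."""
    return {matrix_of(s.technique_id) for s in chain}


def crossing(chain):
    """Index of the first step in a different matrix from the one before it,
    or None if the chain never leaves its starting matrix."""
    for i in range(1, len(chain)):
        if matrix_of(chain[i].technique_id) != matrix_of(chain[i - 1].technique_id):
            return i
    return None


def pivot_assets(chain):
    """The pair of assets between which the campaign crosses matrices."""
    i = crossing(chain)
    return None if i is None else (chain[i - 1].asset, chain[i].asset)


def coverage_gaps(chain, covered):
    """Uncovered technique IDs, and whether every ICS step before Impact is
    unobserved (i.e. the first OT-side signal is the outage itself)."""
    uncovered = [s.technique_id for s in chain if s.technique_id not in covered]
    pre_impact = [s for s in chain
                  if matrix_of(s.technique_id) == "ICS" and s.tactic != "Impact"]
    ics_blind = all(s.technique_id not in covered for s in pre_impact)
    return uncovered, ics_blind


# Assumed, hypothetical coverage: IT-side mail and endpoint telemetry, plus
# production monitoring that notices the outage; nothing on the EWS or PLCs.
COVERED = {"T1566", "T1018", "T1210", "T0826"}

if __name__ == "__main__":
    print("matrices spanned:", sorted(matrices_spanned(CHAIN)))
    print("crossing at step", crossing(CHAIN), "between", pivot_assets(CHAIN))
    print("uncovered, ICS blind before impact:", coverage_gaps(CHAIN, COVERED))
```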
Impact Tactics — Where the Loss Happens
The tactics on the right side of ATT&CK — to the right of Command and Control — are where loss is realized. Adversary actions earlier in the campaign create the capability for loss; the impact tactics turn that capability into a measurable financial event. Five tactics are central to OT loss modeling:[9]
- Exfiltration (Enterprise, TA0010) — the data leaves the environment. This is where a data breach actually becomes a breach. Collection (Enterprise, TA0009) is sometimes treated as the breach moment, but the real breach event — and the regulatory exposure that follows — occurs when data leaves the premises through exfiltration.
- Impact (Enterprise, TA0040) — IT-side consequences: data destruction, ransomware encryption, service stop, system shutdown.
- Inhibit Response Function (ICS, TA0107) — disables or disrupts safety and protective functions, removing the ability of the control system to mitigate process upsets.
- Impair Process Control (ICS, TA0106) — manipulates the physical process directly through modified setpoints, modified control logic, or spurious commands.
- Impact (ICS, TA0105) — the final physical outcome: loss of control, loss of view, loss of safety, equipment damage, loss of productivity.
Each of these tactics maps to one or more financial loss categories that an operator absorbs when the attack succeeds. The DeRISK Platform models these losses individually.
Primary losses are the direct consequence of the cyber impact:
- Downtime (100% capacity loss, full business disruption): associated with both Enterprise Impact via ransomware encryption and ICS Impact via control system shutdown.
- Loss of productivity (1–99% partial capacity loss): associated with Impair Process Control, where production continues at reduced rates.
- Equipment damage (physical damage to industrial assets): associated with Impair Process Control combined with Inhibit Response Function, where safety systems fail to prevent overload.
- Human damage (injury or loss of life): associated with the same pattern, applied to processes with safety-critical consequences.
- Extortion (ransom paid): associated with Enterprise Impact when ransomware is the attack mechanism.
Secondary losses are the cascading consequences of the primary event: incident response costs, reputation loss, regulatory penalty, and compensation per affected person. These categories apply across most impact tactics. Their magnitude varies by sector, by jurisdiction, and by the affected population.
The relationship between impact tactic and loss category is what makes ATT&CK useful for financial quantification rather than just threat modeling. A successful Impair Process Control event in a continuous chemical process can produce equipment damage, productivity loss, and regulatory exposure simultaneously. A ransomware Impact in a discrete manufacturing facility might produce only downtime and extortion losses, but at significant magnitude. The financial model differs because the technical attack path differs — and the model needs to honor that distinction.
How the Framework Is Used in Practice
ATT&CK has three primary applications in industrial cybersecurity. The first two are well understood; the third is where DeRISK differs from most other approaches in the market.
Threat modeling. Security teams use the catalog to map plausible attack paths against their specific environment — identifying which techniques are relevant given their asset inventory, network architecture, and industry threat profile. This is the foundation of scenario-based risk assessment. Threat intelligence feeds — CISA advisories, MITRE updates, vendor disclosures, sector ISAC reports — translate into updated technique probabilities for the modeled environment.
Detection engineering. Each ATT&CK technique includes data sources and detection guidance. Security teams use this to identify what telemetry they need to collect, what behavioral signatures to build, and where their detection coverage has gaps. A facility that discovers it has no visibility into ICS T0843 (Program Download) — which would allow an adversary to exfiltrate or replace PLC logic — has a concrete detection gap to close.
ICS cyber risk quantification. The DeRISK Platform uses ATT&CK as the core of its attack path modeling — not as a reference document, but as the operational threat structure that drives the financial model. Initial access vectors are drawn from both Enterprise and ICS matrices: every plausible entry point into the customer's environment — phishing, exposed services, vendor remote access, supply chain compromise, removable media — is assigned a base probability calibrated to industry threat data. Lateral movement is modeled across the customer's actual network architecture, with the Purdue model layers and identified pivot points determining which paths exist between initial access and target assets. Technique paths are evaluated for feasibility against the customer's specific security controls.
The maturity of the customer's cyber program is modeled as an inhibitor to attack progression. Strong segmentation lowers the probability that lateral movement succeeds. Mature monitoring lowers the probability that an attack proceeds undetected long enough to reach impact. Patch management, access control, incident response readiness, and the other security program elements assessed in the customer's submission all contribute to the inhibitor model. The output is probability-weighted financial loss across the full set of modeled attack paths — Annual Expected Loss, Value at Risk, and attack-path-ranked prioritization — each grounded in a specific chain of ATT&CK tactics and techniques, with explicit impact tactic mapping to loss category.
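An illustrative path-based calculation following the structure described above, written for this article; it is not the DeRISK Platform's model and makes no claim about how that platform computes its figures. Step probabilities, control maturities, attack frequencies and loss magnitudes are constructed placeholders; the technique IDs come from the article, and the loss categories follow the mapping in the previous section.

```python
"""Probability-weighted loss along ATT&CK attack paths (illustrative).

Added for this article; NOT the DeRISK Platform's model. It only follows the
structure described in the text: a base probability per step, control
maturity as an inhibitor, and impact tactics mapped to loss categories.
Every number below is a constructed placeholder.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    label: str           # technique ID from the article, or a tactic name
    base_p: float        # success probability with no effective control
    control: str | None  # control whose maturity inhibits this step


@dataclass(frozen=True)
class Path:
    name: str
    attempts_per_year: float        # constructed attack frequency
    steps: tuple[Step, ...]
    impact_tactics: frozenset[str]  # tactics reached at the end of the path


def loss_categories(impact_tactics: frozenset[str]) -> set[str]:
    """Loss categories per impact tactic, following the article's mapping.
    Downtime (100% loss) and productivity loss (partial) are alternatives;
    human damage follows the equipment-damage pattern and is omitted here."""
    cats: set[str] = set()
    if "Impact (Enterprise)" in impact_tactics:
        cats |= {"downtime", "extortion"}
    if "Impact (ICS)" in impact_tactics:
        cats.add("downtime")
    if "Impair Process Control" in impact_tactics:
        cats.add("loss_of_productivity")
        if "Inhibit Response Function" in impact_tactics:
            cats.add("equipment_damage")
    return cats


def path_probability(path: Path, maturity: dict[str, float]) -> float:
    """Product of per-step success probabilities, each scaled down by the
    maturity (0 = absent, 1 = fully effective) of its inhibiting control."""
    p = 1.0
    for s in path.steps:
        inhibitor = maturity.get(s.control, 0.0) if s.control else 0.0
        p *= s.base_p * (1.0 - inhibitor)
    return p


def annual_expected_loss(path, maturity, magnitudes) -> float:
    loss = sum(magnitudes[c] for c in loss_categories(path.impact_tactics))
    return path.attempts_per_year * path_probability(path, maturity) * loss


def rank_paths(paths, maturity, magnitudes) -> list[tuple[float, str]]:
    """Paths ordered by AEL; each figure is traceable to one step sequence."""
    return sorted(((annual_expected_loss(p, maturity, magnitudes), p.name)
                   for p in paths), reverse=True)


MATURITY = {"email_filtering": 0.5, "patching": 0.4,
            "segmentation": 0.6, "monitoring": 0.3}
MAGNITUDES_USD = {"downtime": 3_000_000, "extortion": 1_000_000,
                  "loss_of_productivity": 800_000, "equipment_damage": 5_000_000}
IT_ENTRY = (Step("T1566 Phishing", 0.4, "email_filtering"),
            Step("T1210 Exploitation of Remote Services", 0.5, "patching"))
PATHS = [
    Path("ransomware, Enterprise only", 2.0,
         IT_ENTRY + (Step("Impact (Enterprise): encryption", 0.8, "monitoring"),),
         frozenset({"Impact (Enterprise)"})),
    Path("IT-to-OT via historian pivot", 2.0,
         IT_ENTRY + (Step("pivot: historian -> engineering workstation", 0.5, "segmentation"),
                     Step("T0838 Modify Alarm Settings", 0.7, "monitoring"),
                     Step("T0836 Modify Parameter", 0.9, None)),
         frozenset({"Inhibit Response Function", "Impair Process Control"})),
]

if __name__ == "__main__":
    for ael, name in rank_paths(PATHS, MATURITY, MAGNITUDES_USD):
        print(f"{name:32s} AEL ~ ${ael:,.0f}")
```

With these placeholder inputs the Enterprise-only ransomware path ranks first, which is the article's Colonial Pipeline and Norsk Hydro point in numbers: the OT path carries the larger loss magnitude, but the pivot and the extra inhibited steps make it far less likely to complete.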
This is the difference between scoring risk and modeling it. Scoring approaches assign abstract numbers to security findings. Path-based modeling produces a financial output traceable back to a specific attack chain — and that traceability is what makes the output defensible in an underwriting conversation, a board review, or an internal budget allocation discussion.
Keep this as a reference.
Download the From ATT&CK to AEL: The OT Cyber Impact-to-Loss Reference — DeNexus's framework for mapping MITRE ATT&CK's Impact tactics to the financial losses they cause, including a worked example that translates a full attack chain into dollar exposure.
References
[1] MITRE Corporation, "MITRE ATT&CK®." URL: https://attack.mitre.org/
[2] MITRE ATT&CK, "Updates — April 2026 (v19)." URL: https://attack.mitre.org/resources/updates/updates-april-2026/
[3] MITRE Corporation, "MITRE ATT&CK for Industrial Control Systems: Design and Philosophy," March 2020. URL: https://attack.mitre.org/docs/ATTACK_for_ICS_Philosophy_March_2020.pdf
[4] CNBC, "Colonial Pipeline restarts after hack, but supply chain won't return to normal for a few days," May 12, 2021. URL: https://www.cnbc.com/2021/05/12/colonial-pipeline-restarts-after-hack-but-supply-chain-wont-return-to-normal-for-a-few-days.html
[5] MITRE Corporation, "Cyber Risk to Mission Case Study: Norsk Hydro." URL: https://apps.dtic.mil/sti/trecms/pdf/AD1183007.pdf
[6] MITRE ATT&CK, "Stuxnet, Software S0603." URL: https://attack.mitre.org/software/S0603/
[7] MITRE ATT&CK, "Triton, Software S1009." URL: https://attack.mitre.org/software/S1009/
[8] MITRE Corporation, "Platform Independent Vectors of Techniques (PIVOT)." URL: https://apps.dtic.mil/sti/trecms/pdf/AD1180518.pdf
[9] MITRE ATT&CK, "Matrix — ICS." URL: https://attack.mitre.org/matrices/ics/