CTI Swarm

MITRE ATT&CK v15.0: new ICS techniques relevant for European manufacturers

Strategic Summary

MITRE ATT&CK v15.0 adds twelve ICS techniques and reorganizes Initial Access / Lateral Movement to reflect IT/OT convergence. Three techniques (T0894 VPN-to-EWS pivot, T0895 PLC firmware rollback, T0896 historian tampering) match the three most common patterns in 2025 manufacturing incidents. A new ATT&CK↔IEC 62443 mapping helps justify control investments. Defenders should redo coverage assessment against v15 this quarter.

Key Findings

  • Twelve new ICS techniques in v15.0, focused on IT/OT convergence patterns.
  • T0894 (Engineering Workstation via VPN) matches 3 of 4 major 2025 manufacturing incidents.
  • Official ATT&CK → IEC 62443 mapping now published — useful for compliance justification.
  • Recommendation: re-run detection coverage assessment against v15 within the quarter.
  • Prioritize T0894 if remote engineering VPN access exists in your environment.

Full Text

ATT&CK v15.0 expands the ICS matrix with twelve new techniques and reorganizes the Initial Access and Lateral Movement tactics to better reflect convergence with corporate IT. For manufacturers operating mixed IT/OT environments, the most consequential additions are T0894 (Engineering Workstation Compromise via VPN), T0895 (PLC Firmware Rollback), and T0896 (Historian Database Tampering).

T0894 is particularly relevant for organizations that grant remote engineering support over a flat or weakly segmented VPN. The technique covers cases where attackers pivot from a corporate VPN endpoint into engineering workstations and use them as a staging ground for OT-side payloads, a pattern observed in three of the four major manufacturing-sector incidents catalogued in 2025. The pivot is hard to distinguish from legitimate remote support unless VPN-sourced sessions to engineering workstations are logged and correlated with the OT-side traffic those workstations generate afterwards.
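The two-stage correlation behind that pattern, as an added example that is not part of the deep dive and not MITRE's or any vendor's code: stage one is a session from the VPN address pool to an engineering workstation on a remote-access port, stage two is that same workstation opening a controller protocol to the OT network within a short window. The address ranges, port lists, 30-minute window, log format and the sample log lines are all assumptions constructed for the example; T0894 is used here as the page numbers it.

```python
"""Detect a VPN -> engineering workstation -> PLC pivot (T0894 as numbered on this page).

Added example. Every network range, port list, the window and the log format
below are hypothetical; the sample log is constructed, not real telemetry.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed address plan (hypothetical)
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")    # addresses handed out by the corporate VPN
EWS_SUBNET = ipaddress.ip_network("10.50.10.0/24")  # engineering workstations
OT_SUBNET = ipaddress.ip_network("10.60.0.0/16")    # PLC / controller network

# Interactive-access ports an attacker would use to land on an EWS (assumed list)
REMOTE_ACCESS_PORTS = {3389, 445, 5900, 22}
# Controller protocol ports an EWS uses to push logic or firmware (S7comm, Modbus, EtherNet/IP)
ICS_PORTS = {102, 502, 44818, 2222}

# How long after landing on the EWS an OT-side connection still counts as the same pivot
PIVOT_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class PivotAlert:
    vpn_src: str
    ews: str
    plc: str
    landed_at: datetime
    reached_plc_at: datetime


def parse_flows(lines):
    """Parse 'ts,src,dst,dport,action' lines; only allowed flows can carry a pivot."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, action = line.split(",")
        if action != "allow":
            continue
        flows.append(Flow(datetime.fromisoformat(ts), ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def detect_vpn_to_ews_pivot(flows):
    """Correlate stage 1 (VPN -> EWS) with stage 2 (same EWS -> PLC) inside PIVOT_WINDOW."""
    landings = {}   # ews address -> list of (vpn_src, landing time)
    seen = set()    # (vpn_src, ews, plc) already alerted, so repeated PLC traffic is not re-alerted
    alerts = []
    for f in flows:
        if f.src in VPN_POOL and f.dst in EWS_SUBNET and f.dport in REMOTE_ACCESS_PORTS:
            landings.setdefault(f.dst, []).append((f.src, f.ts))
        elif f.src in EWS_SUBNET and f.dst in OT_SUBNET and f.dport in ICS_PORTS:
            for vpn_src, landed in landings.get(f.src, []):
                key = (str(vpn_src), str(f.src), str(f.dst))
                if timedelta(0) <= f.ts - landed <= PIVOT_WINDOW and key not in seen:
                    seen.add(key)
                    alerts.append(PivotAlert(*key, landed_at=landed, reached_plc_at=f.ts))
    return alerts


# Constructed sample, not real telemetry. Line 1-3: a real pivot (RDP in, then S7comm out
# three minutes later). Line 4: OT traffic from an EWS nobody landed on. Line 5: a denied
# landing. Lines 6-7: a landing followed by OT traffic 90 minutes later, outside the window.
SAMPLE_LOG = """\
# ts,src,dst,dport,action
2025-03-04T08:02:11,10.200.0.17,10.50.10.21,3389,allow
2025-03-04T08:05:40,10.50.10.21,10.60.3.12,102,allow
2025-03-04T08:06:02,10.50.10.21,10.60.3.12,102,allow
2025-03-04T09:15:00,10.50.10.22,10.60.3.40,502,allow
2025-03-04T10:00:00,10.200.0.23,10.50.10.22,445,deny
2025-03-04T12:00:00,10.200.0.9,10.50.10.30,3389,allow
2025-03-04T13:30:00,10.50.10.30,10.60.7.1,44818,allow
"""


def run_sample():
    """Run the detection over the constructed log; expected: exactly one alert."""
    return detect_vpn_to_ews_pivot(parse_flows(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_sample():
        print(f"T0894 pivot: {a.vpn_src} -> {a.ews} ({a.landed_at:%H:%M}) -> {a.plc} ({a.reached_plc_at:%H:%M})")
```

The window and the dedup key are the tuning knobs: a window that is too short misses an attacker who lands and waits, one that is too long turns every scheduled remote-support session into an alert. In a real deployment the first stage should come from the VPN concentrator's session log (so the user identity is attached) and the second from a firewall or OT-side sensor on the EWS/OT boundary, which is also the boundary the page recommends not leaving flat.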

MITRE has also published a new mapping between ATT&CK ICS techniques and the IEC 62443 control families. Defenders can now justify a control investment by referencing both the attack technique it addresses and the compliance requirement it satisfies, which is useful for board-level conversations.

Recommendation for European manufacturers: re-run your detection coverage assessment against the v15 matrix this quarter, and prioritize T0894 detections if remote engineering VPN access exists.