A few years ago, we began cataloguing publicly reported OT-impacting cyber attacks to build an OT-specific dataset. We ran into a recurring problem: many incidents were grouped under "OT attacks", but they weren’t equivalent.
Some involved adversaries that never reached OT environments but still caused effects, often through impacts on IT systems or dependencies. Others touched OT systems without meaning to. And a small number were deliberate, precise, and clearly OT-focused.
Splitting them into IT and OT attacks alone was too simplistic. OT environments contain a lot of traditional IT assets like engineering workstations, patch management servers, even file shares. So when an adversary targets those, what kind of attack is it?
Existing frameworks like MITRE ATT&CK (Enterprise and ICS), the ICS Kill Chain, and the Cyber-physical Attack Lifecycle are excellent. We use them regularly. However, they fundamentally answer a different question than the one we were asking. Our challenge wasn't mapping behaviours or sequencing attack stages. It was describing the nature of the attack: the overall techniques used, the intent, and the context.
So we built our own taxonomy.
To support it, we used the Purdue Model, not as a prescriptive architecture, but as a reference point and common language for asset locations within an environment.
We defined two overarching categories, each containing underlying 'types' to better capture the nuance of real-world attacks:
Category 1: 🖥️ Attacks that use exclusively IT TTPs
• 1a: The adversary never reaches OT. Impact cascades from disruption of dependencies in IT. OT may even be disconnected or shut down out of an abundance of caution or a lack of confidence in security controls.
• 1b: The adversary reaches OT by accident or opportunistically. Traditional IT assets in the OT are touched, but the TTPs used remain purely IT-focused.
• 1c: The adversary deliberately targets traditional IT assets in OT. The OT is the target, but IT TTPs are still used.
Category 2: ⚙️ Attacks that include the use of OT TTPs
• 2a: Crude OT attacks using basic tools or frameworks. Examples include CPU STOP commands or brute-forcing HMI credentials. These tend to be noisy, overt, and imprecise.
• 2b: Higher-capability attacks involving process comprehension. The adversary understands how OT interacts with physical processes and crafts meaningful impacts accordingly.
This taxonomy helped us structure the dataset more clearly and analyse adversary targeting, intent, and impact with greater precision.
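As an added illustration (not from the original post or its dataset), the decision logic of the five types above can be written down so that each incident record is classified the same way every time. The field names, the sample incidents and the rule that Purdue levels 0 to 3 count as OT are my assumptions; the post itself only uses the Purdue Model as a reference for asset location.

```python
"""Decision logic for the two-category, five-type OT attack taxonomy.

Constructed example: the field names, the Purdue-level boundary
(levels 0-3 counted as OT) and the sample incidents are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumption: Purdue levels 0-3 are OT; levels 4-5 are enterprise IT.
OT_PURDUE_LEVELS = {0, 1, 2, 3}


@dataclass
class Incident:
    name: str
    # Purdue levels on which the adversary touched at least one asset
    purdue_levels_touched: set = field(default_factory=set)
    # Any ICS/OT-specific technique was used (e.g. CPU STOP, HMI credential brute force)
    ot_ttps_used: bool = False
    # OT (including traditional IT assets inside OT) was the intended target
    ot_deliberately_targeted: bool = False
    # Adversary tailored the impact to the physical process it understood
    process_comprehension: bool = False

    def reached_ot(self) -> bool:
        return bool(self.purdue_levels_touched & OT_PURDUE_LEVELS)


def classify(incident: Incident) -> str:
    """Return the taxonomy type: '1a', '1b', '1c', '2a' or '2b'."""
    if incident.ot_ttps_used:
        # An OT TTP can only be used against an OT asset; flag inconsistent records.
        if not incident.reached_ot():
            raise ValueError(f"{incident.name}: OT TTPs recorded but no OT level touched")
        # Category 2: split on whether the adversary understood the process.
        return "2b" if incident.process_comprehension else "2a"
    # Category 1: IT TTPs only; split on whether and why the adversary ended up in OT.
    if not incident.reached_ot():
        return "1a"
    if incident.ot_deliberately_targeted:
        return "1c"
    return "1b"


def summarise(incidents) -> dict:
    """Count incidents per taxonomy type, the kind of breakdown a dataset needs."""
    return dict(Counter(classify(i) for i in incidents))


# Constructed sample incidents, not real cases.
SAMPLE_INCIDENTS = [
    Incident("ransomware-erp-outage", {4, 5}),
    Incident("ransomware-spread-to-ews", {4, 3}),
    Incident("targeted-historian-wipe", {4, 3}, ot_deliberately_targeted=True),
    Incident("cpu-stop-broadcast", {4, 3, 1}, ot_ttps_used=True),
    Incident("tailored-setpoint-manipulation", {4, 3, 2, 1}, ot_ttps_used=True,
             ot_deliberately_targeted=True, process_comprehension=True),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(f"{inc.name:32s} -> {classify(inc)}")
    print(summarise(SAMPLE_INCIDENTS))
```

The order of the checks matters: the OT-TTP test comes first because using an OT technique is what moves an incident into Category 2 regardless of intent, while inside Category 1 the distinction between 1b and 1c rests entirely on whether OT was the intended target, which is the field analysts will most often have to judge from context.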
Next week, I’ll start sharing some findings and related visualisations from the dataset. If there are particular aspects you'd like to explore, let me know.
---
Visuals below 👇
[Image: Purdue Model]
[Image: Taxonomy]
#CyberSecurity #OTsecurity #ICSsecurity