MITRE Engenuity announced on Monday the results of its first-ever ATT&CK Evaluations for Industrial Control Systems (ICS). 

Researchers with MITRE used the Triton malware to test the detection ability of five different cybersecurity products from ICS vendors. The results of the exam can be found here

Industrial control systems are used by many of the world’s most critical infrastructures, including energy transmission and distribution plants, oil refineries, wastewater treatment facilities and more.

MITRE Evaluations created a “curated knowledge base of adversary tactics, techniques and procedures based on known threats to industrial control systems” and used it to test products from Armis, Claroty, Microsoft, Dragos and the Institute for Information Industry.

MITRE said in a statement that Triton had been created by Russia’s Central Scientific Research Institute of Chemistry and Mechanics and had been used to attack industrial control systems across North America, Europe and the Middle East. The malware stops officials from addressing hazards and other conditions by specifically targeting safety systems. 

The US Treasury Department imposed sanctions on the Russian institute after Triton was used to shut down a Saudi refinery. 

Otis Alexander, leader of the ATT&CK Evaluations for ICS, said they chose to emulate the Triton malware because it targets safety systems, which “prevent some of the worst consequences from happening when something goes wrong in an industrial control setting.” 

“The amount of publicly reported data from the attacks and the devastating impact of the malware help ensure this is a robust emulation. We hope the evaluations can help organizations find security tools that are best suited to their individual needs,” Alexander said. 

“Our evaluations are intended to take the guesswork out of the process while providing realistic expectations about what security products can provide.”

According to MITRE, there are multiple ways ICS attacks can be detected and a number of different products that can handle the task. The study was part of a larger effort to help cybersecurity teams understand their tools and improve their work. 

The tests can help organizations understand which cybersecurity products are best at handling “volume of detections, the stage of attack when the detections occur, the types of data sources offered and how information may be presented.”

Yuval Eldar, general manager for IoT/OT security at Microsoft, said that with recent attacks targeting core business operations, community collaboration will help improve security products. He thanked MITRE Engenuity for the chance to test their agentless Azure Defender for IoT solution and Azure Sentinel SIEM/SOAR solution. 

“We look forward to our continued partnership and building upon what we learned about the need for a holistic SIEM/XDR view across networks, endpoints, identity, and other domains in our clients’ IT/OT infrastructures,” Eldar said. 

The ICS evaluations are intended to help organizations decide between cybersecurity products. MITRE Engenuity also provides similar services for security products for enterprise networks. They recently used attacks from cybercrime groups FIN7 and Carbanak to test 29 different cybersecurity products. 

Frank Duff, general manager of the ATT&CK Evaluations program, said vendors trust the organizations “to improve their offerings, and the community trusts that we’ll provide transparency into the technology that is necessary to make the best decisions for their unique environment.” 

“Unlike closed door assessments, we use a purple teaming approach with the vendor to optimize the evaluation process,” Duff explained. “MITRE experts provide the red team while the vendor provides the blue team to ensure complete visibility, while allowing the vendor to learn directly from ATT&CK experts.”