ICS Collection consists of techniques adversaries use to gather domain-specific information from ICS environments. This includes intercepting ICS protocol communications, automated collection of process data, accessing data historians, reading I/O images from PLCs, monitoring process states, and uploading programs from controllers for analysis.
Tactic Overview
Tactic ID: TA0100 — Matrix: ICS — Techniques: 11
The Collection tactic represents a phase in the adversary lifecycle where the adversary is trying to gather data of interest and domain knowledge on your ICS environment. This tactic is part of the MITRE ATT&CK ICS matrix and encompasses 11 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (11)
The following techniques are categorized under the Collection tactic in the MITRE ATT&CK ICS matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
| T0830 | Adversary-in-the-Middle | Adversaries position themselves between communicating ICS endpoints to intercept and modify process data and control commands. | T0830 |
| T0802 | Automated Collection | Adversaries automatically collect ICS process data, configurations, and operational information from compromised systems. | T0802 |
| T0811 | Data from Information Repositories | Adversaries access ICS data historians and information repositories to collect operational data and process parameters. | T0811 |
| T0893 | Data from Local System | Adversaries collect data from local ICS engineering workstations, including project files, configurations, and process documentation. | T0893 |
| T0868 | Detect Operating Mode | Adversaries determine the current operating mode of controllers to understand process status before taking action. | T0868 |
| T0877 | I/O Image | Adversaries read the I/O image of controllers to understand the current state of physical inputs and outputs. | T0877 |
| T0801 | Monitor Process State | Adversaries monitor the state of physical processes to understand operations before manipulating them. | T0801 |
| T0861 | Point & Tag Identification | Adversaries identify data points and tags within ICS/SCADA systems to understand process variables and their meanings. | T0861 |
| T0845 | Program Upload | Adversaries upload programs from controllers to analyze control logic and understand the physical process being controlled. | T0845 |
| T0852 | Screen Capture | Adversaries capture screenshots of HMI displays to observe process visualizations and operator interfaces. | T0852 |
| T0887 | Wireless Sniffing | Adversaries capture wireless communications in ICS environments to intercept control data and credentials. | T0887 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- ICS protocol monitoring
- Access control for historians
- Encrypt ICS communications
- Monitor for unauthorized program uploads
- Physical security for control rooms
Detection Strategies
Effective detection of Collection techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
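The baseline-and-deviation approach above, applied to the ICS protocol monitoring and program-upload monitoring mitigations listed earlier, as an added example that is not code from Mjolnir Security or MITRE. It assumes a protocol monitor that emits one space-separated record per observed operation; the operation labels, the mapping to technique IDs, and all addresses are constructed for illustration.

```python
# Added example, not code from Mjolnir Security or MITRE: baseline-and-deviation
# detection over constructed ICS protocol monitoring records, flagging Collection
# operations (Program Upload T0845, I/O Image T0877, Detect Operating Mode T0868)
# from host/controller pairs never seen during the baselining window. Operation
# labels and their technique mapping are assumptions; a real monitor has its own.
COLLECTION_OPS = {"program_upload": "T0845", "read_io_image": "T0877",
                  "query_operating_mode": "T0868"}

# Constructed records in the form "timestamp src dst protocol operation".
BASELINE_LOG = [
    "2026-03-01T08:00:00Z 10.0.5.10 10.0.9.21 s7comm program_upload",
    "2026-03-01T08:00:05Z 10.0.5.10 10.0.9.21 s7comm query_operating_mode",
    "2026-03-01T08:05:00Z 10.0.5.11 10.0.9.22 s7comm read_io_image",
    "2026-03-01T08:10:00Z 10.0.5.10 10.0.9.22 s7comm read_io_image",
]
LIVE_LOG = [
    "2026-03-07T02:13:00Z 10.0.5.10 10.0.9.21 s7comm program_upload",  # baselined pair
    "2026-03-07T02:14:00Z 10.0.7.44 10.0.9.21 s7comm program_upload",  # unknown host
    "2026-03-07T02:15:00Z 10.0.7.44 10.0.9.22 s7comm read_io_image",   # unknown host
    "2026-03-07T02:16:00Z 10.0.5.11 10.0.9.23 s7comm read_io_image",   # known host, new PLC
    "2026-03-07T02:17:00Z 10.0.5.11 10.0.9.22 s7comm write_coil",      # not a Collection op
]

def parse(lines):
    """Split one record per line into a dict; fields are assumed space-separated."""
    for line in lines:
        ts, src, dst, proto, op = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "proto": proto, "op": op}

def build_baseline(lines):
    """(src, dst, op) triples seen performing Collection operations while baselining."""
    return {(r["src"], r["dst"], r["op"]) for r in parse(lines) if r["op"] in COLLECTION_OPS}

def detect_deviations(baseline, lines):
    """Alert on Collection operations outside the baseline, with a reason string."""
    known_src_ops = {(src, op) for src, _, op in baseline}
    alerts = []
    for r in parse(lines):
        technique = COLLECTION_OPS.get(r["op"])
        if technique is None or (r["src"], r["dst"], r["op"]) in baseline:
            continue  # not a Collection operation, or an already-baselined pair
        if (r["src"], r["op"]) in known_src_ops:
            reason = "known host, unseen target controller"
        else:
            reason = "host never performed this operation during baseline"
        alerts.append({"ts": r["ts"], "src": r["src"], "dst": r["dst"],
                       "op": r["op"], "technique": technique, "reason": reason})
    return alerts
```

Running `detect_deviations(build_baseline(BASELINE_LOG), LIVE_LOG)` yields three alerts: two for the unknown host 10.0.7.44 and one for a known engineering host reading the I/O image of a controller it never touched during baselining; the coil write is ignored because it is not a Collection operation.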
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Collection tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Collection Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Written by Mjolnir Security Research — Published March 7, 2026
