ICS Initial Access consists of techniques that use various entry vectors to gain an initial foothold within an Industrial Control Systems environment. These techniques target operational technology assets, engineering workstations, human-machine interfaces (HMIs), and data historians. Entry may be achieved through IT network pivoting, direct exploitation of internet-accessible ICS devices, spearphishing of OT personnel, or compromise of the supply chain.
Tactic Overview
Tactic ID: TA0108 — Matrix: ICS — Techniques: 12
The Initial Access tactic represents a phase in the adversary lifecycle where the adversary is trying to get into your ICS environment. This tactic is part of the MITRE ATT&CK ICS matrix and encompasses 12 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (12)
The following techniques are categorized under the Initial Access tactic in the MITRE ATT&CK ICS matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T0817 | Drive-by Compromise | Adversaries compromise websites visited by ICS personnel to deliver exploits targeting engineering workstations. | T0817 |
T0819 | Exploit Public-Facing Application | Adversaries exploit vulnerabilities in internet-accessible ICS applications including HMIs and web interfaces. | T0819 |
T0866 | Exploitation of Remote Services | Adversaries exploit vulnerabilities in remote services used in ICS environments to gain access to control systems. | T0866 |
T0822 | External Remote Services | Adversaries use external remote services (VPN, RDP) to gain initial access to ICS networks from the internet. | T0822 |
T0883 | Internet Accessible Device | Adversaries discover and exploit ICS devices directly accessible from the internet via Shodan or similar scanning. | T0883 |
T0886 | Remote Services | Adversaries use ICS remote services including RDP, VNC, and vendor-specific protocols for lateral movement. | T0886 |
T0847 | Replication Through Removable Media | Adversaries copy malware to removable media to move between IT and OT networks, especially air-gapped environments. | T0847 |
T0848 | Rogue Master | Adversaries set up a rogue master device to issue unauthorized commands to slave controllers in ICS environments. | T0848 |
T0865 | Spearphishing Attachment | Adversaries send targeted emails with malicious attachments to ICS operators and engineers. | T0865 |
T0862 | Supply Chain Compromise | Adversaries compromise the supply chain of ICS components including PLCs, RTUs, and engineering software. | T0862 |
T0864 | Transient Cyber Asset | Adversaries compromise portable engineering devices (laptops, USB drives) that connect between IT and OT networks. | T0864 |
T0860 | Wireless Compromise | Adversaries exploit wireless communications in ICS environments including Wi-Fi, Bluetooth, and RF protocols. | T0860 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Network segmentation (IT/OT boundary)
- Multi-factor authentication for remote access
- USB device policies
- Application whitelisting on HMIs
- Air-gapped network design
Detection Strategies
Effective detection of Initial Access techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Initial Access tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Initial Access Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026