MITRE ATT&CK ICS Techniques
The techniques RadMah AI supports for ICS attack dataset generation, grouped by effect path (write-side vs read-side) with consistent ground-truth labels on every affected row.
Write-side techniques (command-path injection)
Write-side attacks cause the applied_value to diverge from the operator's intended_value. Any such tamper is labelled in commands.ndjson with write_source="attacker" and a non-zero technique_id column, so a downstream IDS trained on the bundle can learn the divergence.
| Technique | Family | Effect |
|---|---|---|
| T0831 | Manipulation of Control | Operator setpoint or actuator command is altered before it reaches the process. Labelled as command_state="manipulated". |
| T0835 | Manipulate I/O Image | Operator write does not reach the process. Labelled as command_state="blocked". |
| T0836 | Modify Parameter | Controller tuning or limit parameters are altered rather than the setpoint itself. Labelled as command_state="parameter_modified". |
| T0855 | Unauthorized Command Message | A write appears in the stream that the operator never issued. Labelled as write_source="attacker" with no preceding operator row. |
Read-side techniques (observation-path manipulation)
Read-side attacks change what the operator sees. In telemetry rows, reported_value diverges from true_value, and affected rows are labelled with the technique id.
| Technique | Family | Effect |
|---|---|---|
| T0804 | Block Reporting Message | Drops the sensor reading so the operator sees a stale value. Reported value equals the previous tick’s value. |
| T0814 | Denial of Service | Withholds supervisory frames, producing long stale windows. |
| T0829 | Loss of View | Suppresses an entire channel. All reads for the targeted tag block for the campaign window. |
| T0832 | Manipulation of View | Applies a bias / scaling / replay transform to the reported value while keeping the true value intact. |
| T0846 | Remote System Discovery | Emits recon scan traffic into the protocol capture. Recorded as an event in ics_security. |
| T0856 | Spoof Reporting Message | A historical sensor value is replayed into the reported stream while the underlying process has moved on. |
Firmware and supply-chain techniques
| Technique | Family | Effect |
|---|---|---|
| T0857 | System Firmware | A firmware load event appears in the protocol capture and the affected actuator’s behaviour shifts from that point onward. |
| T0882 | Theft of Operational Information | An upstream supply node is disrupted and the effect propagates through to downstream signals (flow drops, level decays). |
Ground-truth labelling
Every telemetry row carries a labels object with regime (normal / high_load / fault) and anomaly (none / the technique id). Commands rows carry ground_truth (clean / control_attack) plus the technique_id. This labelling is what turns a simulation bundle into an IDS training corpus.
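A consistency check for the labelling scheme above, added here as an example and not part of the RadMah AI SDK: it loads constructed commands.ndjson and telemetry rows and reports rows whose labels contradict the documented effects (the tick and tag field names are assumptions; technique_id 0 is taken to mean "no technique").

```python
import json

# Constructed sample rows (not RadMah AI output) using the field names this
# page documents; "tick" and "tag" are assumed names for the row index and
# the affected point. technique_id 0 means "no technique", as the page implies.
COMMANDS_NDJSON = """\
{"tick": 1, "tag": "FIC101.SP", "write_source": "operator", "intended_value": 50.0, "applied_value": 50.0, "technique_id": 0, "ground_truth": "clean"}
{"tick": 2, "tag": "FIC101.SP", "write_source": "attacker", "intended_value": 50.0, "applied_value": 80.0, "technique_id": "T0831", "ground_truth": "control_attack", "command_state": "manipulated"}
{"tick": 3, "tag": "FIC101.SP", "write_source": "attacker", "intended_value": 50.0, "applied_value": 80.0, "technique_id": 0, "ground_truth": "clean"}
"""
TELEMETRY_NDJSON = """\
{"tick": 1, "tag": "LI201.PV", "true_value": 40.0, "reported_value": 40.0, "labels": {"regime": "normal", "anomaly": "none"}}
{"tick": 2, "tag": "LI201.PV", "true_value": 41.5, "reported_value": 40.0, "labels": {"regime": "normal", "anomaly": "T0804"}}
{"tick": 3, "tag": "LI201.PV", "true_value": 43.0, "reported_value": 40.0, "labels": {"regime": "normal", "anomaly": "none"}}
{"tick": 4, "tag": "LI201.PV", "true_value": 44.0, "reported_value": 60.0, "labels": {"regime": "normal", "anomaly": "T0832"}}
{"tick": 5, "tag": "LI201.PV", "true_value": 45.0, "reported_value": 61.0, "labels": {"regime": "normal", "anomaly": "T0804"}}
"""

def load_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def check_commands(rows):
    """Write side: attacker writes need a technique id and control_attack; operator writes must not diverge."""
    findings = []
    for r in rows:
        has_tid = r.get("technique_id") not in (0, None, "")
        if r["write_source"] == "attacker":
            if not has_tid or r.get("ground_truth") != "control_attack":
                findings.append(f"tick {r['tick']}: attacker write is unlabelled")
        elif r["applied_value"] != r["intended_value"]:
            findings.append(f"tick {r['tick']}: applied != intended but write_source is operator")
    return findings

def check_telemetry(rows):
    """Read side: reported != true must be labelled; a T0804 row must repeat the previous tick's reported value."""
    findings, prev = [], {}
    for r in rows:
        anomaly = r["labels"]["anomaly"]
        last = prev.get(r["tag"])  # per-tag history for the stale-value check
        if r["reported_value"] != r["true_value"] and anomaly == "none":
            findings.append(f"tick {r['tick']}: reported/true diverge with anomaly=none")
        if anomaly == "T0804" and last and r["reported_value"] != last["reported_value"]:
            findings.append(f"tick {r['tick']}: T0804 label but value is not stale")
        prev[r["tag"]] = r
    return findings

def validate_bundle(commands=COMMANDS_NDJSON, telemetry=TELEMETRY_NDJSON):
    """Finding counts per file; zero everywhere means the labels are self-consistent."""
    return {"commands": len(check_commands(load_ndjson(commands))),
            "telemetry": len(check_telemetry(load_ndjson(telemetry)))}
```

Run the same checks over a real bundle before training on it; any non-zero count marks rows whose ground truth would teach the IDS the wrong thing.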
Customer code reaches the canonical technique catalog through the SDK call GET /v1/client/capabilities/mitre-ics. This is the only remaining "capabilities" endpoint: it is consumed in-workflow by the client-area MITRE panel and is the source of truth for which technique ids the platform recognises.