
Enhancing the MITRE ATT&CK® Framework for Cyber-Physical Systems Using Insights from Advanced Persistent Threats

by Michael Mc Cabe 1,* and Siv Hilde Houmb 1,2
1 Department of Information Security and Communication Technology, Norwegian University of Science and Technology, 2815 Gjøvik, Norway
2 Norwegian Defence Cyber Academy, Norwegian Defence University College, 2617 Lillehammer, Norway
* Author to whom correspondence should be addressed.
Appl. Sci. 2026, 16(4), 1815; https://doi.org/10.3390/app16041815
Submission received: 10 December 2025 / Revised: 2 February 2026 / Accepted: 4 February 2026 / Published: 12 February 2026
(This article belongs to the Special Issue Infrastructure Resilience Analysis)

Abstract

In recent years, numerous Advanced Persistent Threats (APTs) have carried out cyber-physical attacks on critical infrastructures. Ukraine has been the victim of several advanced campaigns against its power grids, exemplifying a growing trend of disruptive and potentially destructive attacks. Although frameworks like the MITRE ATT&CK® (ATT&CK) document adversaries’ behaviour across various domains, they show limitations in representing the unique characteristics of cyber-physical attacks. Existing models often fail to capture the integration of physical processes, system states, and domain-specific impacts that are essential to understand threats in cyber-physical environments. This gap hinders the ability to fully model how APTs exploit physical components alongside cyber. This research investigates the limitations of the ATT&CK Industrial Control System (ICS) framework in the context of Cyber-Physical System (CPS). A capability analysis of selected Russian APTs known to target CPS was conducted, resulting in conceptual enhancements to better represent their relevant tactics and techniques. These enhancements were evaluated through semi-structured interviews with cybersecurity professionals. The findings indicate the need for improved representation of interactions in the physical domain, along with greater contextual detail on tactics and techniques. Although the study is exploratory, the enhancements provide a foundation for future research to strengthen CPS threat analysis.

1. Introduction

In 2024, InfraCERT, the Norwegian sector CERT for electrical power and petroleum, assessed that it is likely that members will experience attacks with a disruptive effect, and it is highly likely that threat actors are developing methods to achieve destructive attacks [1]. In recent years, we have seen attacks in which cyber tools are capable of altering management and control systems in critical infrastructure, affecting the physical state of systems [2].
Stuxnet is one of the most notable cyber attacks on an industrial system, which effectively delayed the Iranian nuclear programme [3]. Since the beginning of the conflict between Ukraine and Russia, Ukraine has experienced advanced cyber attacks attributed to Russian Advanced Persistent Threats (APTs) [4]. Among the number of cyber attacks, Ukraine experienced at least three disruptive attacks on its power grid, in 2015 [5], 2016 [6], and 2022 [7]. Cyber-physical attacks pose a substantial threat to critical infrastructures, which have increasingly become the focus of APT campaigns. These are often tied to geopolitical tensions and hybrid warfare.
MITRE ATT&CK® (ATT&CK) taxonomy is a knowledge base to model tactics, techniques, and procedures (TTP) of known adversaries and attacks and can be used to model threats [8]. The cyberattacks on Ukraine and the Stuxnet attack are mapped to both the Enterprise and Industrial Control System (ICS) domains. The ATT&CK ICS was created to better understand adversaries in industrial environments. Cyber-physical system (CPS) is an evolving term for systems in which computational and physical processes are deeply intertwined, enabling applications in healthcare, transportation, and critical infrastructure. However, research underscores the inadequacies of existing frameworks in comprehensively modeling and mitigating threats to CPS, particularly in addressing the physical domain, processes, and societal role.
By evaluating the terms of ICS and CPS, this paper aims to assess the applicability and need for enhancements to the ATT&CK ICS taxonomy. The approach involves mapping the capabilities of Russian APTs to attack CPS in the energy sector and examining the use of the framework in professional practice.

1.1. Motivation and Contribution

To understand advanced cyber-physical attacks, we need more knowledge about threats in the cyber-physical domain. This paper aims to increase knowledge of TTP in cyber-physical domains and propose enhancements to the ATT&CK framework. This will provide insight into how APTs attack CPSs, and how the term CPS is understood and used both in academic research and by cybersecurity professionals.
The general problem is to study the taxonomy of the ATT&CK ICS and the need for enhancements to evaluate the threat to CPS. The research questions this paper addresses are as follows:
RQ1.
What capabilities do Russian APTs have to carry out cyber-physical attacks on CPS?
RQ2.
What enhancements to the ATT&CK framework can be derived from an analysis of Russian APT capabilities?
RQ3.
What enhancements to cyber security frameworks do cyber professionals find needed for threat modelling of CPS?

1.2. Organisation and Limitations

The paper is organised as follows: Section 2 presents background information related to CPS, APT, and ATT&CK. Section 3 reviews related work and highlights existing approaches relevant to this study. Section 4 describes the research design and the data collection process. Section 5 presents the results of the analysis, which are then discussed in Section 6. Finally, Section 7 concludes the research and lists key findings and insights from the discussion.
APTs and CPSs are broad areas of research, and this paper limits the study to a selection of Russian APTs that have a history of targeting ICS: Dragonfly [9], Sandworm [10], TEMP.Veles [11] and ALLANITE [12]. The selection of APTs was based on documented ICS TTP in the ATT&CK framework, version 16. Lastly, the enhancements are conceptual and preliminary in nature due to the time and scope of the research.

2. Background

2.1. Cyber-Physical System

The National Institute of Standards and Technology (NIST) developed the CPS framework to establish a shared understanding of CPS concepts through a structured framework, promoting collaboration, research integration, and innovation [13]. The framework defines CPSs as follows:
Cyber-physical systems integrate computation, communication, sensing, and actuation with physical systems to fulfil time-sensitive functions with varying degrees of interaction with the environment, including human interaction. [13] (p. 5)
A CPS can be one or multiple devices and can be a device within a system-of-systems. A single device is often referred to as a cyber-physical device, and is outlined as “A device that has an element of computation and interacts with the physical world through sensing and actuation” [13] (p. 43). CPSs are found everywhere, e.g., in vehicles, aeroplanes, factories, digital substations, and more, all of which connect the cyber and physical domains.
ICS is defined by NIST as:
General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other control system configurations such as Programmable Logical Controller (PLC), often found in industrial sectors and critical infrastructures. [14] (p. 183)
This paper adopts the definition of industrial control systems (ICSs) as control systems and limits its scope to the interface at Purdue Level 1, which connects the lower level—namely, the integration of programmable logic controllers (PLCs) and remote terminal units (RTUs) with field devices. Consequently, sensors and actuators are considered part of the CPS domain. While ICS is treated as a subset of CPSs, CPS concepts extend beyond one system and encompass systems-of-systems and other domains.

2.2. MITRE ATT&CK®

The ATT&CK framework is an open knowledge base that describes cyber adversary behaviour, based on real-world observations [8]. Originally, the matrix was created to document TTPs of cyberattacks on Microsoft Windows-based systems, but it has since been expanded to cover the Enterprise, Mobile, and ICS domains and their subdomains. The observations collected from cyber attacks are described with the model of [8]:
  • Tactics—Why an adversary is performing an action.
  • Techniques—How and what tactical goal is achieved by the action.
  • Sub-techniques—Low-level techniques and behaviour of the adversary.
  • Procedures—How techniques are implemented as a whole.
Organisations and the cyber security community can use the ATT&CK to assess, understand, and improve an organisation’s security, with the following use cases: Adversary emulation, Red teaming, Cyber Threat Intelligence Enrichment, and more.

2.3. Russian Affiliated Advanced Persistent Threat (APT)

Russia is widely recognised as one of the most prominent cyber powers in the world. Several well-known APT groups, such as Sandworm and Fancy Bear, are attributed with Russian origins [15] and are frequently linked to Russian intelligence services. Russian intelligence is mainly divided into three organisations: the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the Military Intelligence (GRU). Figure 1 illustrates the relationship between these agencies and the APTs attributed to them. Table 1 provides an overview of the names some cybersecurity companies and government entities use when referring to these APTs.
The FSB Centre 16 has been linked to multiple APT operations that target critical infrastructure across Europe, Asia, and the USA [15]. For example, in 2013, they compromised a software package from a European PLC manufacturer. In 2018, they conducted a spear-phishing campaign to obtain credentials and gain access to critical infrastructure systems in the USA.
The FSB Centre 18, known as Centre for Information Security, has carried out multiple cyber espionage-related attacks and published information aligned with Russian interests [15]. For example, they leaked a trade document between the USA and the United Kingdom.
The cyber structure of Russian intelligence is constantly evolving. In 2024, the USA and its allies disclosed new information about the GRU 161st Specialist Training Center (Unit 29155). The unit has been linked to various covert operations, including attempted coups, sabotage, influence campaigns, and assassination attempts throughout Europe [16]. Notably, Unit 29155 has collaborated with non-GRU actors in their operations and is known for releasing the destructive WhisperGate malware, which has targeted Ukrainian organisations since early 2022.
Table 1. Overview of naming conventions for APT groups across various organisations.
Organisation | Dragonfly | Sandworm | TEMP.VELES | ALLANITE
Mandiant | TEMP.Isotope (UNC806/UNC2486) [17] | APT44 [18] | - | -
Dragos | DYMALLOY [19] | Electrum [20], KAMACITE [21] | XENOTIME [22] | ALLANITE [23]
ESET | Dragonfly [24] | Sandworm [25] | - | -
CISA | BERSERK BEAR [26] | GTsST/Unit 74455 [26] | TsNIIKhM [26] | -

3. Related Work

3.1. The Gap in Frameworks for Threat Analyses of CPS

Presekal et al. [27] identified limitations in how APTs are analysed in Cyber-Physical Power Systems (CPPS) when using frameworks such as ATT&CK, SANS ICS kill chain [28], and Cyber Kill chain [29]. They argue that the physical process is not included. For example, ‘point of no return’ denotes the moment in an attack when restoring a CPPS requires a major recovery effort. As a result, they proposed a new framework, the Advanced Cyber-Physical Power System (ACPPS) kill chain. The researchers found that a CPPS has most of the same characteristics as a CPS, except for differences in attack techniques, impacts, and responses [27]. Compared to ATT&CK ICS, the Cyber Kill Chain, and other frameworks, the researchers added stages E (Cause power system cascading failures and blackouts) and F (Social impact and restoration) to ACPPS, which includes specific sub-stages for a power system and its impacts. Previous stages (A-D) are related to IT and OT and are also found in the Cyber Kill Chain and ATT&CK ICS.
Akbarzadeh et al. found a shortfall in the existing Cyber Kill Chain when threat modelling APTs attacking CPS [30]. Known APTs such as Stuxnet, which attacked secure air-gapped systems, emphasise the sophistication and challenge of attacking CPSs. To collect evidence, Akbarzadeh et al. demonstrated a two-stage attack on an IEC 61850 [31] system in a hardware-in-the-loop setup, leveraging the physical domain to gain initial access [30]. The study proposed a cyber kill chain for CPS, which illustrates the relation between the cyber and physical domains:
  • Initial access [Cyber and Physical];
  • Reconnaissance [Cyber and Physical];
  • Data Exfiltration [Physical];
  • Weaponisation [Cyber];
  • Local Access [Physical];
  • Delivery [Cyber and Physical];
  • Exploitation [Cyber and Physical];
  • Actions [Cyber and Physical];
  • Sabotage [Cyber and Physical].
The time between initial access and sabotage can be prolonged, as attackers may need to recruit an insider, plant malware to gather information by data exfiltration, deliver weaponised malware, and perform additional preparatory actions and sabotage.
M. Rocchetto and N. O. Tippenhauer reviewed attacks on CPS, characteristics of APTs and attacker models, and found no common adequate attacker model for CPS [32]. They also emphasised the offensive and defensive opportunities presented by the physical layers in a CPS. The study defined a general taxonomy and created a tool to compare attack profiles and classify attacks on CPSs. To accomplish this, the researchers reviewed attacks on CPSs that target or rely on the physical layer. In their attack profile archetype, a nation-state actor would have physical knowledge of the target and motivation to target physical equipment.

3.2. Cyber Attacks on Power Grids

Accurate synchronisation to time and between devices is a key feature in many CPSs, e.g., in a power system [13]. Akbarzadeh et al. performed an attack on the Precision Time Protocol in an IEC 61850 power grid substation [33]. They managed to introduce a fake time source to the operational devices, making the original source non-operational. The study also highlighted the consequences of time manipulation in a substation and the importance of securing basic yet critical protocols. Akbarzadeh et al. further emphasised the need for local access to the substation in order to perform similar attacks, e.g., through a Virtual Private Network (VPN), delivery by USB, or through a compromised maintenance laptop [33].
Ahmad et al. developed a practical attack model to breach a power transformer diagnosis system and proposed a testbed to enhance the security of these systems [34]. The researchers used the ATT&CK framework to design attacks and scenarios and built a testbed that performed a man-in-the-middle and a Denial-of-Service (DoS) attack to disable remote control of the power transformer diagnostic system.
M. Zhang and S. Zonouz presented a physical implant designed to be attached to a PLC’s circuit board, enabling remote control by the attacker through cellular connectivity [35]. Once installed, the implant allows the attackers to control, hijack, and block digital signals and execute input/output (I/O) commands. It can be deployed through stealthy physical installations or by compromising the supply chain.

3.3. Researching Advanced Persistent Threats (APTs)

APTs exhibit distinct characteristics that differentiate them from traditional cyber threats. Chen et al. analysed the attack model and behavioural traits of APTs, identifying the following key characteristics [36]: (1) Specific Targets and Clear Objectives, (2) Highly Organised and Well-Resourced Attackers, (3) A Long-Term Campaign with Repeated Attempts, and (4) Stealthy and Evasive Techniques.
Researching APTs can be challenging due to fragmented information across industry and academic sources, and validation is difficult because incident-related raw data are often classified [37]. Lemay et al. collected information and provided a brief analysis of multiple APTs associated with China, Russia, “Western powers”, South Asia, and the Middle East [37]. The authors found that these groups evolve rapidly and improve existing attack tools. Moreover, they may join forces both domestically and across borders, which complicates the attribution of cyber attacks to specific groups or nation-states.

3.4. Summary of Related Work

Existing work has highlighted a gap in current frameworks—the limited representation of the physical domain in analyses of APT attacks on CPS. Presekal et al. [27] suggested an enhancement to the cyber kill chain. Ahmed et al. [34] and Akbarzadeh et al. [33], among others, demonstrated cyber attacks on CPS. While the related work enriches the high-level narrative of CPS threats and details low-level attacks, this research investigates the tactics and techniques used in cyber-physical attacks and maps them to the ATT&CK framework.

4. Materials and Methods

4.1. Research Design

Throughout this work, a combination of methodologies is applied, with the overarching approach based on the Technology Research methodology [38]. Figure 2 illustrates an overview of the research process, which was carried out in two iterations:
  • A literature review was conducted to investigate potential enhancements focused on attacks using the physical layer of CPS. This involved analysing the capabilities of Russian APTs, as described in Section 4.2. The findings were subsequently analysed as discussed in Section 4.2.4.
  • Insights gained from the literature review prompted a re-evaluation of the problem. Based on the identified gaps and opportunities, enhancements were formulated. These were then further evaluated through semi-structured interviews with cyber security professionals, as described in Section 4.3.
Due to time constraints and the scope of the work, the supporting evidence is limited, which impacts the validity of the paper, and the study should therefore be regarded as exploratory in nature.
Figure 2. Overview of methodology.

4.2. Multivocal Literature Review

The literature review was conducted in several phases. Initially, a problem description was formulated in the early fall of 2024, accompanied by a preliminary review of the relevant literature [39] (p. 82). To address the research problem, a targeted review was conducted in early 2025, specifically aimed at examining the capabilities of APTs.
In order to identify the capabilities of Russian APTs, a multivocal literature review [40] was chosen as the methodological approach. This decision was based on the fact that there exists limited peer-reviewed academic literature on APTs. The purpose is to search for information from governments and cybersecurity companies that publish findings based on raw and processed data collected through their products, services, and research. This approach is particularly relevant in the context of cyber threat intelligence, where governments and cybersecurity companies frequently publish detailed incident and threat reports. The multivocal literature review was conducted in three steps:
  • Collect and identify relevant keywords to search for research papers on APTs.
  • Search research libraries for selected APTs, using keywords identified in step 1.
  • Search the grey literature for selected Russian APTs.

4.2.1. Searching for Relevant Keywords

The first step was to identify related keywords commonly used in research about APTs. As mentioned in the introduction, Stuxnet is one of the most well-known APTs, and serves as a strong case study due to its demonstration of advanced capabilities and long-term persistence. Therefore, the initial keyword search focused on academic research on Stuxnet and returned numerous articles with the name in their titles.
In addition to Stuxnet, the search was extended to include another prominent APT, Sandworm, along with several of its associated aliases. These names were gathered from [10]. However, the aliases “IRIDIUM” and “ELECTRUM” were excluded from the search due to name conflicts with unrelated topics, which generated a high number of irrelevant results.
Table 2 outlines the complete list of search terms and describes the procedures followed during the search. Table 3 summarises the findings with the number of articles found and the number of relevant papers assessed. The second search, for Sandworm, returned zero research papers and is therefore excluded from Table 3.
Table 4 lists the top words collected from “author keywords” and a selection of relevant words from titles, excluding Stuxnet and Sandworm from titles. The words are grouped together, e.g., cyber attack and stealthy attack are combined into attack, as a search with that word would cover both word combinations. “Stuxnet” and “attack” were the most used words, which means that it was relevant to use the APT names and attacks from the literature searches. In addition, “industrial”, “ICS”, “CPS”, “virus”, and “worm” (similar words for malware types) are relevant. Lastly, some articles also referenced other known APTs, e.g., Refs. [41,42], which included Wannacry, Triton, Duqu, and more.

4.2.2. Searching Research Databases

In the second phase of the literature review, a search was conducted in academic research libraries using the keywords identified in the previous step. The goal was to collect data to analyse the capabilities of relevant Russian actors. The results in Table 4 showed that the use of the APT group names directly was effective in identifying the relevant literature. In addition to APT names, search terms such as CPS, ICS, and related concepts were used. Although the keyword search revealed additional terms, many fell outside the scope of this study—for example, those pertaining to “security models” and “numerical computing.” The specific search criteria applied to the database queries are presented in Table 5. Based on the volume and relevance of the results summarised in Table 3, a smaller set of databases was ultimately selected for this search.
Table 6 illustrates the results of the search in the databases specified in Table 5. The number of search results varied significantly across databases, largely due to differences in their search capabilities. However, all platforms supported filtering by title and author keywords, which helped refine the searches.

4.2.3. Searching Grey Literature

For the grey literature search, two cybersecurity companies and one government agency were selected, as listed in Table 7. The selection of sources was not based on a formal ranking of cybersecurity organisations, but rather on the author’s familiarity with reputable companies and agencies actively publishing threat intelligence and cybersecurity reports. Due to the limited search capabilities of these sites, only the names of the selected APTs were used as search queries. All known aliases attributed to each APT are outlined in Table 7, which were included in the search to account for the varying naming conventions used by different organisations. The search was conducted at the end of February 2025 and continued until mid-March 2025. A summary of the results is found in Table 8.
Although grey literature was necessary due to the limited academic coverage of the topic, it introduced both advantages and challenges. The advantage is that cybersecurity companies and government entities can provide detailed first-hand insight into threat reports, incident analyses, and group profiles, as reported in [43], for example. However, access to some reports is restricted by paywalls (e.g., Dragos), and the content may reflect a strategic decision, marketing interests, or product promotions. Furthermore, even peer-reviewed research often relied on the grey literature as a primary source.

4.2.4. Analysing Capabilities and ATT&CK Matrix

The objective of the analysis was to identify potential enhancements to the ATT&CK ICS framework based on attacks on the physical layer of CPS. As discussed in Section 5.3, the initial hypothesis of a physical-layered attack was falsified, as the analysis did not observe such a TTP. The problem was reevaluated by considering dimensions not covered by the existing taxonomy. The analysis identified suggestions to enhance the ATT&CK framework, which were later examined in this research. The analysis focused on the capabilities of Russian APT groups, interpreted through the ATT&CK ICS framework.
This research employed a directed content analysis [44] approach, using inductive reasoning to uncover tactics, techniques, and broader patterns in APT capabilities. Coding was anchored to the ATT&CK framework. This process yielded meanings and recurring themes that highlight potential gaps where the ATT&CK framework could be expanded or refined.

4.3. Semi-Structured Interview

As part of the evaluation in the second iteration, and to discuss key findings of the literature review, a semi-structured interview with a deductive approach was conducted [44]. The Related Work highlights some limitations of frameworks representing cyber-physical attacks. Based on this, the overall hypothesis for the interview is: The ATT&CK for ICS needs enhancements for CPS attacks exploiting characteristics using the physical domain. The interviews aimed to gather deeper insight from cybersecurity professionals, focusing on their perception of terms such as CPS and ICS, their use of frameworks such as the ATT&CK, and their thoughts on the enhancements. The feedback on these enhancements can contribute to understanding the subject’s perspective on cybersecurity.
The semi-structured interview method was chosen because it allows flexibility for follow-up questions and allows interviewers to explore emergent themes [45]. However, it makes reproducibility more complicated. Further, interview results depend highly on the interviewee’s ability to communicate and can be subject to misunderstandings.

4.3.1. Interview Design

A detailed interview guide is provided in [46] (p. 63). The interview is structured into three parts, each part designed with a specific purpose:
  • Part 1: Familiarise with the participants and their experience with CPS.
  • Part 2: Investigate the usage of the ATT&CK or other frameworks.
  • Part 3: Discuss the proposed enhancements from the analysis of APTs.
The target group consisted of cybersecurity professionals working with CPS, specifically in the energy sector. Participants were selected by purposive sampling [39], reaching out to individuals based on their relevant experience and role. Of the eight professionals contacted, five accepted the invitation and four interviews were conducted.
The four individuals brought diverse backgrounds, professional focuses and interests, enriching the study with varied perspectives on the challenge. While this diversity strengthens external validity and supports broader generalisation of the findings, the sample was limited to the Norwegian sector. Regarding internal validity, the sample size (n = 4) is insufficient for robust validation of the enhancements. For comparison, the ATT&CK ICS involved more than 100 experts in its initial review [47], a scale that was not feasible in this research.

4.3.2. Interview Execution

All interviews were conducted in weeks 17 and 18 in 2025. All subjects were offered the choice of virtual or physical interviews, based on their preferences. One interview was conducted in person, and the rest were conducted virtually. To ensure confidentiality and promote openness, all interviews were anonymised, and no information identifying the company or person was recorded. The intention was to let the subject speak freely without worrying about the loss of confidential information.

5. Results

5.1. Russian APTs Capability to Perform Cyber Attacks on CPS

From the search of research databases described in Section 4.2.2, six papers were found relevant to assess the capabilities of Dragonfly, Sandworm, and TEMP.VELES to conduct cyber attacks on CPS, and most papers relied on grey literature as a source of information. The ALLANITE group was briefly mentioned in a few papers and will therefore not be further discussed. Most of the literature focuses on specific attacks aimed at addressing vulnerabilities, incidents, and threats to CPS, such as BlackEnergy, Industroyer, and Triton. These cases collectively underscore the capabilities of Russian state-linked APTs to target CPS. Table 9 summarises the attacks explored in the subsequent sections.
The keyword search performed in Section 4.2 also revealed a limited number of research publications related to the selected APT groups. Across the various academic databases consulted, most searches returned between zero and five results. In the next phase of the review, described in Section 4.2.2, it became evident that many academic articles cited white papers and reports published by reputable cybersecurity companies and government agencies, rather than peer-reviewed research papers. An overview of the search results from the research databases and grey literature, including relevant articles, is presented in Table 10.

5.1.1. TEMP.VELES—Triton

TEMP.VELES is infamous for the Triton attack, which targeted Triconex Safety Instrumented Systems (SIS) controllers and caused a refinery in the Middle East to shut down for several days [49]. However, the literature does not conclusively determine whether the shutdown was caused directly by the cyberattack or whether a precautionary operational decision was made to safely restore the system.
The method for initial access remains publicly unknown, but it is believed that the attackers moved laterally through a misconfigured firewall from the IT network to the OT network [48]. This allowed them to establish a foothold on an SIS engineering workstation. From this position, the attackers waited until the controller was manually switched to PROGRAM mode, enabling them to deliver a malicious inject.bin file. This file reportedly exploited a zero-day vulnerability, performed a privilege escalation, and directly manipulated memory. As a result, the attackers gained persistent access and full configuration control over the SIS controllers.
With this level of access, TEMP.VELES was capable of sending unauthorised command messages to PLCs, potentially altering the physical process. This included actions such as forcing unsafe controller states, shutting down operations, or disabling safety mechanisms designed to prevent catastrophic failure. The report [49] mapped the attack techniques to the ATT&CK ICS.
Based on the assumed attack path, the adversary likely operated across Purdue levels 5 to 3 during the lateral movement phase. Once an SIS engineering workstation was compromised, they moved to Purdue level 2. By manipulating the controller and PLC, they influenced devices down to Purdue level 0, directly affecting physical processes.

5.1.2. Dragonfly—Havex

Havex is a well-known malware family associated with cyber-espionage campaigns targeting critical infrastructure in Europe and the USA [48]. It was typically delivered through trojanised installers attached to spear-phishing emails or downloaded from compromised vendor websites. Once executed by a user, Havex operates primarily as a Remote Access Trojan. Its main capabilities include automated reconnaissance of ICS environments and enumeration of Open Platform Communications (OPC) tags, allowing attackers to map industrial assets [49].
In addition to reconnaissance, Havex can download and execute further payloads, making it a versatile platform for espionage and potential sabotage. The malware has also been observed causing DoS conditions on OPC platforms [49], and it has primarily affected systems at Purdue levels 5 to 3, i.e., the IT and operations layers [48]. Beyond that, it can inhibit response functions and serve as a stepping stone to lower Purdue levels, potentially affecting physical processes in a CPS. In attack chains similar to those used against Ukraine's power grid, malware such as Havex can be bundled with other tools, which highlights its role as a facilitator for deeper exploitation of CPS.

5.1.3. Sandworm (Ukraine, 2015)—BlackEnergy and KillDisk

The first versions of BlackEnergy were observed in 2007, when it was used primarily as a tool for Distributed DoS attacks [50]. Over time the malware evolved significantly, and its most notorious use occurred in the 2015 attack on Ukraine's power grid, which involved a variant commonly referred to as BlackEnergy 3 [50]. Prior to the attack, the threat actor is believed to have conducted extensive reconnaissance over several months [48], gathering information from both the IT and the OT environments. Techniques such as remote service exploitation and system discovery were used to obtain remote access credentials, details of uninterruptible power supplies, and information on other critical infrastructure components. Sandworm exploited BlackEnergy's modular architecture, deploying specific components selectively depending on the target [51]. In preparation for the blackout, the attackers also staged KillDisk on various systems and network shares. KillDisk was used to delete logs, erase configurations, and disrupt recovery efforts, effectively covering the attackers' tracks.
Access to the Distribution Management System (DMS) and Human–Machine Interface (HMI) was gained through stolen VPN credentials and remote access tools, which allowed the attackers to open circuit breakers at substations remotely and initiate the blackout. During the attack, operators struggled with inaccurate telemetry, blocked communications, and a general loss of situational awareness. To further degrade recovery and increase the impact, the attackers corrupted the firmware of serial-to-Ethernet converters, disabled backup power systems, and executed KillDisk to wipe data. Concurrently, a telephony DoS attack was launched against the call centres of the affected companies, preventing communication during the attack. BlackEnergy 3 targeted devices at Purdue levels 4 to 2 [48], and the changes made at level 2 propagated to lower levels, opening circuit breakers and causing the outage.

5.1.4. Sandworm (Ukraine, 2016)—Industroyer

In 2016, Ukraine experienced a cyberattack similar to the 2015 event, in which part of Kyiv suffered a power outage of roughly one hour. As with BlackEnergy, initial access was gained through a phishing campaign, and a Command and Control (C&C) connection was established after the initial compromise [43,52]. Upon gaining access to the OT environment, the attackers deployed customised modular malware with payloads for specific industrial communication protocols: IEC 101 [53], IEC 104 [54], IEC 61850 [31] and OPC [48]. This modularity makes the malware capable of attacking both conventional and digital substations in Europe and, with adaptation, in North America. Each protocol module contained dedicated communication components for enumerating RTUs, PLCs, and other devices. This allowed the attackers to map system components and manipulate device states, ultimately interfering with physical processes, for example by leveraging Brute Force I/O to interact with cyber-physical devices. In addition to the core modules, the malware included port-scanning functionality and a DoS tool that exploits a known vulnerability in Siemens SIPROTEC protection relays [55], leaving the devices unresponsive to legitimate communication until they were manually rebooted.
Although this attack had a smaller impact than the 2015 attack, both Dragos and ESET reported a more sophisticated execution with the potential for far greater impact [43,52]. Analysts suggested that the adversary had gained deeper insight into the industrial processes and could leverage inherent safety and reliability features, for instance by opening a circuit breaker while the system tries to close it, or vice versa, and by exploiting self-protective functions to cause instability and disruption. Such actions could result in "islanding" effects, where a substation is disconnected from the grid and operates in isolation, and could have destructive physical outcomes.
The malware's activities spanned Purdue levels 4 through 0 [48], highlighting its ability to affect everything from enterprise-level systems to low-level control and physical infrastructure.
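The Industroyer protocol modules described in this subsection issue control-direction commands to RTUs. The following Python example, added here and not part of the original article or of any referenced report, shows the detection side of that behaviour: a minimal parser for IEC 60870-5-104 I-format frames that flags single commands, double commands and station interrogations sent with the cause of transmission "activation", which is the traffic an IEC 104 payload of this kind generates. Field layouts follow the IEC 60870-5-104 standard; the sample frames are constructed by hand, and because the mapping of ON/OFF to open/close depends on how the substation is wired, the detector reports the raw command state rather than an assumed breaker position.

```python
"""Minimal IEC 60870-5-104 (IEC 104) control-command detector.

Added example, not from the article or its references. Parses I-format APDUs
and flags control-direction ASDUs (single/double commands, station
interrogation) carrying cause of transmission 'activation'. All sample frames
below are constructed by hand; field layouts follow IEC 60870-5-104.
"""
from dataclasses import dataclass
from typing import List, Optional

START_BYTE = 0x68
# Type identifiers (IEC 60870-5-101/104) relevant to breaker control and discovery.
C_SC_NA_1 = 45    # single command
C_DC_NA_1 = 46    # double command
C_IC_NA_1 = 100   # (station) interrogation command
COT_ACTIVATION = 6


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioa: int
    element: int


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Return the first information object of an I-format APDU, or None for
    S/U-format frames and malformed input."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        return None
    if frame[1] + 2 != len(frame):          # length byte counts control fields + ASDU
        return None
    if frame[2] & 0x01:                      # bit0 set: S-format (01) or U-format (11), no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 10:                       # type, vsq, cot(2), ca(2), ioa(3), 1 element byte
        return None
    type_id = asdu[0]
    cot = asdu[2] & 0x3F                     # low 6 bits; bit6 = P/N, bit7 = test flag
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return Asdu(type_id, cot, common_addr, ioa, asdu[9])


def describe_command(a: Asdu) -> Optional[str]:
    """Map a control-direction ASDU with COT=activation to an alert string."""
    if a.cot != COT_ACTIVATION:
        return None
    phase = "select" if a.element & 0x80 else "execute"   # S/E bit: 1 = select, 0 = execute
    if a.type_id == C_SC_NA_1:
        state = "ON" if a.element & 0x01 else "OFF"        # SCS bit
        return f"single command {phase} {state} on IOA {a.ioa} (CA {a.common_addr})"
    if a.type_id == C_DC_NA_1:
        dcs = a.element & 0x03                              # 1 = OFF, 2 = ON, 0/3 not permitted
        state = {1: "OFF", 2: "ON"}.get(dcs, "INVALID")
        return f"double command {phase} {state} on IOA {a.ioa} (CA {a.common_addr})"
    if a.type_id == C_IC_NA_1:
        return f"station interrogation (QOI {a.element}) on CA {a.common_addr}"
    return None


def detect_commands(frames: List[bytes]) -> List[str]:
    """Run every frame through the parser and collect control-direction alerts."""
    alerts = []
    for frame in frames:
        asdu = parse_apdu(frame)
        if asdu is None:
            continue
        msg = describe_command(asdu)
        if msg:
            alerts.append(msg)
    return alerts


# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES = [
    bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 01 00 00 00"),  # C_SC_NA_1 execute OFF, IOA 1
    bytes.fromhex("68 0E 02 00 00 00 2E 01 06 00 01 00 02 01 00 02"),  # C_DC_NA_1 execute ON, IOA 258
    bytes.fromhex("68 0E 04 00 02 00 01 01 03 00 01 00 05 00 00 01"),  # M_SP_NA_1 spontaneous (monitoring)
    bytes.fromhex("68 04 01 00 02 00"),                                  # S-format acknowledgement
    bytes.fromhex("68 0E 06 00 02 00 64 01 06 00 01 00 00 00 00 14"),  # C_IC_NA_1, QOI 20
]

if __name__ == "__main__":
    for line in detect_commands(SAMPLE_FRAMES):
        print(line)
```

In a deployment the same logic would run over frames reassembled from TCP port 2404 and would compare the source address against the list of authorised SCADA masters; an activation from any other host, or a burst of interrogation commands from a newly seen one, is the anomaly a defender is looking for.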

5.1.5. Sandworm (Ukraine, 2022)

In October 2022, Ukraine experienced two disruptive events at substations, leading to power outages reminiscent of the cyber-physical attacks of 2015 and 2016 [56]. While the initial attack vector into the IT environment remains unclear, the attacker reportedly gained access to the OT environment through a hypervisor that hosted SCADA management instances. The attacker then abused a native MicroSCADA binary to issue commands to RTUs that opened circuit breakers, thereby interrupting physical power flow.
The actors caused a second disruptive event by targeting the IT environment with data-wiping malware, a newer variant of CaddyWiper [56]. This was likely intended to erase forensic evidence and conceal the details of the attack, as observed in previous incidents.
As in previous attacks in Ukraine, Sandworm successfully opened substation circuit breakers, demonstrating its ability to understand and manipulate physical processes in cyber-physical attacks. Within the literature review, the only detailed public analysis was a Mandiant threat report [56], discovered through a Dragos article [57].
This incident highlights Sandworm's evolving sophistication in conducting cyber-physical attacks. By using living-off-the-land techniques, the group likely reduced the time and resources needed to carry out the attack [56]. The techniques used suggest a growing maturity in Russia's offensive OT arsenal, including the ability to recognise novel OT threat vectors, develop new capabilities, and target various kinds of OT infrastructure.

5.1.6. VPNFilter

VPNFilter was a worldwide campaign that targeted routers and network-attached storage devices with malicious binaries that established a C&C connection [48]. The malware shipped with a packet sniffer and a Tor plug-in, enabling both stealthy data exfiltration and anonymised communication. The packet sniffer was used to intercept website credentials and to log Modbus TCP traffic. Although the malware did not interact directly with lower-level operational components, its presence at Purdue levels 4 to 3 [48] positioned it well for intelligence gathering and for delivering malware in disruptive or preparatory cyber-physical operations.

5.2. Capabilities Summary

This paper identified 14 relevant articles that analyse or provide in-depth information on cyber incidents, with the objective of assessing attack strategies targeting CPS and evaluating the capabilities of Russian APT groups. TEMP.VELES, Dragonfly, and Sandworm are all capable of conducting sophisticated attacks on CPS. A common pattern is compromise of the IT environment followed by Lateral Movement (TA0109) into the OT domain. From there, attackers typically establish a foothold on key assets such as HMIs or engineering workstations, which they use to send Unauthorized Command Messages (T0855) to RTUs and PLCs. These actions ultimately result in operational impacts, including Loss of Productivity and Revenue (T0828), Denial of Service (T0814), and Data Destruction (T0809). Moreover, these threat actors show a strong intent to maximise disruption, often by wiping devices, erasing logs, or manipulating physical processes to cause lasting damage. The attacks also exhibit a high degree of adaptability, as seen in the use of modular malware tailored to specific environments; for example, Industroyer could target the IEC 101, IEC 104, and IEC 61850 protocols, making it effective against both legacy and modern substation installations.
The power grid and substations have been repeatedly targeted in these attacks. Sandworm, in particular, has executed at least three cyber-physical attacks in Ukraine, resulting in temporary power outages. Although these incidents did not cause catastrophic consequences, the evidence suggests that the attackers possess the capability to inflict significantly greater damage to critical infrastructure, operations, and public services.

5.3. Analysis of Capabilities

Based on the literature review and analysis, six potential enhancements have been identified to improve the ATT&CK ICS matrix. The paper [27], which is also discussed in Related Work, was identified during the literature review and served as inspiration for the enhancements. None of the suggested tactics or techniques involves the direct exploitation of field devices at Purdue Level 0. Instead, the enhancements focus on distinguishing between the definitions of ICS and CPS, highlighting the role of the physical domain, and further focusing on CPS processes and impacts.
The first suggestion is Social impact. A CPS may be tightly integrated into society, and unavailability of its services can have consequences ranging from minor to severe. The cyberattacks on Ukraine in 2015, 2016, and 2022 all caused some degree of power outage. This technique focuses on the physical dimension of CPS, in contrast to the control perspective of Loss of Availability (T0826). It applies to adversary actions whose consequences affect society or human safety, for example in transportation systems and power infrastructure. It does not cover consumer devices or other non-safety-critical environments.
Secondly, Sandworm was observed attempting to cause "islanding" effects at substations, although the ambition behind this remains uncertain. Inducing such effects concurrently at multiple substations could cause a Cascading effect across a power grid. The technique applies to infrastructures that are highly interconnected through physical dynamics, including power grids, petrochemical systems, and water supply systems. It excludes attacks whose primary objective is to shut down a system or its components for the purpose of control within the ICS, and it does not include defensive actions that shut down other interconnected systems to limit the consequences.
To achieve an "islanding" effect and maximise disruption, an attacker must possess detailed knowledge of the target. The capability analysis shows that Sandworm has been expanding its domain expertise in the targeted systems, allowing the group to cause significant disruption and destruction. Therefore, Exploiting process control is proposed as a new tactic, with State manipulation as one of its techniques. For example, by changing the physical state of a system at the right moment, an adversary can exploit safety conditions and operational processes.
The capability analysis also shows that APTs have demonstrated an intent to carry out disruptive and destructive attacks; in preparation for the attacks, they took measures that later hampered recovery efforts. Although ATT&CK Enterprise includes Inhibit System Recovery (T1490), there is no obvious counterpart in the ICS domain. Consequently, this paper explores adding the technique Inhibit recovery. Its scope is adversary efforts intended to delay the restoration of operations. Examples include deleting or corrupting backup configurations, causing persistent process instability and impairment, and rendering equipment and systems inoperable through destruction. It does not include deleting active operational data or configuration, and it explicitly excludes actions that deny control of an operational device, as such behaviour is covered by existing denial-of-control techniques.
Lastly, the final enhancement explores the use of the term CPS, with a focus on the physical domain, addresses definitional ambiguities, and discusses the organisation of the ICS domain.
The ATT&CK matrix was not used initially to identify capabilities; it served as a reference point for comparison during the analysis. Tactics and techniques associated with the identified APTs are available in prior sources [9,10,11]. The enhancements are defined in Table 11.

5.4. Semi-Structured Interviews

This section presents the findings from the semi-structured interviews conducted with cybersecurity professionals working with CPS environments. The results are organised into thematic subsections aligned with the structure of the Interview Guide, which can be found in [46] (p. 63).

5.4.1. Part 1: Who Participated and What Is Their Knowledge About CPS?

Two of the interview subjects have backgrounds as industrial technicians and process engineers and later transitioned to cybersecurity engineering and architecture roles with a particular focus on industrial environments. The third participant, a cybersecurity architect, has a somewhat more theoretical background. These three professionals are all affiliated with Norwegian energy companies. The fourth participant is a cybersecurity advisor and a key stakeholder for software specialised for OT, affiliated with a provider of commercial cybersecurity services. All participants had years of professional experience and mostly worked with assets at Purdue levels 3 to 1, and in some cases across levels 4 to 0. The subjects represent different profiles of groups with security interests in CPS. In summary, the participants represent both commercial and in-house perspectives and have an interest in how processes and embedded devices can be exploited.
The interpretation and use of the terms CPS and ICS varied among subjects. Two did not distinguish between the terms, while a third stated that CPS is not used in practice. For these three, OT was the commonly adopted term, although other terms such as IACS were also mentioned. The fourth subject defined CPS as including the physical aspect, whereas ICS refers to the control system.
All participants reported using the ATT&CK framework, along with other widely recognised industry standards such as IEC 62443 [58], for guidance on securely implementing and maintaining IACS. Other cited frameworks include NIST publications, national laws, and sector-specific standards. Despite their widespread use, several participants described these frameworks as overly comprehensive and overly focused on functional requirements. Notably, none of the participants identified enhancements to these frameworks that specifically address the unique characteristics or security needs of CPS, particularly concerning the physical process layer.

5.4.2. Part 2: ATT&CK Usage and Limitations

As previously mentioned, all participants reported using the ATT&CK framework to some extent across both the Enterprise and ICS domains. Primarily, it is used as a knowledge base for threat information, risk assessments, barrier design, studies, and security analysis, which align with the use cases outlined in Section 2.2.
Although ATT&CK is described as a useful tool, subjects highlighted its reactive nature and the need for more data. Two subjects specifically emphasised the need for greater detail on procedures, mitigations, and use cases. They argued that such improvements would enhance the framework’s contextual relevance, which is often difficult to adapt to their specific systems. For example, mapping techniques to actual security incidents can be challenging without sufficient contextual information.
Several subjects also noted the presence of enterprise operating systems across all Purdue levels, down to level 1. They advocated for more integration between the Enterprise and ICS domains in the ATT&CK framework. This would improve contextual awareness and reveal interconnections, particularly given the use of enterprise operating systems in CPS. A participant further questioned the coverage of deterministic operating systems in the ATT&CK framework, specifically, real-time operating systems. The subject highlighted the emergence of MITRE EMB3D™ (EMB3D) [59], which is a more in-depth knowledge base for threat modelling of embedded systems.
Two subjects also raised concerns about the framework's limited scope. One described ATT&CK as "too Spartan", which was interpreted as the framework primarily addressing large and advanced attacks while neglecting threats faced by smaller industries and environments, e.g., the Industrial Internet of Things (IIoT), such as attacks on manufacturing robots. Another subject noted that it tends to focus on individual cases tied to specific systems, making it difficult to apply in a broader context. Furthermore, a subject observed that it offers limited value for understanding threats in the context of processes and embedded CPS, remaining largely focused on "IT attacks".
Finally, all subjects emphasised the importance of physical safety and security. One subject strongly argued that safety and security should not rely on potentially hackable digital systems. In scenarios involving significant risk to human life or severe consequences, physical barriers must take precedence over cyber defences such as network firewalls. The Triton incident was considered a critical turning point, demonstrating the high level of risk such attacks pose to physical safety.

5.4.3. Part 3: Opinions on Enhancements for ATT&CK ICS

Table 12 presents a summary map of the participants' interpreted feedback. It was gathered through discussion of each suggestion and interpreted on the following scale: "Strongly disagree", "Disagree", "Neither agree nor disagree", "Agree", "Strongly agree", or "No opinion". The level of agreement was assessed from the participants' statements on each enhancement and inferred from the depth of the discussion, with "strong" used to denote particularly emphatic responses. Even where subjects supported an enhancement, they encouraged further study and refinement of the concept.
All subjects agreed on the relevance of introducing the Social impact as a technique of Impact (TA0105) to improve the ATT&CK framework. Although there was limited discussion about whether this should be classified as a sub-technique, the subjects emphasised the potential benefits of improved risk assessment, contextual understanding, and analytical capabilities. Notably, three of the subjects work with critical infrastructure and emphasised the consequences that operational failures can cause.
The concept of Cascading effect was understood by all subjects, with frequent references to power grid scenarios. Although the likelihood of such attacks was debated, given that major attacks have not yet occurred, it was generally agreed that they would most likely be carried out by state actors.
Exploiting process control was a topic of debate, and it was assessed that the actor would be state-sponsored because of the significant expertise required. Although perceived as less likely than other types of attack, this suggestion generated considerable discussion. Two participants strongly agreed on the need for more research in this area and stressed the importance of understanding how processes can be manipulated to disrupt operations, cause sabotage, or inflict physical damage. Subjects with automation and process backgrounds showed particular interest. Combining techniques from Inhibit Response Function (TA0107) and Impair Process Control (TA0106) could enable techniques under Exploiting process control.
Next, a specific technique of Exploiting process control was discussed. One subject supported the inclusion of the State manipulation technique and additionally suggested incorporating Manipulation of View, which currently exists under a different tactic. However, because the discussion centred on the proposed tactic Exploiting process control, this topic attracted less attention and resulted in very little discussion.
The penultimate technique discussed was Inhibit recovery. All subjects agreed on the importance of recovery processes within CPS. Participants named the recovery activities they consider most important, such as configuration backups, recovery procedures, and supplier support. It was also emphasised that there are significant implications for both business continuity and societal welfare.
The last enhancement addressed Brute Force I/O (T0806) and similar techniques at the interface between Purdue levels 1 and 0. As intended, much of the discussion shifted to the definitions of CPS and ICS, and subsequently to the organisation of the ATT&CK framework. The responses did not yield a clear definition, and the topic was considered largely irrelevant by many participants. However, as described in Section 5.4.2, the current ATT&CK ICS framework may be too limited for certain attack patterns. Other names for the framework were also mentioned, such as OT with subdomains, but limited feedback was received beyond what was discussed in Section 5.4.2.

6. Discussion

6.1. CPS Term in Research

The review of the research literature showed that CPS and ICS are applied inconsistently, as supported by the interview observations, and that CPS is not a well-established term. Power grids and hydroelectric systems are often described with the term ICS. For example, ref. [48] addresses advanced cyberattacks targeting critical infrastructure, such as power grids, and their associated physical domain, which is often referred to as OT. On the other hand, Rocchetto and Tippenhauer defined CPS as: "…systems that consist of networked embedded systems, which are used to sense, actuate, and control physical processes" [32]. Ref. [32] adopts a definition similar to the one presented in Section 2.1 and also gives power plants and smart cars as examples of CPS. Kayan et al. go further and discuss the term Industrial Cyber-Physical System, the industrial domain of CPS [60]. This research, however, distinguishes only between ICS and CPS: ICS controls these environments, while CPS integrates with the physical domain. This study also encountered additional terms, such as IACS, CPPS, and IIoT, but these are not discussed further in this paper.

6.2. Frameworks

MITRE’s idea for ATT&CK ICS emerged in response to a gap in adversary analysis highlighted by the cyberattacks on Ukraine’s infrastructure in 2015 and 2016 [47]. The matrix addresses some physical aspects of the CPS domain; this research, however, explores new perspectives on the tactic Impact (TA0105) and discusses new techniques for CPS processes. A reorganisation of the ICS domain into subdomains, similar to the Enterprise domain, could also be considered. The interview subjects had varying opinions on this topic. In summary, ICS as scoped today is too narrow and does not capture the variation in OT environments.
To investigate RQ3, some interviews focused on the use of the ATT&CK framework. However, limited use of the ATT&CK framework was anticipated, so the interviews were expanded to discuss familiar frameworks for the subjects. Although the interview subjects referenced several other cybersecurity frameworks, these discussions did not yield insights into how the physical domain is addressed in relation to CPS attacks. Among the alternative frameworks mentioned, IEC 62443 has emerged as a widely adopted standard.
A subject commented on the reactive nature of the ATT&CK framework, which makes it less effective against emerging threats. MITRE acknowledges this weakness of not knowing all techniques used by all adversaries [8] and relies on contributions and publicly available information to map adversary behaviours. To shift to a proactive approach, research is needed to gain knowledge and provide evidence from case studies, for example by researching TTPs for attacks on deterministic and embedded systems.
Another subject focused on Purdue level 2 devices, including security analysis and monitoring. It was therefore expected that this subject would relate to the ATT&CK ICS matrix, since that matrix emphasises objects at Purdue levels 2 to 0 [47]. However, the subject used only the Enterprise domain because the equipment was primarily Windows-based. This illustrates the range of system types that must be covered and the need for greater integration across domains in the ATT&CK framework.
A different framework elucidated by a subject was EMB3D. EMB3D is a threat model for embedded devices in critical infrastructure, and its setup is similar to the ATT&CK framework and relies on observations of adversaries, proof-of-concept and theoretical/conceptual research publications [59]. It addresses four device properties: Hardware Architecture, System Software, Application software, and Networking. Studying the hardware property within this framework could have been valuable in addressing the initial problem and testing the previous hypothesis. As EMB3D was only fully released after the start of this research, it was not studied in sufficient detail to be included.
While some frameworks, such as ACPPS and EMB3D, are domain-specific, other widely adopted frameworks, such as IEC 62443, operate at a different level than ATT&CK. As discussed in the interviews, many subjects emphasised the demand for a broader context, and introducing a separate CPS-specific taxonomy could undermine this objective. Since ATT&CK is a globally recognised and widely used framework, it is both practical and advantageous to build on its existing taxonomy.

6.3. Capability Mapping of APTs

In iteration 1, and in order to answer RQ1, this research examined threat reports on the selected APTs, as outlined in Section 5.1. It was observed that only a few papers added in-depth data on the malware and code used in the attacks; only refs. [43,52] shared fragments of code. The limited insight into raw and processed data challenges the reliability of the data [61] (p. 102), making it difficult to verify and cross-check. Lemay et al. highlighted the monopoly of the primary data source with regard to incident data [37].
Most of the attacks analysed in this study were attributed to Sandworm, which is linked to multiple attacks in Ukraine; the most significant incidents were recorded after the annexation of the Crimean Peninsula in 2014. The attacker commonly gained access to the IT environment and then moved laterally into the OT environment. Consequently, the adversary has taken low risk while aiming for maximum gain: this method is cheaper and requires less knowledge of physical security and the physical surroundings. In other words, the capability analysis presented in Section 4.2.4 did not identify capabilities to perform physical-layer attacks on CPS directly, e.g., the attack vectors Stuxnet used to gain access. Akbarzadeh et al. emphasised that successful attacks on CPS often require some form of physical access, and that physical dimensions need to be addressed in multiple stages of the cyber kill chain [30]. An example of involving physical dimensions in a cyber-physical attack is the implant demonstrated by M. Zhang and S. Zonouz, which is physically attached to PLCs to allow manipulation or disruption [35].
Russian APTs have demonstrated extensive domain knowledge of power grid systems, with broad support for protocols in their malware, including IEC 101, IEC 104, OPC, IEC 61850, MicroSCADA systems, and more. These protocols and systems are widely adopted in the power sector, but are also used in other domains, making the group capable of attacking many industries worldwide. The group is recognised as having access to specialised equipment to customise such attacks [43], and its capabilities indicate knowledge of the systems’ physics for planning attacks.

6.4. Enhancements for MITRE ATT&CK

To address RQ2, several enhancements to the ATT&CK framework were explored based on the capability analysis in Section 5.1. This section builds on that foundation and further explores the main issues. By integrating insights from all research questions, this section discusses the enhancements individually. Table 13 summarises improvements in the context of cyberattacks and existing tactics and techniques.
Societal impact is explored as a technique within the Impact tactic. Its purpose is to capture the adversary's motivation to affect societal needs in support of the adversary's objective. For example, the cyberattacks on the Ukrainian power grid [43,56,62] were likely motivated by the conflict, with blackouts as the intended outcome. Most techniques under Impact (TA0105) in the ATT&CK ICS taxonomy are described from the perspective of the target in the ICS domain, not the surrounding impacts in the physical domain. For example, Loss of Availability (T0826) addresses the operational ability to deliver services [63]. Societal impact instead describes the physical impact of attacks on the CPS. Furthermore, many industries provide social services, and Loss of Availability (T0826) is too general to give context on capabilities. In terms of similarities, Societal impact could be a sub-technique that describes in more detail how the objective is achieved. Presekal et al. argued for a social impact in a cyber kill chain model for CPPS, using a power blackout as an example because of its severe consequences for many social services [27]. The interviews also found Societal impact relevant for ATT&CK ICS, as it can provide more context on threats, the importance of the system, and the consequences of failure. For example, both the 2021 blackout in Texas [64] and the 2025 blackout in Spain [65] led to deaths due to loss of heating and unsafe alternative heating.
Substations are interconnection points in power grids, and a disturbance in one can propagate and cause changes in other parts of the grid. ESET and Dragos [43,52] investigated a more disruptive capability of CrashOverride, which indicated the ability to cause "islanding" effects at substations. Many simultaneous changes in the power grid could cause instability and lead to a larger outage. During the winter storms in Texas in 2021, a large part of the state experienced a massive blackout. Power generation did not match demand [64], and the interdependence between oil production and electricity posed additional challenges. For a period of four minutes, the grid frequency dropped below 59.4 Hz from the nominal 60 Hz. According to the grid operator [64], a total of nine minutes below 59.4 Hz could have had cascading effects and caused a total blackout across the grid. Another example is the blackout in Spain in 2025, in the run-up to which grid oscillations (reported as 15 V in amplitude, recurring every 1.5 s) were observed [66]. Although neither incident is attributed to a cyber-physical attack, they illustrate how sensitive the physical domain is and how cyber-physical attacks could cause blackouts through Cascading effects. According to Dragos, Sandworm and other advanced adversaries have, over time, developed domain knowledge of power grid operations, making them potential threats with respect to Cascading effects. Hasan et al. modelled the behaviour of protective relays and breakers in power grids under normal and cyber-faulty conditions to simulate and analyse cascading failures [67]. Using the IEEE 14-bus system, they simulated how interactions between protection mechanisms can drive the evolution of a blackout. By replacing cyber faults with adversarial cyber-physical manipulation, such a testbed could be used to demonstrate and study the proposed techniques.
Understanding the operational and safety processes within a system opens opportunities for attackers to carry out sabotage. A 1 Hz drop in frequency in a power grid can cause blackouts [64]. An adversary can use this knowledge to calculate which and how many substations or power generators to attack simultaneously to cause enough instability for a blackout. The tactic Exploit process control was proposed for these types of attacks. Simulating behaviour models, as demonstrated in [67], can provide insights into system operations under such scenarios. Three participants supported the concept. Two participants, with backgrounds as a technician and a process operator, strongly agreed with the concept and encouraged more research in the area. Potentially exploitable processes within an oil platform were discussed; for example, an attacker could take advantage of the mud mixture and the pipeline inspection system. The importance of not relying on cyber means alone for critical systems was underscored: there must be a physical barrier that prevents exploitation of processes and process controls, for example by designing according to lockout/tagout principles [68]. However, attacks that Exploit process control were considered unlikely at the time and would require a highly skilled attacker.
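The frequency figures quoted above (the 59.4 Hz threshold, nine cumulative minutes below it, and the 1.5 s oscillations seen before the Spanish blackout) translate directly into a defender-side monitor. The following Python is an added example, not code from the paper or from the cited reports: it scores the cumulative time a frequency trace spends below the critical threshold against the nine-minute cascade limit, and estimates the period of any sustained oscillation around nominal. The alert tiers, the sampling rates and the telemetry it runs on are constructed assumptions.

```python
"""Under-frequency exposure monitor for grid frequency telemetry.

Added example, not code from the paper or from its cited reports. It turns
the figures the discussion takes from the Texas 2021 analysis [64] into a
defender-side check: nominal 60 Hz, 59.4 Hz as the critical threshold, and
nine cumulative minutes below it as the point at which operators expected a
cascading blackout. The alert tiers, the oscillation detector and the sample
telemetry are constructed assumptions.
"""
import math
from dataclasses import dataclass
from typing import List, Optional

NOMINAL_HZ = 60.0
CRITICAL_HZ = 59.4              # threshold quoted in the discussion
CASCADE_LIMIT_S = 9 * 60        # nine minutes below threshold


@dataclass
class Sample:
    t: float    # seconds since the start of the window
    hz: float   # measured system frequency


def exposure_seconds(samples: List[Sample]) -> float:
    """Cumulative seconds spent below CRITICAL_HZ (zero-order hold between samples).

    Separate excursions accumulate, so a grid that dips repeatedly is scored the
    same as one that dips once for the same total time.
    """
    total = 0.0
    for cur, nxt in zip(samples, samples[1:]):
        if cur.hz < CRITICAL_HZ:
            total += nxt.t - cur.t
    return total


def alert_level(samples: List[Sample]) -> str:
    """Map exposure to an alert tier relative to the nine-minute limit (tiers assumed)."""
    frac = exposure_seconds(samples) / CASCADE_LIMIT_S
    if frac >= 1.0:
        return "CRITICAL"
    if frac >= 0.5:
        return "WARNING"
    if frac > 0.0:
        return "NOTICE"
    return "OK"


def oscillation_period(samples: List[Sample], min_amplitude_hz: float = 0.05) -> Optional[float]:
    """Estimate the period of a sustained oscillation around nominal frequency.

    Counts sign changes of the deviation from NOMINAL_HZ; two crossings make one
    cycle. Returns None if the deviation never exceeds min_amplitude_hz or fewer
    than three crossings are seen.
    """
    dev = [s.hz - NOMINAL_HZ for s in samples]
    if not dev or max(abs(d) for d in dev) < min_amplitude_hz:
        return None
    crossings = [samples[i + 1].t for i in range(len(dev) - 1)
                 if dev[i] != 0.0 and dev[i + 1] != 0.0 and (dev[i] < 0) != (dev[i + 1] < 0)]
    if len(crossings) < 3:
        return None
    intervals = [b - a for a, b in zip(crossings, crossings[1:])]
    return 2.0 * sum(intervals) / len(intervals)


def constructed_dip(dip_seconds: int, dip_hz: float = 59.3) -> List[Sample]:
    """Constructed 1-sample-per-second telemetry: 30 s nominal, a dip below
    threshold of dip_seconds, then 30 s nominal."""
    hz = [NOMINAL_HZ] * 30 + [dip_hz] * dip_seconds + [NOMINAL_HZ] * 30
    return [Sample(float(i), h) for i, h in enumerate(hz)]


def constructed_oscillation(period_s: float = 1.5, seconds: float = 6.0,
                            step: float = 0.25) -> List[Sample]:
    """Constructed telemetry at 4 samples/s oscillating ±0.1 Hz about nominal."""
    n = int(seconds / step)
    return [Sample(i * step, NOMINAL_HZ + 0.1 * math.sin(2 * math.pi * (i * step + 0.1) / period_s))
            for i in range(n)]


if __name__ == "__main__":
    # Four minutes below threshold, as in the Texas event: still under the limit.
    trace = constructed_dip(240)
    print(f"exposure={exposure_seconds(trace):.0f}s level={alert_level(trace)}")
    print(f"oscillation period={oscillation_period(constructed_oscillation())}")
```

Frequency dwell below threshold and the onset of oscillations are physical-domain symptoms that look the same whether the cause is a storm or coordinated manipulation, which is why a monitor of this kind is a natural observable for the Cascading effect and Exploit process control enhancements.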
To support the proposed tactic Exploit process control, the technique State manipulation was introduced. This technique involves altering key system states in a CPS, which may cause process disruption or degradation. As discussed previously, the power grid’s frequency is a critical physical parameter that must remain stable to ensure reliable service, and a sudden shutdown of power generation could cause instabilities. In oil production, improper mud mixtures can cause equipment damage and safety incidents. The severity of the impact of a State manipulation depends on the nature and context of the state. Placing State manipulation as a sub-technique under Loss of Control (T0827) was also discussed. State manipulation was supported by one participant, while the others found it unclear. There is limited research and evidence addressing this concept, so this enhancement requires more research and adjustment.
The explored enhancements Cascading Effect, Exploit Process Control, and State Manipulation describe adversary behaviours that are inherently difficult to observe in real-world environments because they are rare. Nevertheless, recent work on ICS honeypots demonstrates a viable methodology for studying such behaviours. In particular, ref. [69] presents an ICS honeypot capable of simulating a water tank process and explicitly demonstrates an instance of State Manipulation through adversarial control of physical process variables. For CPS honeypots to be effective, they must incorporate realistic physical process models and feedback mechanisms. By extending such process- and state-aware environments to model additional physical processes, it becomes possible to construct controlled environments in which the explored enhancements can be systematically observed, reproduced, and analysed. Such technology can therefore support the validation and refinement of CPS-oriented extensions to the ATT&CK ICS framework.
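To make concrete what a process- and state-aware honeypot or monitor needs, the following Python is an added example (not code from the paper or from the ICSNet honeypot in [69]). It models a single water tank, keeps a shadow copy of that model inside the monitor, and flags the two forms of State manipulation the enhancement describes: a reported level the physics cannot explain (falsified state), and an actuator command that, if held, would drive the tank past a safety limit (unsafe state change). Tank parameters, tolerances, limits and the telemetry trace are constructed assumptions.

```python
"""Process-aware plausibility monitor for a water tank.

Added example, not code from the paper or from the ICSNet honeypot [69].
It shows the ingredient the discussion calls essential for CPS honeypots
and monitors: a physical model of the process that the monitor advances
itself, so that a sensor report the physics cannot explain, or an actuator
command that would drive the process out of its safe envelope, is flagged
as a possible State manipulation. Tank geometry, flow constants, limits,
tolerances and the telemetry trace are all constructed assumptions.
"""
import math
from dataclasses import dataclass, replace
from typing import List


@dataclass
class TankModel:
    """Single tank: pump inflow scaled by a valve command, gravity-driven outflow."""
    area_m2: float = 2.0            # cross-section (assumed)
    max_inflow_m3s: float = 0.02    # pump at valve = 1.0 (assumed)
    outlet_k: float = 0.004         # outflow = k * sqrt(level) (assumed)
    high_limit_m: float = 1.8       # overflow / safety trip (assumed)
    low_limit_m: float = 0.2        # pump dry-run limit (assumed)
    level_m: float = 1.0            # initial level (assumed)

    def step(self, valve: float, dt: float) -> float:
        """Advance the level by one control period; valve is clamped to [0, 1]."""
        valve = min(max(valve, 0.0), 1.0)
        q_in = valve * self.max_inflow_m3s
        q_out = self.outlet_k * math.sqrt(max(self.level_m, 0.0))
        self.level_m = max(self.level_m + (q_in - q_out) * dt / self.area_m2, 0.0)
        return self.level_m


@dataclass
class Reading:
    t: float             # seconds
    valve_cmd: float     # actuator command seen on the control network
    level_sensor: float  # level value reported by the sensor


class PlausibilityMonitor:
    """Keeps a shadow copy of the process and judges each reading against it."""

    def __init__(self, model: TankModel, dt: float = 1.0,
                 tol_m: float = 0.05, horizon_s: int = 120):
        self.model = model
        self.dt = dt
        self.tol_m = tol_m            # sensor/model disagreement tolerated
        self.horizon_s = horizon_s    # look-ahead for the command check

    def check(self, r: Reading) -> str:
        # 1. Advance the shadow model with the command that was actually sent.
        predicted = self.model.step(r.valve_cmd, self.dt)
        # 2. A sensor value the physics cannot reach in one period is implausible
        #    (spoofed or falsified state); the model, not the sensor, is trusted.
        if abs(r.level_sensor - predicted) > self.tol_m:
            return "SENSOR_IMPLAUSIBLE"
        # 3. Project the current command forward: would holding it breach a limit?
        shadow = replace(self.model)
        for _ in range(int(self.horizon_s / self.dt)):
            shadow.step(r.valve_cmd, self.dt)
            if (shadow.level_m > self.model.high_limit_m
                    or shadow.level_m < self.model.low_limit_m):
                return "UNSAFE_COMMAND"
        return "OK"


def constructed_trace() -> List[Reading]:
    """Constructed telemetry: honest operation, then a falsified sensor, then a
    pump command that would overflow the tank. 'plant' is the ground truth."""
    plant = TankModel()
    trace, t = [], 0.0
    for _ in range(5):                        # phase 1: valve 0.3, honest sensor
        t += 1.0
        trace.append(Reading(t, 0.3, plant.step(0.3, 1.0)))
    for _ in range(3):                        # phase 2: pump up, sensor claims 0.6 m
        t += 1.0
        plant.step(0.8, 1.0)
        trace.append(Reading(t, 0.8, 0.6))
    for _ in range(2):                        # phase 3: valve fully open, honest sensor
        t += 1.0
        trace.append(Reading(t, 1.0, plant.step(1.0, 1.0)))
    return trace


def replay(trace: List[Reading]) -> List[str]:
    """Run the monitor over a trace and return one verdict per reading."""
    monitor = PlausibilityMonitor(TankModel())
    return [monitor.check(r) for r in trace]


if __name__ == "__main__":
    for r, verdict in zip(constructed_trace(), replay(constructed_trace())):
        print(f"t={r.t:5.1f}s valve={r.valve_cmd:.1f} level={r.level_sensor:.3f} -> {verdict}")
```

The design point is that the monitor never trusts the reported state on its own: it carries the same physics the honeypot exposes to the adversary, so a binary change (pump on/off) and a continuous change (a falsified level) are both judged against what the process could actually do in one control period.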
Moreover, all interview participants supported the importance of Inhibit recovery. The attacks in Ukraine involved multiple actions that delayed recovery efforts. Russian APTs demonstrated a recurring pattern of disruptive and destructive intent, often aimed at permanently deleting or damaging system components and causing persistent process impairment. Once a power grid is in a blackout, recovery can take a long time; after the blackout in Spain, it took more than 20 h for the grid to be fully operational again [66]. While the ICS framework covers controller-related processes, Inhibit recovery includes lower-level and physical recovery efforts. Figure 3 shows the proposed expansion of the ICS framework. Although this research did not identify any physical destruction, real-world examples of physical damage to embedded devices exist. For example, the Fuxnet malware attacked thousands of sensors in Russia, destroying memory chips and altering UBI volumes [70], which resulted in an extended recovery time because the devices had to be replaced. Stuxnet is another example, in which the adversary intentionally destroyed centrifuges. While Data Destruction (T0809) also describes the deletion of configuration backups, it does not include physical destruction as a means of delaying recovery, and it serves tactical purposes other than long-term operational damage or loss.
The last proposal aimed to discuss the terms ICS and CPS, and whether techniques such as Brute Force I/O (T0806) and Block Serial COM (T0805) are covered by the CPS term and the physical domain. Among the participants, there were few opinions on the topic. There was, however, consensus on greater integration with other domains and on exploring more industrial environments. Overall, there is little evidence or argument for this enhancement.
In summary, support was found for four enhancements: Societal impact, Cascading effect, Exploit process control, and Inhibit recovery. Societal impact and Inhibit recovery are tangible concepts that can be related to historical cyberattacks, whereas Cascading effect and Exploit process control are more conceptual and warrant further research, particularly in practical applications. The enhancements explore how the physical domain can extend, and be incorporated into, the ATT&CK ICS framework. In terms of generalisation, many of the examples and discussions relate to power grids, and future research should include an in-depth analysis of the petroleum and hydropower sectors.

7. Conclusions

This research explored the limitations of the ATT&CK ICS framework for mapping TTPs in the context of CPS. The research followed a structured methodology based on the Technology Research design, with iterative phases to investigate the problem. It began with a literature review analysing the capabilities of Russian APTs and their relevance to CPS. The selected APTs were found to be more than capable of attacking CPS, and their capabilities were reviewed to identify enhancements to the ATT&CK framework, using the ICS and CPS definitions as a base. The enhancements explored how the physical domain of CPS can be relevant to future cyberattacks and to impacts and processes within CPS.
Based on the enhancements, interviews were conducted with four cybersecurity professionals experienced in CPS and ICS security. These interviews provided insights into how the ATT&CK framework is used. Although the interviewees acknowledged the usefulness of the framework, they described challenges and limitations regarding its reactive nature, limited contextual depth, and insufficient coverage of a wider range of systems. Among the interview participants, there was broad agreement on the importance and relevance of certain enhancements: Societal impact, Cascading effects, Exploit process control, and Inhibit recovery could strengthen the applicability of the framework to CPS threat modelling. Cascading effects and Exploit process control were discussed extensively by some of the subjects, highlighting the need for further research into how process manipulation could be used to disrupt operations or cause physical damage. Beyond specific techniques, the participants emphasised the importance of improved integration with the other ATT&CK domains to reflect the interconnected nature of CPS. One subject pointed to alternative initiatives, such as EMB3D, that may be more relevant to embedded threats. Future research should repeat the same study using EMB3D, ACPPS, and similar frameworks.
Although this research advances the understanding of the ATT&CK ICS framework and of threats to CPS, it has some limitations. The enhancements are exploratory and serve as a basis for future research, which will expand the scope by analysing additional cyberattacks and conducting practical demonstrations. Future work will also include a broader range of interviews, both in number and geographically, to strengthen the reliability and generalisability of the findings. Another important topic for future research is analysing the enhancements by means of detection methods and process-aware honeypots.

Author Contributions

Conceptualization, S.H.H. and M.M.C.; methodology, M.M.C.; formal analysis, M.M.C.; investigation, M.M.C.; writing—original draft preparation, M.M.C.; writing—review and editing, S.H.H. and M.M.C.; supervision, S.H.H. All authors have read and agreed to the published version of the manuscript.

Funding

This research is partly funded by the Research Council of Norway-funded CORESIM (Context-Based Real-Time OT-IT Systems Integrity Management) project.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in the study are included in the article; further inquiries can be directed to the corresponding author.

Acknowledgments

This paper is part of a larger suite of cyber-attack and APT analysis being performed as part of the Research Council of Norway-funded CORESIM (Context-Based Real-Time OT-IT Systems Integrity Management) project.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
ACPPS: Advanced Cyber-Physical Power System
APT: Advanced Persistent Threat
CPPS: Cyber-Physical Power System
CPS: Cyber-Physical System
C&C: Command and Control
DoS: Denial of Service
EMB3D: EMB3D™
FSB: Federal Security Service
GRU: Military Intelligence
HMI: Human Machine Interface
IACS: Industrial Automation and Control System
ICS: Industrial Control System
IEC: International Electrotechnical Commission
I/O: Input/Output
NIST: National Institute of Standards and Technology
OPC: Open Platform Communications
PLC: Programmable Logic Controller
RTU: Remote Terminal Unit
TTPs: Tactics, Techniques, and Procedures
VPN: Virtual Private Network

References

  1. InfraCERT. Trusselvurdering 2024; Technical Report; InfraCERT: Oslo, Norway, 2024.
  2. Norwegian National Security Authority. Risiko 2024; Technical Report; Norwegian National Security Authority: Kolsås, Norway, 2024.
  3. Knapp, E.D.; Langill, J.T. Chapter 7—Hacking Industrial Control Systems. In Industrial Network Security, 2nd ed.; Knapp, E.D., Langill, J.T., Eds.; Syngress: Boston, MA, USA, 2015; pp. 171–207.
  4. Przetacznik, J.; Tarpova, S. Russia’s War on Ukraine: Timeline of Cyber-Attacks; Technical Report; European Parliament: Strasbourg, France, 2022.
  5. 2015 Ukraine Electric Power Attack, Campaign C0028. Available online: https://attack.mitre.org/campaigns/C0028/ (accessed on 1 December 2024).
  6. 2016 Ukraine Electric Power Attack, Campaign C0025. Available online: https://attack.mitre.org/campaigns/C0025/ (accessed on 1 December 2024).
  7. 2022 Ukraine Electric Power Attack, Campaign C0034. Available online: https://attack.mitre.org/campaigns/C0034/ (accessed on 1 December 2024).
  8. Strom, B.E.; Applebaum, A.; Miller, D.P.; Nickels, K.C.; Pennington, A.G.; Thomas, C.B. MITRE ATT&CK®: Design and Philosophy; Technical Report; MITRE: McLean, VA, USA, 2020.
  9. Dragos Threat Intelligence. Dragonfly. Available online: https://attack.mitre.org/groups/G0035/ (accessed on 4 February 2025).
  10. Dragos Threat Intelligence; Karabacak, H. Sandworm Team. Available online: https://attack.mitre.org/groups/G0034/ (accessed on 2 February 2025).
  11. Dragos Threat Intelligence. TEMP.Veles. Available online: https://attack.mitre.org/groups/G0088/ (accessed on 4 February 2025).
  12. Dragos Threat Intelligence. ALLANITE. Available online: https://attack.mitre.org/groups/G1000/ (accessed on 4 February 2025).
  13. Griffor, E.R.; Greer, C.; Wollman, D.A.; Burns, M.J. Framework for Cyber-Physical Systems: Volume 1, Overview; Technical Report NIST SP 1500-201; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2017.
  14. Stouffer, K.; Pease, M.; Tang, C.; Zimmerman, T.; Pillitteri, V.; Lightman, S.; Hahn, A.; Saravia, S.; Sherule, A.; Thompson, M. Guide to Operational Technology (OT) Security; Technical Report NIST SP 800-82r3; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2023.
  15. Russia’s FSB Malign Activity: Factsheet. Available online: https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet (accessed on 29 December 2024).
  16. Federal Bureau of Investigation; Cybersecurity & Infrastructure Security Agency; National Security Agency; U.S. Department of the Treasury; U.S. Department of State; U.S. Cyber Command Cyber National Mission Force; Netherlands Defence Intelligence and Security Service; Czech Military Intelligence; Czech Republic Security Information Service; German Federal Office for the Protection of the Constitution; et al. Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure; Technical Report; Cybersecurity and Infrastructure Security Agency: Washington, DC, USA, 2024.
  17. Hultquist, J. Anticipating Cyber Threats as the Ukraine Crisis Escalates. Available online: https://cloud.google.com/blog/topics/threat-intelligence/ukraine-crisis-cyber-threats (accessed on 8 February 2025).
  18. Roncone, G.; Black, D.; Wolfram, J.; McLellan, T.; Simonian, N.; Hall, R.; Prokopenkov, A.; Jenkins, L.; Perez, D.; Aytes, L.; et al. Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm. Available online: https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm (accessed on 8 February 2025).
  19. Dragos Inc. DYMALLOY. Available online: https://www.dragos.com/threat/dymalloy/ (accessed on 8 February 2025).
  20. Dragos Inc. ELECTRUM. Available online: https://www.dragos.com/threat/electrum/ (accessed on 8 February 2025).
  21. Dragos Inc. KAMACITE Threat Group. Available online: https://www.dragos.com/threat/kamacite/ (accessed on 13 May 2025).
  22. Dragos Inc. XENOTIME. Available online: https://www.dragos.com/threat/xenotime/ (accessed on 8 February 2025).
  23. Dragos Inc. ALLANITE. Available online: https://www.dragos.com/threat/allanite/ (accessed on 8 February 2025).
  24. Cluley, G. US Warns of Ongoing Attacks on Energy Firms and Critical Infrastructure. Available online: https://www.welivesecurity.com/2017/10/22/us-warns-ongoing-attacks-energy-firms-critical-infrastructure/ (accessed on 9 February 2025).
  25. Holt, R. Sandworm: A Tale of Disruption Told Anew. Available online: https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/ (accessed on 9 February 2025).
  26. Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure. Available online: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a (accessed on 9 February 2025).
  27. Presekal, A.; Ştefanov, A.; Rajkumar, V.S.; Semertzis, I.; Palensky, P. Advanced Persistent Threat Kill Chain for Cyber-Physical Power Systems. IEEE Access 2024, 12, 177746–177771.
  28. Hutchins, E.M.; Cloppert, M.J. The Industrial Control System Cyber Kill Chain; Technical Report; SANS Institute: North Bethesda, MD, USA, 2025.
  29. Cyber Kill Chain®. Available online: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html (accessed on 21 May 2025).
  30. Akbarzadeh, A.; Erdődi, L.; Houmb, S.; Soltvedt, T. Two-stage advanced persistent threat (APT) attack on an IEC 61850 power grid substation. Int. J. Inf. Secur. 2024, 23, 2739–2758.
  31. IEC 61850 Series; Communication Networks and Systems for Power Utility Automation. IEC: Geneva, Switzerland, 2023.
  32. Rocchetto, M.; Tippenhauer, N.O. On Attacker Models and Profiles for Cyber-Physical Systems. In Proceedings of the Computer Security—ESORICS 2016; Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C., Eds.; Springer: Cham, Switzerland, 2016; pp. 427–449.
  33. Akbarzadeh, A.; Erdodi, L.; Houmb, S.H.; Soltvedt, T.G.; Muggerud, H.K. Attacking IEC 61850 Substations by Targeting the PTP Protocol. Electronics 2023, 12, 2596.
  34. Ahmad, S.; Ahn, B.; Alvee, S.R.B.; Trevino, D.; Kim, T.; Youn, Y.W.; Ryu, M.H. Advanced Persistent Threat (APT)-Style Attack Modeling and Testbed for Power Transformer Diagnosis System in a Substation. In Proceedings of the 2022 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT); IEEE: Piscataway, NJ, USA, 2022; pp. 1–5.
  35. Zhang, M.; Zonouz, S. Control Corruption without Firmware Infection: Stealthy Supply Chain Attacks via PLC Hardware Implants (MalTag). In Proceedings of the 2024 ACM/IEEE 15th International Conference on Cyber-Physical Systems (ICCPS); IEEE: Piscataway, NJ, USA, 2024; pp. 247–258.
  36. Chen, P.; Desmet, L.; Huygens, C. A Study on Advanced Persistent Threats. In Communications and Multimedia Security; De Decker, B., Zúquete, A., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; pp. 63–72.
  37. Lemay, A.; Calvet, J.; Menet, F.; Fernandez, J.M. Survey of publicly available reports on advanced persistent threat actors. Comput. Secur. 2018, 72, 26–59.
  38. Solheim, I.; Stølen, K. Technology Research Explained; Technical Report; SINTEF ICT: Trondheim, Norway, 2007.
  39. Ormrod, J.E.; Leedy, P.D. Practical Research: Planning and Design, 12th ed.; Pearson Education: London, UK, 2021.
  40. Garousi, V.; Felderer, M.; Mäntylä, M.V. Guidelines for including grey literature and conducting multivocal literature reviews in software engineering. Inf. Softw. Technol. 2019, 106, 101–121.
  41. Al-Rabiaah, S. The “Stuxnet” Virus of 2010 As an Example of A “APT” and Its “Recent” Variances. In Proceedings of the 2018 21st Saudi Computer Society National Computer Conference (NCC); IEEE: Piscataway, NJ, USA, 2018; pp. 1–5.
  42. Vostoupal, J. Stuxnet vs. WannaCry and Albania: Cyber-attribution on trial. Comput. Law Secur. Rev. 2024, 54, 106008.
  43. Cherepanov, A. A New Threat for Industrial Control Systems; Technical Report; ESET: Bratislava, Slovakia, 2017.
  44. Zhang, Y.; Wildemuth, B.M. Qualitative Analysis of Content. In Applications of Social Research Methods to Questions in Information and Library Science, 2nd ed.; Wildemuth, B.M., Ed.; Libraries Unlimited: Exeter, UK, 2017; pp. 318–329.
  45. Hopf, C. Qualitative Interviews: An Overview. In A Companion to Qualitative Research; SAGE Publications: Thousand Oaks, CA, USA, 2004.
  46. Cabe, M.M. Enhancing MITRE ATT&CK® Framework for Cyber-Physical Systems Using Insights from Advanced Persistent Threats. Master’s Thesis, Norwegian University of Science and Technology, Gjøvik, Norway, 2025.
  47. Alexander, O.; Belisle, M.; Steele, J. MITRE ATT&CK® for Industrial Control Systems: Design and Philosophy; Technical Report; MITRE: McLean, VA, USA, 2020.
  48. Makrakis, G.M.; Kolias, C.; Kambourakis, G.; Rieger, C.; Benjamin, J. Industrial and Critical Infrastructure Security: Technical Analysis of Real-Life Security Incidents. IEEE Access 2021, 9, 165295–165325.
  49. Cybersecurity Advisory (CSA); Cybersecurity and Infrastructure Security Agency (CISA); Federal Bureau of Investigation (FBI); Department of Energy (DOE). Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector; Technical Report AA22-083A; Cybersecurity and Infrastructure Security Agency: Washington, DC, USA, 2022.
  50. Firoozjaei, M.D.; Mahmoudyar, N.; Baseri, Y.; Ghorbani, A.A. An evaluation framework for industrial control system cyber incidents. Int. J. Crit. Infrastruct. Prot. 2022, 36, 100487.
  51. Cybersecurity & Infrastructure Security Agency. Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Available online: https://www.cisa.gov/news-events/ics-alerts/ics-alert-14-281-01e (accessed on 16 March 2025).
  52. Dragos Inc. Crashoverride; Technical Report 2.20170613; Dragos: Hanover, MD, USA, 2017.
  53. IEC 60870-5-101; Telecontrol Equipment and Systems—Part 5-101: Transmission Protocols—Companion Standard for Basic Telecontrol Tasks. IEC: Geneva, Switzerland, 2003.
  54. IEC 60870-5-104; Telecontrol Equipment and Systems—Part 5-104: Transmission Protocols—Network Access for IEC 60870-5-101 Using Standard Transport Profiles. IEC: Geneva, Switzerland, 2006.
  55. Cybersecurity and Infrastructure Security Agency (CISA). CrashOverride Malware. Available online: https://www.cisa.gov/news-events/alerts/2017/06/12/crashoverride-malware (accessed on 24 September 2024).
  56. Proska, K.; Wolfram, J.; Wilson, J.; Black, D.; Lunden, K.; Zafra, D.K.; Brubaker, N.; McLellan, T.; Sistrunk, C. Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Available online: https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology (accessed on 17 March 2025).
  57. Dragos Inc. ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware. October 2022. Available online: https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/ (accessed on 24 March 2025).
  58. IEC 62443 Series; Industrial Communication Networks—Network and System Security. IEC: Geneva, Switzerland, 2023.
  59. Hahn, A.; Cyprus, J.; Keppler, D.; Collins, M.; Harvey, C.; Pearson, N.L.T.; Ford, W.; Cui, A.; Locasto, M. The EMB3D™ Threat Model for Embedded Devices. Available online: https://emb3d.mitre.org/assets/EMB3D_Paper_09-23-24.pdf (accessed on 10 May 2025).
  60. Kayan, H.; Nunes, M.; Rana, O.; Burnap, P.; Perera, C. Cybersecurity of Industrial Cyber-Physical Systems: A Review. ACM Comput. Surv. 2022, 54 (11s), 1–35.
  61. Wohlin, C.; Runeson, P.; Höst, M.; Ohlsson, M.C.; Regnell, B.; Wesslén, A. Experimentation in Software Engineering, 2nd ed.; Springer: Berlin/Heidelberg, Germany, 2024.
  62. Cyber-Attack Against Ukrainian Critical Infrastructure. Available online: https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01 (accessed on 24 September 2024).
  63. Loss of Safety, Technique T0880. Available online: https://attack.mitre.org/techniques/T0880/ (accessed on 6 March 2025).
  64. Busby, J.W.; Baker, K.; Bazilian, M.D.; Gilbert, A.Q.; Grubert, E.; Rai, V.; Rhodes, J.D.; Shidore, S.; Smith, C.A.; Webber, M.E. Cascading risks: Understanding the 2021 winter blackout in Texas. Energy Res. Soc. Sci. 2021, 77, 102106.
  65. Hedgecoe, G.; Lamche, A. At Least Three Deaths Linked to Massive Spain Power Cut; British Broadcasting Corporation: London, UK, 2025.
  66. Blackburn, G. ‘It Won’t Happen Again,’ Spain’s Grid Operator Says in Iberian Blackout Aftermath; Euronews: Lyon, France, 2025.
  67. Hasan, S.; Chhokra, A.; Dubey, A.; Mahadevan, N.; Karsai, G.; Jain, R.; Lukic, S. A simulation testbed for cascade analysis. In Proceedings of the 2017 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT); IEEE: Piscataway, NJ, USA, 2017; pp. 1–5.
  68. Lockout/Tagout. Available online: https://www.osha.gov/sites/default/files/publications/OSHAFS3529.pdf (accessed on 30 May 2025).
  69. Salazar, L.; López-Morales, E.; Lozano, J.; Rubio-Medrano, C.; Cárdenas, A.A. ICSNet: A Hybrid-Interaction Honeynet for Industrial Control Systems. In CPSIoTSec’24: Proceedings of the Sixth Workshop on CPS&IoT Security and Privacy; Association for Computing Machinery: New York, NY, USA, 2024; pp. 68–79.
  70. Team82. Unpacking the Blackjack Group’s Fuxnet Malware; Technical Report; Claroty: New York, NY, USA, 2024.
Figure 1. Russian Intelligence Services cyber program. Figure copied from [15], used under Open Government Licence v3.0.
Figure 3. Extension to the ATT&CK ICS framework with Inhibit Recovery in the physical domain.
Table 2. Search plan, searching for relevant keywords.
Purpose | The purpose of this search is to identify keywords from titles and keywords tagged by authors in relevant articles
Dates | ≤25 January 2025
Databases | IEEE Xplore, JSTOR, ACM DL, ScienceDirect, SpringerLink, arXiv, Web of Science, Scopus
Search criteria | Language: English. Criteria: names contained in title/publication title. If a multi-category database, select the following categories: engineering, information and computer sciences, cybersecurity, and privacy. Document type: Research article OR Conference paper
Search keywords | (1) Stuxnet; (2) “sandworm” OR “telebots” OR “iron viking” OR “blackenergy” OR “quedagh” OR “voodoo bear” OR “apt44” OR “seashell blizzard” OR “frozenbarents”
Inclusion criteria | The research papers should analyse, elaborate on improvements to, or model the specific attack/group.
Exclusion criteria | Overlapping data from other databases
Table 3. Summary of each search with the result and relevant articles.
Search Query | Database | Result | Relevant
1 | IEEE | 17 | 10
1 | JSTOR | 5 | 1
1 | ACM DL | 0 | 0
1 | ScienceDirect | 3 | 3
1 | SpringerLink | 4 | 4
1 | arXiv | 0 | 0
1 | Web of Science | 5 | 2
1 | Scopus | 56 | 14
Table 4. Summary of keywords counted each time they were tagged by the author. Keywords referenced more than once are listed. Similar keywords are summarised and written in parentheses.
Words | Keyword Count | Title Count
Attack (cyber attack, stealthy attack) | 10 | 9
Stuxnet (Stuxnet virus, Stuxnet analysis) | 18 | -
Attack names (Duqu, Shamoon, Triton, Wannacry) | 9 | 5
Physical/CPS (Cyber physical system) | 6 | 4
Virus | 2 | 4
Worm | 2 | 4
Industrial/ICS (industrial systems) | 3 | 3
Table 5. Search criteria, searching research databases for APTs.
Purpose | Identify relevant articles on the selected Russian APTs in order to analyse their capabilities to attack CPS
Dates | ≤1 March 2025
Databases | IEEE Xplore, Web of Science, Scopus
Search criteria | Language: English. Searching for APT names in all metadata.
Search keywords | (1) “dragonfly” OR “temp.isotope” OR “dymalloy” OR “berserk bear” OR “tg-4192” OR “crouching yeti” OR “iron liberty” OR “energetic bear” OR “ghost blizzard” OR “casstle” [9]; (2) “sandworm” OR “selebots” OR “iron viking” OR “blackenergy” OR “quedagh” OR “boodoo bear” OR “apt44” OR “seashell blizzard” OR “frozenbarents” [10]; (3) “temp.veles” OR “xenotime” [11]; (4) allanite [12]. Each of the queries above is combined with (AND) Author Keyword/title: (CPS OR cyber-physical OR “cyber physical” OR ics OR industrial OR malware OR virus OR worm OR attack)
Inclusion criteria | Focus on the papers’ contribution to describing the capabilities of APTs. Assess the relevance: first titles and abstracts are assessed, and then the conclusion.
Table 6. Summary of each search with the number of search results and relevant articles found.
Database | Query 1 (Res./Rel.) | Query 2 (Res./Rel.) | Query 3 (Res./Rel.) | Query 4 (Res./Rel.)
IEEE | 11/0 | 8/1 | 0/0 | 0/0
Web of Science | 26/0 | 1/1 | 0/0 | 0/0
Scopus | 263/2 | 234/3 | 10/0 | 1/0
Table 7. Search criteria, searching for APTs in grey literature.
Purpose | Identify relevant articles on the selected Russian APTs in order to analyse their capabilities to attack CPS
Dates | ≤13 March 2025
Databases | Cyber security companies: ESET, Dragos. Governmental: CISA
Search criteria | Searching for analysis and threat reports of the selected actors
Search keywords | (1) Dragonfly OR TEMP.Isotope OR DYMALLOY OR “Berserk Bear” OR TG-4192 OR “Crouching Yeti” OR “IRON LIBERTY” OR “Energetic Bear” OR “Ghost Blizzard” OR CASSTLE OR Dymalloy (Dragos) [9]; (2) Sandworm OR Telebots OR “IRON Viking” OR Blackenergy OR Quedagh OR “Boodoo Bear” OR APT44 OR “Seashell Blizzard” OR FROZENBARENTS OR ELECTRUM (Dragos) [10]; (3) TEMP.Veles OR XENOTIME OR TsNIIKhM (CISA) [11]; (4) ALLANITE [12]
Inclusion criteria | Search results are first assessed for relevance from the title; the paper is then skimmed, followed by a full read-through. Paper types: Threat Intelligence or cyber attack reports.
Exclusion criteria | Duplicate results are ignored.
Table 8. Summary of each search with the number of search results and relevant articles found in grey literature.
Database | Query 1 (Res./Rel.) | Query 2 (Res./Rel.) | Query 3 (Res./Rel.) | Query 4 (Res./Rel.)
ESET | 5/0 | 120/1 | 0/0 | 0/0
Dragos | 18/0 | 29/2 | 18/0 | 45/0
CISA | 30/1 | 110/2 | 13/1 | 0/0
Table 9. Overview of cyber attacks and their targets, related to levels in the Purdue model.
Attack | APT | Targeting | Purdue Level
Triton | TEMP.Veles | Triconex safety instrumented systems | 5 to 1
Havex | Dragonfly | Critical infrastructure | 5 to 3 [48]
Ukraine 2015 (BlackEnergy3 and KillDisk) | Sandworm | Power grid | 4 to 1 [48]
Ukraine 2016 (Industroyer) | Sandworm | Power grid | 4 to 0 [48]
Ukraine 2022 | Sandworm | Power grid | 4 to 0
VPNFilter | Sandworm | Routers | 4 to 3 [48]
Table 10. Overview of searches and number of articles found relevant from the literature review.
Database | Query 1 (Res./Rel.) | Query 2 (Res./Rel.) | Query 3 (Res./Rel.) | Query 4 (Res./Rel.)
IEEE | 11/0 | 8/1 | 0/0 | 0/0
Web of Science | 26/0 | 1/1 | 0/0 | 0/0
Scopus | 263/2 | 234/3 | 10/0 | 1/0
ESET | 5/0 | 120/1 | 0/0 | 0/0
Dragos | 18/0 | 29/2 | 18/0 | 45/0
CISA | 30/1 | 110/2 | 13/1 | 0/0
Table 11. Definition of the enhancements explored for the ATT&CK framework.
Name | Type | Definition | Contribution
Societal impact | New Sub-Technique (Parent: Loss of Availability (T0826)) | The adversary affects societal services, specifically resulting in disruption/destruction of critical infrastructures. | Existing techniques emphasise impact in the ICS domain and its loss of services; this encompasses the cascading societal consequences of attacks in the physical domain.
Cascading effect | New Technique (Parent: Impact (TA0105)) | A cyber attack on one part of an infrastructure triggers a chain reaction, leading to compounded failures across interconnected systems within a CPS. | Illustrates how an adversary exploits interdependencies in CPS, specifically processes and safety mechanisms.
Exploiting process control | New Tactic | The adversary exploits processes in a CPS that fundamentally need to be stable for safety and continuous operations. | The tactic highlights why and how the adversary targets processes in the physical domain.
State manipulation | New Technique (Parent: Exploiting process control) | The adversary alters or falsifies the physical state of a system, either through binary changes (e.g., on/off substations) or by manipulating continuous state values (e.g., pressures or flow rates). | Describes how the adversary exploits states in CPSs and cyber-physical devices to cause operational failures.
Inhibit Recovery | New Tactic | The adversary deliberately obstructs or delays recovery actions following an attack. | Highlights the attacker’s ability to prolong disruptions, escalate costs, and exacerbate the impact of an attack when the physical domain is included.
Brute force I/O and similar techniques (integration of Purdue level 0) | - | - | Discusses the unique vulnerabilities of CPS, such as direct manipulation in the physical domain.
Table 12. Overview of the feedback from the subjects. * Subject highlighted physical aspect/EMB3D framework.
Enhancement | Subject 1 | Subject 2 | Subject 3 | Subject 4
Societal impact | Agree | Agree | Agree | Agree
Cascading effect | Agree | Agree | Agree | Neither or
Exploiting process control | Strongly agree | Agree | Neither or | Strongly agree
State manipulation | Agree | Neither or | Neither or | Neither or
Inhibit recovery | Agree | Agree | Agree | Agree
Brute force I/O (T0806) | No opinion | No opinion | No opinion | Neither or *
Table 13. Enhancements in context of attack behaviour and possible existing tactic(s)/technique(s).
ATT&CK ICS Enhancement | Cyber Attack | Attack Behaviour | Impact/Outcome | Existing ATT&CK ICS Tactic(s)/Technique(s)
Societal impact | Ukraine 2015 | Attackers target substations, attempting to cause lasting power outages. In the context of the Ukraine-Russia war, we can assume it is conflict-oriented. | Power outage for thousands of customers for hours | (T0826) Loss of Availability
Societal impact | Ukraine 2016 | (as above) | Power outage in Kiev | (T0826) Loss of Availability
Societal impact | Ukraine 2022 | (as above) | Disconnected substations from the power grid | (T0826) Loss of Availability
Cascading effect | Ukraine 2015 | Attackers create fluctuations by connecting and disconnecting substations or generators to the power grid, which can potentially cause blackouts. | Rolling effect and process instabilities trigger safety mechanisms that shut down substations | (T0826) Loss of Availability; (T0813) Denial of Control
Exploiting process control | Ukraine 2016 | APT allegedly attempted to cause "islanding" effects and create frequency fluctuations. | Potentially induces blackouts or physical destruction | (TA0107) Inhibit Response Function; (TA0106) Impair Process Control
State manipulation | Ukraine 2015 | Open circuit breaker | System state changed | (T0881) Service Stop; (T0816) Device Restart/Shutdown
State manipulation | Ukraine 2016 | Open circuit breaker when closure is attempted | System state changed | (T0881) Service Stop; (T0816) Device Restart/Shutdown
State manipulation | Ukraine 2022 | Open circuit breakers | System state changed | (T0881) Service Stop; (T0816) Device Restart/Shutdown
Inhibit Recovery | Ukraine 2015; Ukraine 2022 | Disabled backup power system, hindered remote closing of circuit breakers. Interruption of power flows for process impairment. | Delayed recovery of substations | (T0809) Data Destruction; (T0813) Denial of Control; Impact (TA0105)
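As an added illustration (not part of the paper or the ATT&CK project), the behaviours defined in Table 11 and mapped in Table 13 can be expressed as detection rules over process telemetry: a breaker that changes state with no corresponding operator command (state manipulation of a binary state), a breaker that reverts shortly after an operator command (the Table 13 "open circuit breaker when closure is attempted" pattern under Inhibit Recovery), and a continuous process value leaving its safe band (manipulation of a continuous state). The Python below replays such rules over a constructed event stream; the asset tags, timing windows, safe band and event values are assumptions chosen for the example.

```python
"""Added example: rule-based detection of the 'State manipulation' and
'Inhibit Recovery' behaviours over constructed ICS telemetry.
Asset tags (BRK-1, BRK-2, FLOW-1), the 30 s / 60 s windows and the
safe band are assumptions for this example, not values from the paper."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

State = Union[str, float]


@dataclass(frozen=True)
class Event:
    t: int        # seconds since the start of the observation window
    kind: str     # "cmd" = operator/HMI command, "obs" = telemetry read back from the device
    asset: str    # tag of the breaker or process point (constructed names)
    state: State  # "open"/"closed" for breakers, a float for continuous points


@dataclass(frozen=True)
class Alert:
    t: int
    asset: str
    rule: str
    detail: str


def detect(events: List[Event], cmd_window: int = 30, revert_window: int = 60,
           safe_bands: Optional[Dict[str, Tuple[float, float]]] = None) -> List[Alert]:
    """Replay events in time order and emit alerts for three patterns:
    - uncommanded_state_change: a binary state flips with no matching
      command in the last `cmd_window` seconds (state manipulation);
    - reverted_after_command: the state flips to the opposite of a command
      issued within `revert_window` seconds (a breaker reopened while
      closure is being attempted, i.e. recovery is being inhibited);
    - value_out_of_band: a continuous point leaves its safe band."""
    safe_bands = safe_bands or {}
    last_cmd: Dict[str, Tuple[int, State]] = {}   # asset -> (time, commanded state)
    last_obs: Dict[str, State] = {}               # asset -> last observed state
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "cmd":
            last_cmd[e.asset] = (e.t, e.state)
            continue
        prev = last_obs.get(e.asset)
        last_obs[e.asset] = e.state
        if isinstance(e.state, float):            # continuous point: band check only
            band = safe_bands.get(e.asset)
            if band and not band[0] <= e.state <= band[1]:
                alerts.append(Alert(e.t, e.asset, "value_out_of_band",
                                    f"{e.state} outside {band}"))
            continue
        if prev is None or prev == e.state:
            continue                              # first reading, or no change
        cmd = last_cmd.get(e.asset)
        if cmd is not None and cmd[1] == e.state and e.t - cmd[0] <= cmd_window:
            continue                              # change explained by a recent command
        if cmd is not None and cmd[1] != e.state and e.t - cmd[0] <= revert_window:
            rule = "reverted_after_command"
            detail = f"commanded {cmd[1]} at t={cmd[0]}, now {e.state}"
        else:
            rule = "uncommanded_state_change"
            detail = f"{prev} -> {e.state} with no matching command"
        alerts.append(Alert(e.t, e.asset, rule, detail))
    return alerts


def reverts_per_asset(alerts: List[Alert]) -> Dict[str, int]:
    """Repeated reverts on one asset are the signature of inhibited recovery."""
    counts: Dict[str, int] = {}
    for a in alerts:
        if a.rule == "reverted_after_command":
            counts[a.asset] = counts.get(a.asset, 0) + 1
    return counts


# Constructed event stream: one breaker is opened without a command, then
# reopened twice after the operator closes it; a flow point drifts out of band;
# a second breaker is opened legitimately by an operator command.
SAMPLE_EVENTS = [
    Event(0, "obs", "BRK-1", "closed"), Event(0, "obs", "FLOW-1", 50.0),
    Event(10, "obs", "BRK-1", "open"),
    Event(20, "cmd", "BRK-1", "closed"), Event(25, "obs", "BRK-1", "closed"),
    Event(30, "obs", "FLOW-1", 75.0),
    Event(40, "obs", "BRK-1", "open"),
    Event(50, "cmd", "BRK-1", "closed"), Event(55, "obs", "BRK-1", "closed"),
    Event(70, "obs", "BRK-1", "open"),
    Event(90, "obs", "BRK-2", "closed"),
    Event(100, "cmd", "BRK-2", "open"), Event(105, "obs", "BRK-2", "open"),
]


def run_demo() -> List[Alert]:
    return detect(SAMPLE_EVENTS, safe_bands={"FLOW-1": (40.0, 60.0)})


if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a.t:>4} {a.asset:<7} {a.rule:<26} {a.detail}")
    print("reverts per asset:", reverts_per_asset(run_demo()))
```

The legitimate BRK-2 operation produces no alert because the observed change matches a command inside the window, while BRK-1 yields one uncommanded change and two reverts; in practice the command feed would come from the HMI or SCADA audit log and the observations from the RTU/IED telemetry, and the two windows are tuned to the latency of the specific plant.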
Mc Cabe, M.; Houmb, S.H. Enhancing the MITRE ATT&CK® Framework for Cyber-Physical Systems Using Insights from Advanced Persistent Threats. Appl. Sci. 2026, 16, 1815. https://doi.org/10.3390/app16041815