A0002: Human-Machine Interface (HMI)
Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.
Analyst context for executives and security teams
An HMI is the operator’s window into an industrial process and, in many environments, a control point for changing parameters. That makes it a business-critical asset: loss of visibility, misleading displays, unauthorized control actions, or alarm manipulation can directly affect operational resilience and safety decisions. For leaders, the key issue is not just whether the HMI exists, but whether the organization can prove who can access it, what changes are logged, how it is monitored, and how operations continue if it becomes unavailable or untrusted.
Executive priority
Treat HMIs as priority ICS assets for resilience, audit evidence, and incident decision-making. The supplied ATT&CK relationships show HMIs can be targeted by behaviors involving process-state monitoring, GUI/CLI access, discovery, network sniffing, removable media, masquerading, rootkits, screen capture, alarm-setting modification, denial of service, restart/shutdown, and data destruction. Executives should ask whether HMI access paths, alarm integrity, backup/restore procedures, removable-media handling, and network visibility are explicitly tested in OT security reviews and incident response exercises.
Technical view
This object is an ICS asset, not a technique, and MITRE does not provide detection guidance for it. SOC, OT security, and IR teams should validate HMI coverage against the supplied platforms (Linux and Windows) and the relationship set. Practical validation should include: authentication and session evidence for local and remote GUI/CLI access; OS and application logs; HMI configuration and alarm-change records; process, OPC, and historian-related visibility where available; network communications to control/SCADA servers and field devices; discovery/scan indicators; removable-media activity; file/process anomalies consistent with masquerading or scripting; and availability events such as unexpected shutdown, restart, or denial-of-service conditions.
Likely telemetry
- HMI operating system security, system, application, process, service, and command-line logs on Windows or Linux
- HMI application logs, operator action logs, configuration-change records, and alarm-setting change records
- Authentication, authorization, and session records for local access, remote GUI access, and CLI access
- Network flow, packet, and protocol telemetry between HMIs, control/SCADA servers, historians, OPC sources, and other ICS devices
- Discovery-related telemetry such as port scans, broadcast discovery, multicast discovery, and remote system enumeration
Detection direction
- Because MITRE provides no official detection text for this asset, start by building a local HMI behavior baseline: expected users, expected remote-access paths, expected peer systems, expected protocols, expected vendor applications, and normal alarm/configuration workflows.
- Tune monitoring for relationship-driven scenarios: process-state collection, GUI or CLI access, network sniffing, discovery, rogue master-like communications, alarm setting changes, screen capture, removable-media execution, unexpected restart/shutdown, denial-of-service symptoms, and destructive file activity.
- Correlate host and network evidence. HMI compromise or misuse may appear as legitimate-looking operator actions unless paired with identity, session, change-management, and network context.
- Review false positives carefully in OT environments. Engineering maintenance, vendor support, firmware work, and operator troubleshooting can resemble discovery, scripting, GUI access, CLI use, or configuration changes.
- Identify blind spots that commonly decide coverage: unmanaged HMI hosts, limited endpoint agents in OT, missing HMI application audit logs, remote-access tools outside SOC visibility, lack of packet/flow monitoring on control networks, and incomplete removable-media logging.
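The baseline-and-correlate approach described above can be made concrete with a small triage script. The following is an added example, not code from the original page and not Glexia's or MITRE's tooling. It assumes HMI host and network events have already been normalized into simple dictionaries; the baseline values (accounts, jump-host subnet, SCADA/OPC peers, change ticket), the service name `HmiRuntime`, and every sample event are constructed for illustration. The point it shows is that an alarm-setting change or a network connection is judged in the context of the session that produced it: an engineering change from an expected remote path with an approved ticket is left alone, while the same user performing the same change from an unexpected source without a ticket is escalated.

```python
"""Baseline-driven HMI misuse triage over constructed sample events (added example)."""
import ipaddress

# Hypothetical local baseline for one HMI host. All values are constructed.
BASELINE = {
    "operator_users": {"op_day", "op_night"},
    "engineering_users": {"eng_smith"},
    "remote_sources": [ipaddress.ip_network("10.10.20.0/24")],  # approved jump hosts
    "peers": {("10.10.30.5", 502), ("10.10.30.6", 4840)},        # SCADA server (Modbus/TCP), OPC UA server
    "change_window_tickets": {"CHG-1001"},                        # approved change records
}

# Constructed sample events, already normalized, in the order they were observed.
SAMPLE_EVENTS = [
    {"seq": 1, "type": "logon", "user": "op_day", "src": "console", "session": "s1"},
    {"seq": 2, "type": "logon", "user": "eng_smith", "src": "10.10.20.7", "session": "s2"},
    {"seq": 3, "type": "alarm_change", "user": "eng_smith", "session": "s2", "tag": "TANK1_HI", "ticket": "CHG-1001"},
    {"seq": 4, "type": "logon", "user": "eng_smith", "src": "192.168.77.9", "session": "s3"},
    {"seq": 5, "type": "alarm_change", "user": "eng_smith", "session": "s3", "tag": "TANK1_HIHI", "ticket": None},
    {"seq": 6, "type": "net_conn", "session": "s3", "dst": "10.10.30.5", "dport": 502},
    {"seq": 7, "type": "net_conn", "session": "s3", "dst": "10.10.40.99", "dport": 445},
    {"seq": 8, "type": "removable_media_exec", "user": "op_night", "session": "s4", "path": "E:\\update.exe"},
    {"seq": 9, "type": "service_stop", "user": "SYSTEM", "session": None, "service": "HmiRuntime"},
]


def _src_expected(src, baseline=BASELINE):
    """True for the local console or an address inside an approved remote-access subnet."""
    if src == "console":
        return True
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in baseline["remote_sources"])


def triage(events, baseline=BASELINE):
    """Return a list of (seq, severity, reason) findings.

    Sessions are tracked so that later host actions (alarm changes, network
    connections) inherit the context of how the session was established.
    """
    findings = []
    session_ctx = {}
    for ev in events:
        t = ev["type"]
        if t == "logon":
            known = ev["user"] in baseline["operator_users"] | baseline["engineering_users"]
            trusted_src = _src_expected(ev["src"], baseline)
            session_ctx[ev["session"]] = {"user": ev["user"], "trusted_src": trusted_src}
            if not known:
                findings.append((ev["seq"], "high", f"logon by unknown account {ev['user']}"))
            elif not trusted_src:
                findings.append((ev["seq"], "medium", f"logon for {ev['user']} from unexpected source {ev['src']}"))
        elif t == "alarm_change":
            ctx = session_ctx.get(ev["session"], {"trusted_src": False})
            is_eng = ev["user"] in baseline["engineering_users"]
            has_ticket = ev.get("ticket") in baseline["change_window_tickets"]
            if is_eng and has_ticket and ctx["trusted_src"]:
                continue  # identity, change record and access path all agree: authorized engineering work
            sev = "high" if (not ctx["trusted_src"] or not is_eng) else "medium"
            findings.append((ev["seq"], sev, f"alarm setting {ev['tag']} changed without full authorization context"))
        elif t == "net_conn":
            if (ev["dst"], ev["dport"]) not in baseline["peers"]:
                ctx = session_ctx.get(ev["session"], {"trusted_src": False})
                sev = "high" if not ctx["trusted_src"] else "medium"
                findings.append((ev["seq"], sev, f"connection to non-baseline peer {ev['dst']}:{ev['dport']}"))
        elif t == "removable_media_exec":
            findings.append((ev["seq"], "high", f"execution from removable media {ev['path']}"))
        elif t == "service_stop":
            findings.append((ev["seq"], "high", f"HMI service {ev['service']} stopped"))
    return findings


if __name__ == "__main__":
    for seq, sev, reason in triage(SAMPLE_EVENTS):
        print(f"event {seq}: [{sev}] {reason}")
```

On the constructed input, events 1 to 3 produce nothing because the engineer's change arrives from a baselined jump host with an approved ticket, while events 4, 5 and 7 are raised because the second session breaks the expected access path and the alarm change and file-share connection made inside it inherit that suspicion. The removable-media execution and the HMI service stop are flagged on their own because the baseline has no authorized form of either.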
Mitigation priorities
- Prioritize asset ownership and criticality: maintain an inventory of HMI systems, operating systems, connected control/SCADA dependencies, users, and remote-access methods.
- Restrict and review HMI access paths, including local accounts, remote GUI access, CLI access, vendor support access, and removable-media use.
- Protect HMI integrity with change control for application configuration, alarm settings, operator displays, and authorized software.
- Segment and monitor HMI communications so expected control/SCADA relationships are known and deviations can be investigated.
- Prepare operational resilience procedures for HMI outage or loss of trust, including backup/restore, alternate operator visibility, and incident escalation paths.
Analyst notes and limits
The relationship context is broad and makes the HMI a high-value defensive focal point rather than a single behavior. The most useful Glexia assessment work would map each local HMI to its normal users, software, network peers, alarm/configuration workflow, and recovery dependencies, then test whether SOC and OT teams can distinguish authorized engineering activity from suspicious activity.
This take is based only on the supplied ATT&CK asset record, external references, and relationships. The object has no ATT&CK tactics and no official detection guidance. The supplied relationships indicate techniques that target HMIs, but they do not prove activity in any specific environment, vendor product, or customer network. Local architecture, HMI software, logging configuration, safety requirements, and operational procedures are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0807 | Command-Line Interface | Command-Line Interface targets this object. |
| ICS | T0800 | Activate Firmware Update Mode | Activate Firmware Update Mode targets this object. |
| ICS | T0878 | Alarm Suppression | Alarm Suppression targets this object. |
| ICS | T1691.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0838 | Modify Alarm Settings | Modify Alarm Settings targets this object. |
| ICS | T0823 | Graphical User Interface | Graphical User Interface targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T1692.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0848 | Rogue Master | Rogue Master targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T0801 | Monitor Process State | Monitor Process State targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0863 | User Execution | User Execution targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0849 | Masquerading | Masquerading targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0871 | Execution through API | Execution through API targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T0893 | Data from Local System | Data from Local System targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0886 | Remote Services | Remote Services targets this object. |
| ICS | T1692.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T1693.001 | System Firmware Sub-technique | System Firmware targets this object. |
| ICS | T1692 | Unauthorized Message | Unauthorized Message targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T0894 | System Binary Proxy Execution | System Binary Proxy Execution targets this object. |
| ICS | T1695.001 | Serial COM Sub-technique | Serial COM targets this object. |
| ICS | T0852 | Screen Capture | Screen Capture targets this object. |
| ICS | T0806 | Brute Force I/O | Brute Force I/O targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T1691.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0853 | Scripting | Scripting targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T0861 | Point & Tag Identification | Point & Tag Identification targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T1691 | Block Operational Technology Message | Block Operational Technology Message targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0895 | Autorun Image | Autorun Image targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 25b9614ccf5c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] IEC. (2019, February). Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components. Retrieved 2020/09/25. (Open source URL)
- [2] mitre-attack: A0002. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.