A0004: Remote Terminal Unit (RTU)
A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as a software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.
Analyst context for executives and security teams
A Remote Terminal Unit (RTU) is a critical ICS intermediary between field devices such as PLCs/IEDs and control or SCADA servers. Its business importance is that it can carry commands toward the process and return telemetry, events, and alarms back to operators. If an RTU is unavailable, misconfigured, impersonated, or manipulated, organizations may lose trustworthy visibility or control over physical operations.
Executive priority
Treat RTUs as high-value operational resilience assets, not just network endpoints. Leadership should ask whether RTUs are inventoried, segmented, backed up where applicable, monitored for command/telemetry integrity, and included in incident response and recovery plans. The relationship context shows RTUs are relevant to discovery, credential misuse, remote service exploitation, protocol abuse, denial of service, parameter or alarm modification, firmware update mode abuse, and rogue master scenarios, so control priorities should align to safety, uptime, and evidence needs for audits and incident decisions.
Technical view
SOC, OT, and IR teams should validate visibility across RTU communications with SCADA/control servers and field devices. Because MITRE provides no official detection text for this asset, detections should be built from relationship-driven behaviors: unexpected discovery scans or broadcast/multicast enumeration, abnormal use of standard ICS/application protocols, unauthorized remote service access, valid-account activity inconsistent with normal operations, unexpected restart/shutdown or denial-of-service symptoms, changes to parameters or alarm settings, firmware update mode activation, and traffic patterns suggesting adversary-in-the-middle or rogue master behavior. Platforms listed for this asset are Embedded, Linux, and Windows, so host-level visibility may vary significantly by implementation.
Likely telemetry
- Authoritative RTU asset inventory, firmware/software version, role, network location, and approved communication peers
- Network flow and packet/protocol telemetry between RTUs, SCADA/control servers, PLCs/IEDs, and engineering workstations
- ICS protocol command, read/write, alarm, event, point/tag, and telemetry records where available
- Authentication and account-use logs for RTU management interfaces, remote services, and supporting operating systems
- Configuration, parameter, alarm setting, firmware/update-mode, restart, and shutdown change records
Detection direction
- Baseline normal RTU peers and protocol behavior; alert on new masters, unexpected control servers, unusual source systems, or communication paths inconsistent with the RTU role.
- Correlate network discovery indicators such as port scans, broadcast discovery, multicast discovery, and connection enumeration with authorized maintenance windows to reduce false positives.
- Monitor for write actions, repeated I/O changes, parameter changes, alarm setting changes, firmware update mode activation, and restart/shutdown events that are not tied to approved engineering activity.
- Validate credential controls and logging for RTU administration because Valid Accounts is a related technique and default or compromised credentials can undermine network-only defenses.
- Look for integrity gaps: adversary-in-the-middle or rogue master activity may appear as legitimate protocol traffic unless peer identity, timing, command type, and process context are inspected.
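As an added example (not from MITRE or the Glexia mirror), the first three detection directions above applied to constructed DNP3-style telemetry: a per-RTU peer baseline flags an unknown master, and approved peers are still flagged when writes, parameter or alarm changes, firmware update mode, or restarts fall outside an approved maintenance window. Host names, the CSV field layout, and the baseline contents are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Operation classes that change device or process state; everything else is read-only.
STATE_CHANGING = {"write", "modify_parameter", "modify_alarm",
                  "firmware_update_mode", "restart"}

@dataclass(frozen=True)
class Record:
    ts: datetime   # when the message was observed
    src: str       # host issuing the request (master side)
    rtu: str       # RTU that received it
    proto: str     # decoded application protocol, e.g. "dnp3"
    op: str        # decoded operation class

def parse(line: str) -> Record:
    """Parse one constructed 'ts,src,rtu,proto,op' CSV line (assumed layout)."""
    ts, src, rtu, proto, op = line.strip().split(",")
    return Record(datetime.fromisoformat(ts), src, rtu, proto, op)

def detect(records, baseline, maintenance):
    """baseline: {rtu: {(master, proto), ...}} of approved peers per RTU.
    maintenance: [(start, end), ...] datetimes of approved engineering windows.
    Returns (rtu, src, op, reason) for every record worth alerting on."""
    findings = []
    for r in records:
        if (r.src, r.proto) not in baseline.get(r.rtu, set()):
            # Peer never seen in the approved map: candidate rogue master / AitM.
            findings.append((r.rtu, r.src, r.op, "new_master"))
            continue
        in_window = any(s <= r.ts <= e for s, e in maintenance)
        if r.op in STATE_CHANGING and not in_window:
            # Approved peer, but a state change with no approved engineering activity.
            findings.append((r.rtu, r.src, r.op, "change_outside_window"))
    return findings

# Constructed sample telemetry and baseline (not real hosts or captures).
SAMPLE = """2024-05-01T09:00:00+00:00,scada-01,rtu-07,dnp3,read
2024-05-01T09:05:00+00:00,scada-01,rtu-07,dnp3,write
2024-05-01T13:10:00+00:00,scada-01,rtu-07,dnp3,write
2024-05-01T13:12:00+00:00,eng-ws-03,rtu-07,dnp3,firmware_update_mode
2024-05-01T13:20:00+00:00,10.9.8.77,rtu-07,dnp3,write"""
BASELINE = {"rtu-07": {("scada-01", "dnp3"), ("eng-ws-03", "dnp3")}}
MAINTENANCE = [(datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc),
                datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc))]

def run_example():
    """Run the detector over the constructed sample; three findings expected."""
    return detect([parse(l) for l in SAMPLE.splitlines()], BASELINE, MAINTENANCE)
```

The 09:05 write from scada-01 is silent because it falls inside the approved window; the same peer's 13:10 write and the workstation's firmware update mode activation are flagged, and the unknown 10.9.8.77 master is flagged regardless of operation.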
Mitigation priorities
- Start with a verified RTU inventory and communication map covering SCADA/control servers, field devices, engineering access paths, and remote services.
- Restrict RTU management and control paths to approved systems and accounts; remove default credentials and enforce least-privilege access where supported.
- Segment RTU networks and limit unnecessary services or application-layer protocols to reduce discovery, exploitation, and command-and-control opportunities.
- Establish change control for firmware/update mode, parameter changes, alarm settings, restarts, shutdowns, and maintenance media use.
- Build recovery evidence: known-good configurations, approved firmware/software records, maintenance procedures, and incident playbooks for loss of visibility, loss of control, or suspected manipulation.
Analyst notes and limits
This is an ATT&CK for ICS asset object, not a technique. The strongest decision value comes from the RTU’s position between field devices and control/SCADA servers and from the listed techniques that target it. Use this object to drive asset criticality, telemetry validation, segmentation reviews, credential governance, and OT incident response planning.
MITRE provides no official detection text, no tactics for the asset, and no vendor-specific implementation details. The relationship descriptions are truncated in places, and actual monitoring options depend on the RTU model, whether it is embedded or runs on Linux/Windows, available protocol decoding, and local operational constraints.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0848 | Rogue Master | Rogue Master targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T1691 | Block Operational Technology Message | Block Operational Technology Message targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T1691.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T1695.001 | Serial COM Sub-technique | Serial COM targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0801 | Monitor Process State | Monitor Process State targets this object. |
| ICS | T0861 | Point & Tag Identification | Point & Tag Identification targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T1693.001 | System Firmware Sub-technique | System Firmware targets this object. |
| ICS | T0871 | Execution through API | Execution through API targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T1692.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0878 | Alarm Suppression | Alarm Suppression targets this object. |
| ICS | T1692.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T0800 | Activate Firmware Update Mode | Activate Firmware Update Mode targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0836 | Modify Parameter | Modify Parameter targets this object. |
| ICS | T0838 | Modify Alarm Settings | Modify Alarm Settings targets this object. |
| ICS | T1691.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T0806 | Brute Force I/O | Brute Force I/O targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T1692 | Unauthorized Message | Unauthorized Message targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0bb67234186a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack A0004
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.