A0005: Intelligent Electronic Device (IED)
An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.
Analyst context for executives and security teams
Intelligent Electronic Devices are embedded field devices used in the electric sector for protection, monitoring, and control. Their business importance is that they sit close to the physical process: if their settings, communications, availability, or operating mode are manipulated, operators may lose trusted telemetry or expected response functions. For executives, this makes IED coverage a resilience and cyber-physical risk issue, not just an OT asset inventory detail.
Executive priority
Prioritize IED visibility where they support safety, protection, monitoring, or control functions. Leaders should ask whether the organization has an accurate inventory of IEDs, knows which RTUs and Control Servers they communicate with, can evidence change control for parameters and alarm settings, and can respond if devices enter unexpected modes, restart, stop responding, or show abnormal network behavior. Because ATT&CK lists many techniques targeting this asset, IEDs should be part of OT incident response planning, vulnerability prioritization, supplier assurance, and compliance evidence for critical operational environments.
Technical view
ATT&CK does not provide a detection section for A0005, so SOC and OT teams should validate coverage from the relationship context. Relevant behaviors include firmware update mode activation, process-state monitoring, brute-force I/O changes, data destruction, denial of service, restart or shutdown, exploitation for evasion or remote services, adversary-in-the-middle activity, parameter and alarm setting modification, network discovery, sniffing, rogue master activity, valid account use, point and tag identification, removable media replication, rootkit behavior, and supply chain compromise. Detection engineering should focus on whether embedded IED communications, configuration changes, management access, protocol activity, and device state changes are observable and correlated with authorized work orders or engineering activity.
Likely telemetry
- IED asset inventory and configuration baselines
- Network automation protocol traffic between IEDs, RTUs, and Control Servers
- Device mode, restart, shutdown, and availability events where available
- Parameter, alarm setting, firmware, and configuration change records
- Authentication and account-use logs for engineering or device-management access
Detection direction
- Start by mapping which IEDs support critical protection, monitoring, or control functions and which communications are normal for each device.
- Baseline expected protocol peers, polling patterns, command sources, and maintenance windows; alert on deviations such as new masters, unexpected discovery traffic, or unusual request volume.
- Correlate parameter, alarm, firmware, and mode changes with approved engineering change records to reduce false positives from legitimate maintenance.
- Treat device restarts, shutdowns, unresponsiveness, or update-mode transitions as high-context OT events requiring process-owner validation, not purely IT alerts.
- Validate whether monitoring can see embedded-device traffic directly; a common blind spot is assuming enterprise EDR or server logs cover field devices.
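The baselining and correlation steps above can be expressed as a small check that runs over flow summaries and change records. The following is an added example written for this page, not code from ATT&CK, MITRE or Glexia; every device name, address, protocol request kind, field name and ticket id in it is a constructed assumption rather than a vendor schema, and the thresholds are illustrative.

```python
"""Baseline-deviation checks for IED traffic and change records.

Added example (not from the ATT&CK page or Glexia). All device names,
addresses, request kinds and records below are constructed sample data;
the field names are assumptions chosen for the example, not a vendor schema.
"""
from collections import Counter
from datetime import datetime

# Constructed baseline: which masters (RTU / Control Server) may poll each
# IED, and the expected request ceiling per 5-minute window.
BASELINE = {
    "ied-feeder-01": {"masters": {"10.10.1.5"}, "max_requests_per_window": 60},
    "ied-feeder-02": {"masters": {"10.10.1.5", "10.10.1.6"}, "max_requests_per_window": 60},
}

# Constructed flow summaries: (timestamp, source, target IED, request kind, count)
FLOWS = [
    (datetime(2026, 3, 10, 8, 0), "10.10.1.5", "ied-feeder-01", "read", 40),
    (datetime(2026, 3, 10, 8, 0), "10.10.1.5", "ied-feeder-02", "read", 45),
    (datetime(2026, 3, 10, 8, 5), "10.10.1.99", "ied-feeder-01", "read", 3),       # source not in baseline
    (datetime(2026, 3, 10, 8, 5), "10.10.1.99", "ied-feeder-02", "discovery", 1),  # discovery request
    (datetime(2026, 3, 10, 8, 10), "10.10.1.6", "ied-feeder-02", "read", 500),     # volume far above ceiling
]

# Constructed change records from the device-management log and the
# engineering change system (the ticket id is a placeholder).
DEVICE_CHANGES = [
    {"ts": datetime(2026, 3, 10, 9, 30), "device": "ied-feeder-01", "kind": "parameter", "account": "eng-alice"},
    {"ts": datetime(2026, 3, 10, 14, 0), "device": "ied-feeder-02", "kind": "alarm_setting", "account": "eng-bob"},
    {"ts": datetime(2026, 3, 10, 14, 5), "device": "ied-feeder-02", "kind": "firmware_update_mode", "account": "svc-hmi"},
]
APPROVED_CHANGES = [
    {"ticket": "CHG-PLACEHOLDER-1", "device": "ied-feeder-01", "kind": "parameter",
     "start": datetime(2026, 3, 10, 9, 0), "end": datetime(2026, 3, 10, 11, 0)},
]


def window_key(ts, minutes=5):
    """Bucket a timestamp into a fixed window so request volume can be summed."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def detect_traffic_deviations(flows, baseline):
    """Return alerts for unknown IEDs, new masters, discovery traffic and volume spikes."""
    alerts = []
    volume = Counter()
    for ts, src, ied, kind, count in flows:
        profile = baseline.get(ied)
        if profile is None:
            alerts.append(("unknown_ied", ied, src, ts))  # device missing from inventory
            continue
        if src not in profile["masters"]:
            alerts.append(("new_master", ied, src, ts))
        if kind == "discovery":
            alerts.append(("discovery_traffic", ied, src, ts))
        volume[(ied, src, window_key(ts))] += count
    for (ied, src, win), total in volume.items():
        if total > baseline[ied]["max_requests_per_window"]:
            alerts.append(("request_volume", ied, src, win))
    return alerts


def unexplained_changes(changes, approved):
    """Return device changes with no approved change record covering them.

    Update-mode transitions are always returned, even when covered, so that a
    process owner reviews them rather than an IT queue closing them.
    """
    flagged = []
    for ch in changes:
        covered = any(
            a["device"] == ch["device"] and a["kind"] == ch["kind"]
            and a["start"] <= ch["ts"] <= a["end"]
            for a in approved
        )
        if not covered or ch["kind"] == "firmware_update_mode":
            flagged.append(ch)
    return flagged


if __name__ == "__main__":
    for alert in detect_traffic_deviations(FLOWS, BASELINE):
        print("traffic:", alert)
    for change in unexplained_changes(DEVICE_CHANGES, APPROVED_CHANGES):
        print("change needs review:", change)
```

On the constructed data this yields two new-master alerts, one discovery alert and one volume alert from the flows, and flags the uncovered alarm-setting change plus the update-mode transition while leaving the ticketed parameter change alone. In practice the baseline would be generated from the IED inventory and a learning period of observed traffic, and the change records would come from the device-management and engineering change systems named in the telemetry list.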
Mitigation priorities
- Maintain an authoritative IED inventory with ownership, criticality, firmware/software versions, communications peers, and supported management paths.
- Enforce formal change control for parameter, alarm, firmware, and mode changes, including operational approval and post-change verification.
- Restrict and monitor management access, valid account use, and remote service exposure to only required engineering and operations paths.
- Segment and monitor IED communications with RTUs and Control Servers so unexpected masters, discovery, or abnormal traffic volumes are visible.
- Include IED restart, denial-of-service, firmware-mode, and configuration-manipulation scenarios in OT incident response playbooks.
Analyst notes and limits
This object is an ATT&CK ICS asset, not a technique. The strongest decision value comes from its relationship context: many ICS techniques target IEDs, spanning discovery, credential use, configuration modification, denial of service, firmware/update behavior, and supply-chain or removable-media pathways. The supplied description specifically places IEDs in the electric sector and identifies embedded implementation and communication with RTUs and Control Servers.
MITRE provides no official detection text, no tactics, no aliases, and only the Embedded platform for this asset. Local architecture, vendor implementation, protocol use, logging capability, safety role, and maintenance practices are required before assessing actual exposure, control effectiveness, or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T0806 | Brute Force I/O | Brute Force I/O targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0871 | Execution through API | Execution through API targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T1695.001 | Serial COM Sub-technique | Serial COM targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T0801 | Monitor Process State | Monitor Process State targets this object. |
| ICS | T1691 | Block Operational Technology Message | Block Operational Technology Message targets this object. |
| ICS | T0836 | Modify Parameter | Modify Parameter targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0878 | Alarm Suppression | Alarm Suppression targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0838 | Modify Alarm Settings | Modify Alarm Settings targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T0848 | Rogue Master | Rogue Master targets this object. |
| ICS | T1693.001 | System Firmware Sub-technique | System Firmware targets this object. |
| ICS | T1692.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T1691.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T1692 | Unauthorized Message | Unauthorized Message targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T1692.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T1691.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0800 | Activate Firmware Update Mode | Activate Firmware Update Mode targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T0861 | Point & Tag Identification | Point & Tag Identification targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | e6801a3a0ef2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: A0005 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.