A0006: Data Historian
Data historians, or historians, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices. The historian typically utilizes a database to store this data, and commonly provides tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly need access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site-level historians collect and store data which is then aggregated into a site/plant-level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network. Many data historian vendors have designed their software to securely transfer data between the ICS and business networks instead of requiring business systems to access the data historian in the ICS network directly.
Analyst context for executives and security teams
A data historian is often the bridge between operational process data and business or engineering analysis. That makes it important beyond “just another OT server”: it may hold telemetry, events, alerts, alarms, and process history, and it commonly needs some form of corporate-network access or data transfer path. If poorly governed, it can become a place to observe process state, collect sensitive operational information, or disrupt the availability and integrity of data that operators and business teams rely on.
Executive priority
Treat historians as high-value ICS assets because they connect operational visibility with business use cases. Leaders should ask whether historian access paths between ICS and corporate networks are explicitly designed, documented, monitored, and justified; whether remote services are limited to approved use; and whether the organization can prove who accessed historian data, from where, and for what purpose. This matters for operational resilience, audit evidence, incident scoping, and cyber-physical risk decisions when process telemetry or alarms are part of safety, reliability, or production workflows.
Technical view
For SOC, detection engineering, and IR teams, validate visibility around Windows, Linux, and embedded historian deployments and the network paths that aggregate lower/site-level historians into plant or site historians. Relationship context shows this asset can be targeted by process-state monitoring, automated collection, information repository collection, remote services, CLI/GUI access, discovery, port/broadcast/multicast scanning, network sniffing, adversary-in-the-middle activity, valid accounts, scripting, masquerading, rootkits, data destruction, denial of service, and restart/shutdown behavior. Because MITRE provides no official detection guidance for this asset, local baselines are essential: normal historian queries, approved engineering/business analytics jobs, expected data-transfer services, and sanctioned remote access should be clearly distinguishable from unusual enumeration, bulk access, administrative sessions, or destructive changes.
Likely telemetry
- Historian application logs, database access logs, query history, export activity, and alarm/event access records
- Authentication and authorization logs for users, service accounts, remote services, and corporate-to-ICS access paths
- Windows and Linux endpoint telemetry: process execution, command-line use, scripting activity, service changes, file creation/deletion, and system restart/shutdown events
- Network flow and packet metadata between lower/site historians, plant/site historians, ICS segments, and corporate network consumers
- Remote access, GUI, VPN/Citrix or other external remote service session logs where applicable
Detection direction
- Start with an approved communications map: which systems may query, administer, replicate, or receive data from each historian tier.
- Baseline normal business analytics, engineering analysis, vendor transfer tools, and scheduled aggregation jobs to reduce false positives from legitimate high-volume historian access.
- Tune for unusual access patterns: new source hosts, new accounts, off-hours sessions, unexpected remote services, abnormal query/export volume, or access to process-state data outside known workflows.
- Correlate endpoint and network signals: CLI/GUI sessions, scripting, native API activity, file changes, and remote sessions should be reviewed alongside historian queries and network discovery.
- Watch for discovery around historian assets, including port scans, broadcast discovery, multicast discovery, network connection enumeration, and sniffing-related indicators where sensors support it.
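The detection direction above (approved communications map, baseline, then tune for new hosts, new accounts, off-hours administration and bulk access) can be turned into a first-pass triage rule. This is an added example, not MITRE or Glexia code; the log format, host names, accounts, hours and the row threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed approved communications map: historian -> sanctioned (src host, account, action)
APPROVED_MAP = {
    "site-historian-01": {
        ("eng-ws-07", "svc_analytics", "query"),               # engineering analysis
        ("plant-historian-01", "svc_replicate", "replicate"),  # tier aggregation
        ("ics-admin-jump", "hist_admin", "admin"),             # sanctioned admin path
    },
}
ADMIN_HOURS = range(6, 20)        # constructed: admin sessions expected 06:00-19:59 local
BULK_ROWS_THRESHOLD = 50_000      # constructed: cumulative rows per (historian, host, account)

# Constructed sample log, format: ts|historian|src_host|account|action|rows
SAMPLE_LOG = [
    "2026-03-02T09:15:00|site-historian-01|eng-ws-07|svc_analytics|query|1200",
    "2026-03-02T09:20:00|site-historian-01|plant-historian-01|svc_replicate|replicate|40000",
    "2026-03-02T02:40:00|site-historian-01|ics-admin-jump|hist_admin|admin|0",
    "2026-03-02T10:05:00|site-historian-01|corp-laptop-22|jdoe|query|30000",
    "2026-03-02T10:06:00|site-historian-01|corp-laptop-22|jdoe|query|30000",
    "2026-03-02T11:00:00|site-historian-01|eng-ws-07|svc_analytics|export|60000",
]

def parse_line(line):
    ts, hist, src, acct, action, rows = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "historian": hist, "src": src,
            "account": acct, "action": action, "rows": int(rows)}

def triage(lines):
    """Return (reason, historian, src_host, account) findings for deviations from the map."""
    findings, rows_seen = [], defaultdict(int)
    for ev in map(parse_line, lines):
        allowed = APPROVED_MAP.get(ev["historian"], set())
        who = (ev["historian"], ev["src"], ev["account"])
        if (ev["src"], ev["account"], ev["action"]) not in allowed:
            # Classify the deviation: host, account or action is outside the approved map.
            if ev["src"] not in {a[0] for a in allowed}:
                findings.append(("new_source_host",) + who)
            elif ev["account"] not in {a[1] for a in allowed}:
                findings.append(("new_account",) + who)
            else:
                findings.append(("unapproved_action",) + who)
        if ev["action"] == "admin" and ev["ts"].hour not in ADMIN_HOURS:
            findings.append(("off_hours_admin",) + who)
        if ev["action"] in ("query", "export"):
            rows_seen[who] += ev["rows"]
    # Bulk access is judged on cumulative volume so repeated small pulls are not missed.
    findings += [("bulk_access",) + who for who, n in rows_seen.items() if n > BULK_ROWS_THRESHOLD]
    return findings
```

Approved replication between tiers produces no finding even at high volume, which is the false-positive reduction the baseline step is meant to achieve.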
Mitigation priorities
- Inventory historians, their operating platforms, tiers, databases, interfaces, remote services, and approved corporate-network dependencies.
- Prefer controlled historian data-transfer architectures over broad direct corporate access to historians inside the ICS network, consistent with the asset description.
- Restrict remote services and administrative interfaces to approved users, systems, and network paths; review valid accounts and service accounts for least privilege.
- Maintain segmentation and access control between corporate networks, site/plant historians, and lower/site-level historians while preserving required operational data flows.
- Harden Windows, Linux, and embedded historian hosts by reducing unnecessary services, controlling CLI/GUI administration paths, and monitoring scripting and file changes.
Analyst notes and limits
The most important decision point is whether the historian is treated as a monitored boundary asset between operations and business users, not merely as an engineering database. The relationships show a broad set of possible adversary interactions, but they do not prove that every historian exposes every interface or risk. Local architecture, vendor implementation, account model, and data-transfer design determine which controls and detections matter most.
MITRE provides an asset description, platforms, and relationships, but no official detection guidance, tactics, aliases, or vendor-specific implementation details. This take does not assert active exploitation, attribution, or guaranteed detection coverage. Validation requires environment-specific evidence from historian architecture, logs, network flows, identity systems, and remote access controls.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0811 | Data from Information Repositories | Data from Information Repositories targets this object. |
| ICS | T0823 | Graphical User Interface | Graphical User Interface targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T0853 | Scripting | Scripting targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T0801 | Monitor Process State | Monitor Process State targets this object. |
| ICS | T0893 | Data from Local System | Data from Local System targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0849 | Masquerading | Masquerading targets this object. |
| ICS | T0895 | Autorun Image | Autorun Image targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0878 | Alarm Suppression | Alarm Suppression targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0848 | Rogue Master | Rogue Master targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0807 | Command-Line Interface | Command-Line Interface targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0894 | System Binary Proxy Execution | System Binary Proxy Execution targets this object. |
| ICS | T0886 | Remote Services | Remote Services targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0822 | External Remote Services | External Remote Services targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0861 | Point & Tag Identification | Point & Tag Identification targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T0802 | Automated Collection | Automated Collection targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | b84fa8dd662e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: A0006
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.