A0010: Safety Controller
Safety controllers are typically a type of field device used to perform safety-critical functions. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector-specific functions/applications. Safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.
Analyst context for executives and security teams
A safety controller is an embedded ICS asset responsible for safety-critical functions, often using custom logic and redundant hardware to keep operating during component failure. Its business importance is that compromise, misconfiguration, or unauthorized change can affect the last line of automated protection for industrial operations. The ATT&CK relationship context shows this asset is relevant to behaviors such as program download/upload, I/O manipulation, alarm modification, denial of service, restart/shutdown, firmware update mode abuse, process-state monitoring, network discovery/sniffing, and removable media movement.
Executive priority
Treat safety controllers as high-priority cyber-physical risk assets, not ordinary controllers. Leaders should ask whether these devices are inventoried, change-controlled, segmented, monitored, and included in incident response and safety assurance processes. Budget and audit focus should prioritize evidence that only authorized engineering activity can modify safety logic, that unauthorized discovery or network access would be noticed, and that response plans account for scenarios where safety functions may be unavailable, altered, or placed into maintenance/update states.
Technical view
For SOC, OT engineering, and IR teams, the key validation question is whether you can distinguish approved safety-controller maintenance from unauthorized interaction. ATT&CK provides no official detection text for this asset, so coverage must be derived from local architecture and the related techniques targeting it. Validate monitoring around engineering workstations and vendor tools used for program upload/download, online edits, program append, controller tasking changes, firmware/update modes, restart/shutdown events, I/O and alarm setting changes, process state access, and unusual discovery or sniffing near safety networks. Because the asset platform is Embedded, host-level telemetry may be limited; network, engineering-station, controller audit, historian, and operator-console evidence often decide visibility.
Likely telemetry
- Safety controller inventory, firmware/version, configuration, and logic baselines where available
- Engineering workstation logs and vendor software activity for upload, download, online edit, append, and tasking changes
- Controller event/audit logs for mode changes, restart/shutdown, firmware update mode, alarms, overrides, and configuration changes where supported
- OT network traffic metadata and packet captures for controller communications, discovery, broadcast/multicast, port scanning, and possible adversary-in-the-middle conditions
- Historian, OPC, HMI, alarm, and process-state records showing reads, writes, alarm changes, and abnormal I/O behavior
Detection direction
- Build allowlists of expected engineering stations, protocols, maintenance windows, and accounts that may communicate with safety controllers.
- Alert on program upload/download, online edit, program append, controller tasking changes, alarm setting changes, I/O overrides, restart/shutdown, or firmware/update mode activity outside approved change windows.
- Correlate network discovery, port scans, broadcast or multicast discovery, and sniffing indicators with asset criticality; these may be early-stage behaviors before controller modification.
- Compare controller logic/configuration and alarm settings against known-good baselines after maintenance, incidents, or unexplained process anomalies.
- Tune false positives around legitimate commissioning, testing, vendor maintenance, and safety proof-test activities; require change-ticket correlation rather than treating all engineering activity as malicious.
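An added example of the allowlist, change-window, ticket-correlation and baseline checks described above, run over constructed controller event records. It is not part of the ATT&CK page or the Glexia analysis; the event field names, IP addresses, account names, maintenance window and ticket id are assumptions.

```python
import hashlib
from datetime import datetime, timezone
UTC = timezone.utc

# Operations the page lists as alert-worthy outside approved change windows.
ENGINEERING_OPS = {"program_download", "program_upload", "online_edit", "program_append",
                   "modify_tasking", "modify_alarm", "io_override", "restart_shutdown",
                   "firmware_update_mode"}

# Constructed allowlist (assumed values): approved stations, accounts, windows, tickets.
POLICY = {
    "stations": {"10.10.5.20"},     # assumed safety engineering workstation
    "accounts": {"safety_eng"},
    "windows": [(datetime(2024, 3, 2, 8, 0, tzinfo=UTC),
                 datetime(2024, 3, 2, 12, 0, tzinfo=UTC))],
    "tickets": {"CHG-0042"},        # assumed approved change ticket
}

def evaluate(event, policy=POLICY):
    """Return reasons an engineering operation should alert; an empty list means approved."""
    if event["op"] not in ENGINEERING_OPS:
        return []                     # reads/monitoring are correlated elsewhere
    reasons = []
    if event["src"] not in policy["stations"]:
        reasons.append("unapproved engineering station")
    if event["account"] not in policy["accounts"]:
        reasons.append("unapproved account")
    if not any(start <= event["ts"] <= end for start, end in policy["windows"]):
        reasons.append("outside maintenance window")
    if event.get("ticket") not in policy["tickets"]:
        reasons.append("no matching change ticket")
    return reasons

def baseline_drift(logic: bytes, baseline_sha256: str) -> bool:
    """True when an uploaded controller logic image no longer matches the known-good hash."""
    return hashlib.sha256(logic).hexdigest() != baseline_sha256

# Constructed sample events: approved download, off-hours online edit from an HMI, a read.
EVENTS = [
    {"id": 1, "ts": datetime(2024, 3, 2, 9, 30, tzinfo=UTC), "src": "10.10.5.20",
     "account": "safety_eng", "op": "program_download", "ticket": "CHG-0042"},
    {"id": 2, "ts": datetime(2024, 3, 2, 23, 10, tzinfo=UTC), "src": "10.10.7.31",
     "account": "operator", "op": "online_edit"},
    {"id": 3, "ts": datetime(2024, 3, 2, 9, 31, tzinfo=UTC), "src": "10.10.5.20",
     "account": "safety_eng", "op": "monitor_process_state"},
]

def alerts(events=EVENTS):
    """Map event id -> alert reasons for every event that fails the policy."""
    return {e["id"]: evaluate(e) for e in events if evaluate(e)}
```

Only event 2 alerts (all four reasons); the approved download and the process-state read pass, which is the change-ticket correlation the last bullet asks for.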
Mitigation priorities
- Maintain an authoritative inventory of safety controllers, their network locations, approved engineering paths, firmware/configuration state, and responsible process owners.
- Enforce strict change management for safety logic, alarm settings, firmware/update modes, and controller tasking, with independent review for safety-critical changes.
- Limit access to safety controllers to approved engineering workstations, accounts, and maintenance windows; separate safety-system access from general enterprise and control-network access where architecture permits.
- Baseline and periodically verify controller programs, configurations, alarm settings, and I/O-related settings against approved versions.
- Monitor and control removable media and third-party/contractor access for environments where safety controllers are isolated but physically reachable.
Analyst notes and limits
This object is an ATT&CK for ICS asset, not a technique. The practical value comes from treating it as a critical target class and mapping the related techniques to defensive validation. The supplied relationships indicate a broad set of adversary behaviors that may target safety controllers, especially engineering changes, network discovery, process-state observation, I/O and alarm manipulation, device disruption, and removable media movement.
MITRE provides no official detection guidance for A0010, no tactics for the asset itself, and only the Embedded platform. This take does not assert active exploitation, specific vendor exposure, or guaranteed detection. Local safety architecture, controller capabilities, logging support, engineering workflows, and process hazard analysis are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T1693.002 | Module Firmware Sub-technique | Module Firmware targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T1691 | Block Operational Technology Message | Block Operational Technology Message targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0801 | Monitor Process State | Monitor Process State targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T1692.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0871 | Execution through API | Execution through API targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0877 | I/O Image | I/O Image targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T0845 | Program Upload | Program Upload targets this object. |
| ICS | T0821 | Modify Controller Tasking | Modify Controller Tasking targets this object. |
| ICS | T1693.001 | System Firmware Sub-technique | System Firmware targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0843.001 | Download All Sub-technique | Download All targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0878 | Alarm Suppression | Alarm Suppression targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T1692.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0835 | Manipulate I/O Image | Manipulate I/O Image targets this object. |
| ICS | T0843.002 | Online Edit Sub-technique | Online Edit targets this object. |
| ICS | T0843.003 | Program Append Sub-technique | Program Append targets this object. |
| ICS | T0868 | Detect Operating Mode | Detect Operating Mode targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T0889 | Modify Program | Modify Program targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T0843 | Program Download | Program Download targets this object. |
| ICS | T0800 | Activate Firmware Update Mode | Activate Firmware Update Mode targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T1693 | Modify Firmware | Modify Firmware targets this object. |
| ICS | T1691.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T0861 | Point & Tag Identification | Point & Tag Identification targets this object. |
| ICS | T1692 | Unauthorized Message | Unauthorized Message targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T1691.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0838 | Modify Alarm Settings | Modify Alarm Settings targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T0858 | Change Operating Mode | Change Operating Mode targets this object. |
| ICS | T0806 | Brute Force I/O | Brute Force I/O targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0848 | Rogue Master | Rogue Master targets this object. |
| ICS | T1695.001 | Serial COM Sub-technique | Serial COM targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | daf468fa75f8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.