A0011: Virtual Private Network (VPN) Server
A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.
Analyst context for executives and security teams
An ICS VPN server is a high-value boundary asset because it can securely bridge remote devices or entire networks into a control-system environment. The ATT&CK relationships show that adversary behaviors targeting this asset include external remote service abuse, exploitation of public-facing or remote services, valid account use, discovery, network sniffing, lateral tool transfer, service stop, restart/shutdown, data destruction, and internet-accessible device access. For leaders, the practical issue is not simply “do we have a VPN,” but whether the organization can prove who can reach it, how it is maintained, what it exposes into OT, and whether abnormal use would be visible before operational disruption occurs.
Executive priority
Treat ICS VPN servers as resilience-critical access infrastructure. They may enable remote operations and vendor access, but they also concentrate risk at the IT/OT boundary. Priority questions should include: which VPN servers connect into control-system networks, whether any are internet-accessible, whether access depends on valid accounts, whether patch and configuration ownership is clear across Embedded, Linux, and Windows deployments, and whether logs are sufficient for incident response and compliance evidence. Because related ATT&CK techniques include device shutdown/restart, service stop, and data destruction, weak governance of this asset can become an operational-continuity and cyber-physical risk issue, not only an IT access issue.
Technical view
For SOC, detection engineering, and IR teams, validate visibility around VPN authentication, remote service exposure, administrative actions, service state changes, system restarts, file transfers, network discovery, and traffic inspection points around the VPN server. ATT&CK provides no official detection text for this asset, so coverage must be built from the behaviors that target it: T0822 External Remote Services, T0819 Exploit Public-Facing Application, T0866 Exploitation of Remote Services, T0859 Valid Accounts, T0846 Remote System Discovery and sub-techniques, T0842 Network Sniffing, T0867 Lateral Tool Transfer, T0881 Service Stop, T0816 Device Restart/Shutdown, T0872 Indicator Removal on Host, and T0883 Internet Accessible Device. Validation should be platform-aware for Embedded, Linux, and Windows VPN servers and should account for legitimate remote administration and field VPN activity.
Likely telemetry
- VPN server authentication and session logs, including successful and failed remote access attempts
- Administrative login and configuration-change records for the VPN server
- Operating system and service logs from Embedded, Linux, or Windows implementations where available
- Network flow metadata between remote VPN devices, the VPN server, and internal ICS networks
- Perimeter exposure data showing whether the VPN server or related services are internet-accessible
Detection direction
- Start by confirming the asset inventory: every ICS VPN server, platform type, management interface, exposed service, connected field VPN, and network segment it bridges.
- Because ATT&CK provides no official detection guidance for A0011, map detections to related targeting behaviors rather than to the asset name alone.
- Tune VPN authentication monitoring for unusual successful use, repeated failures, unexpected source locations or devices, use outside maintenance windows, and access by accounts that should not reach ICS networks; account for legitimate vendor and operator access to reduce false positives.
- Correlate external exposure and vulnerability findings with logs for T0819, T0822, T0866, and T0883 so internet-facing or remote-service risk is not handled separately from SOC monitoring.
- Monitor for discovery from or through the VPN server, including port scanning, broadcast discovery, multicast discovery, and unusual enumeration of internal systems.
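One way to turn the authentication-monitoring bullet above into a first-pass SOC rule, as an added Python example that is not part of the original page or of any VPN product: the log format, the account list, the maintenance window and the expected source geos are constructed assumptions, and the log lines are made up.

```python
import re
from collections import Counter

# Constructed sample VPN authentication log (not from any real product); one line
# per attempt: date, time, outcome, account, source IP, source geo, target segment.
SAMPLE_LOG = """\
2025-03-10 02:14:05 FAIL user=vendor_a src=203.0.113.7 geo=XX seg=ICS
2025-03-10 02:14:09 FAIL user=vendor_a src=203.0.113.7 geo=XX seg=ICS
2025-03-10 02:14:13 FAIL user=vendor_a src=203.0.113.7 geo=XX seg=ICS
2025-03-10 02:14:20 OK user=vendor_a src=203.0.113.7 geo=XX seg=ICS
2025-03-10 10:05:00 OK user=ot_eng1 src=198.51.100.4 geo=US seg=ICS
2025-03-10 11:30:00 OK user=hr_jane src=198.51.100.9 geo=US seg=ICS
"""

# Assumed local policy (hypothetical values): accounts allowed into the ICS
# segment, the vendor/maintenance window in local hours, expected source geos.
ICS_AUTHORIZED = {"ot_eng1", "vendor_a"}
MAINT_HOURS = range(8, 18)
EXPECTED_GEO = {"US"}
FAIL_THRESHOLD = 3

LINE_RE = re.compile(r"(?P<date>\S+) (?P<time>\S+) (?P<outcome>OK|FAIL) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) geo=(?P<geo>\S+) seg=(?P<seg>\S+)")

def parse(log_text):
    """Parse matching lines into dicts; lines that do not fit the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def analyze(log_text):
    """Return (rule, user, src, time) alerts for the behaviors the guidance lists."""
    alerts, fails = [], Counter()   # fails: failed attempts so far per (user, src)
    for ev in parse(log_text):
        key, when = (ev["user"], ev["src"]), ev["time"]
        if ev["outcome"] == "FAIL":
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:          # fire once, at the threshold
                alerts.append(("repeated_failures", *key, when))
            continue
        # Successful login: success right after a failure burst, use outside the
        # window, an unexpected source, or an account with no business in ICS.
        if fails[key] >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", *key, when))
        if int(when[:2]) not in MAINT_HOURS:
            alerts.append(("outside_window", *key, when))
        if ev["geo"] not in EXPECTED_GEO:
            alerts.append(("unexpected_source", *key, when))
        if ev["seg"] == "ICS" and ev["user"] not in ICS_AUTHORIZED:
            alerts.append(("unauthorized_ics_access", *key, when))
    return alerts
```

The per-(user, source) counter and the "success after failures" rule are what separate a noisy failed-login alert from the higher-signal case where a burst of failures ends in a successful ICS-bound session; the allow-list rule catches the valid-account case where credentials are correct but the account should never reach OT.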
Mitigation priorities
- Prioritize complete inventory and ownership of all ICS VPN servers, including field VPN relationships and any internet-accessible services.
- Restrict remote access paths to only required users, devices, vendors, and network destinations; review whether the VPN bridges more traffic than operationally necessary.
- Strengthen identity controls for VPN access, especially around valid account risk, default credential exposure, privileged access, and vendor access governance.
- Maintain patch, firmware, and configuration management for VPN server software, operating systems, and exposed remote services, using vulnerability management evidence to prioritize public-facing or remotely reachable weaknesses.
- Segment VPN-connected traffic so remote access does not automatically provide broad reachability into control-system networks.
Analyst notes and limits
This take is based on the ATT&CK ICS asset A0011 Virtual Private Network (VPN) Server, its official description, supported platforms, external references, and listed relationships where multiple ICS techniques target the asset. The relationship set makes the VPN server relevant to access, discovery, lateral movement, evasion, and disruption. Defensive value depends heavily on local architecture: whether the VPN server is internet-accessible, how it authenticates users and field devices, what networks it bridges, and whether its logs are usable during an OT incident.
MITRE does not provide official detection text, tactics, aliases, or labels for this asset in the supplied fields. The related technique descriptions are partial in some cases, and the asset record does not specify products, protocols, configuration requirements, or active threat activity. Local validation is required before drawing conclusions about exposure, exploitability, monitoring coverage, or operational impact.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T1693.001 | System Firmware Sub-technique | System Firmware targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0867 | Lateral Tool Transfer | Lateral Tool Transfer targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T1695.001 | Serial COM Sub-technique | Serial COM targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0883 | Internet Accessible Device | Internet Accessible Device targets this object. |
| ICS | T0822 | External Remote Services | External Remote Services targets this object. |
| ICS | T0819 | Exploit Public-Facing Application | Exploit Public-Facing Application targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T0886 | Remote Services | Remote Services targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 42648591e555… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] IEC. Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components. February 2019. Retrieved 2020/09/25. (Open source URL)
[2] MITRE ATT&CK. A0011. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.