A0014: Routers
A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.[1]
Analyst context for executives and security teams
Routers are decision points between networks, so in an ICS environment they can become both a dependency for operations and a choke point for adversary activity. The ATT&CK relationships show routers being relevant to discovery, remote access abuse, credential misuse, traffic interception/proxying, communications blocking, restart/shutdown, and data destruction. For leaders, the practical issue is not just whether routers exist, but whether the organization can prove they are inventoried, securely administered, monitored, and recoverable if network paths supporting control operations are disrupted.
Executive priority
Treat ICS routers as resilience-critical infrastructure. They sit at boundaries where remote services, Ethernet/Wi-Fi communications, and inter-network routing can affect operational continuity and incident response access. Priority questions for executives and risk owners: Which routers connect IT, OT, vendor access, wireless, or other trusted networks? Are default or insecure credentials eliminated where possible? Are management paths controlled and logged? Is there a tested recovery path if a router is restarted, shut down, reconfigured, or used to block communications? These answers support control prioritization, audit evidence, and cyber-physical risk discussions.
Technical view
For SOC, detection engineering, and IR teams, validate visibility around Embedded and Network platforms that perform routing in the ICS environment. MITRE provides no official detection text for this asset, so coverage should be built from relationship context: scans and discovery against routers; use of external remote services; exploitation of remote services or vulnerabilities; credential changes or default credential use; unexpected restart/shutdown; proxy-like behavior; communications over commonly used ports; adversary-in-the-middle indicators; and loss or blocking of Ethernet/Wi-Fi communications. Baseline normal routing, management, and remote access behavior before alerting on deviations.
Likely telemetry
- Asset inventory and network topology showing routers between IT, OT, vendor, wireless, and other network segments
- Router configuration backups and change records
- Authentication and administrative access logs for router management interfaces
- Remote access gateway, VPN, or other external remote service logs where they interact with router-controlled paths
- Network flow records across routed boundaries
Detection direction
- Confirm routers are represented as monitored assets, not just passive network infrastructure.
- Baseline expected management sources, administrator accounts, ports, protocols, and maintenance windows; alert on deviations, especially credential changes, configuration changes, restart/shutdown, or unexpected remote access.
- Tune discovery detections for ICS context: port scans, broadcast discovery, and multicast discovery may overlap with legitimate engineering, inventory, or monitoring tools, so source identity and timing matter.
- Look for routed-boundary anomalies such as unusual proxy behavior, traffic interception symptoms, blocked communications, or unexpected use of commonly used ports that differs from the expected protocol or destination pattern.
- Correlate loss of communications with router interface events, routing changes, authentication events, and device restarts before treating it as only a process or endpoint issue.
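As an added example (not from the ATT&CK object or Glexia's own tooling), the following Python script implements the baseline-and-deviation approach described above over a handful of constructed router management events: logins from sources or accounts outside the known administration set, configuration, credential and restart events outside the maintenance window, and a communications-loss report that follows a restart of the same router closely enough to be correlated. The log format, hostnames, addresses, account names and window values are all assumptions for the demo, not a vendor format.

```python
"""Baseline-and-deviation checks for ICS router management events.

Added example, not part of the ATT&CK page or Glexia's tooling. The log
format, hostnames, addresses and account names are constructed for the demo.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed baseline: what "normal" router administration looks like here.
BASELINE = {
    "mgmt_sources": {"10.10.5.20", "10.10.5.21"},       # approved jump hosts
    "admin_accounts": {"netops-a", "netops-b"},          # approved admin accounts
    "maintenance_windows": [(2, 5)],                     # 02:00-05:00 local, [start, end)
    "restart_to_comms_loss_window": timedelta(minutes=5),
}

# Constructed syslog-style lines; the "TS HOST EVENT key=value ..." layout is hypothetical.
SAMPLE_LOG = """\
2024-03-10T02:10:01 rtr-ot-01 LOGIN user=netops-a src=10.10.5.20 result=success
2024-03-10T02:12:30 rtr-ot-01 CONFIG user=netops-a change=acl-update
2024-03-10T13:45:10 rtr-ot-01 LOGIN user=netops-a src=192.168.77.9 result=success
2024-03-10T13:46:02 rtr-ot-01 CREDENTIAL user=netops-a change=password account=admin
2024-03-10T13:47:15 rtr-ot-01 RESTART user=netops-a reason=manual
2024-03-10T13:49:40 plc-line3 COMMS_LOSS peer=rtr-ot-01
2024-03-10T14:05:00 rtr-ot-01 LOGIN user=vendor-tmp src=10.10.5.20 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "event": m["event"], **fields}


def in_maintenance_window(ts: datetime, windows) -> bool:
    """True when the timestamp's hour falls inside any approved window."""
    return any(start <= ts.hour < end for start, end in windows)


def evaluate(log_text: str, baseline: dict = BASELINE) -> list[tuple]:
    """Return (timestamp, host, finding, detail) tuples for every deviation from baseline."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    last_restart: dict[str, datetime] = {}   # router host -> most recent restart time
    for e in events:
        ev = e["event"]
        if ev == "LOGIN":
            # Management access from a source or account outside the approved set.
            if e.get("src") not in baseline["mgmt_sources"]:
                findings.append((e["ts"], e["host"], "login_from_unexpected_source", e.get("src")))
            if e.get("user") not in baseline["admin_accounts"]:
                findings.append((e["ts"], e["host"], "login_by_unexpected_account", e.get("user")))
        elif ev in ("CONFIG", "CREDENTIAL", "RESTART"):
            # Config, credential and restart events are expected only inside maintenance windows.
            if not in_maintenance_window(e["ts"], baseline["maintenance_windows"]):
                findings.append((e["ts"], e["host"], f"{ev.lower()}_outside_window", e.get("user")))
            if ev == "RESTART":
                last_restart[e["host"]] = e["ts"]
        elif ev == "COMMS_LOSS":
            # Correlate a peer's communications loss with a recent restart of that router
            # before treating it as a process or endpoint problem.
            peer = e.get("peer")
            t = last_restart.get(peer)
            if t is not None and e["ts"] - t <= baseline["restart_to_comms_loss_window"]:
                findings.append((e["ts"], e["host"], "comms_loss_after_router_restart", peer))
    return findings


if __name__ == "__main__":
    for ts, host, finding, detail in evaluate(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host} {finding} {detail}")
```

Run stand-alone, the script flags five of the seven constructed lines; the two in-window events from an approved source and account are silent. In practice the baseline sets would be populated from the asset inventory and change records listed under likely telemetry, and the window values tuned per site.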
Mitigation priorities
- Maintain an accurate inventory of ICS routers and the networks, remote services, Ethernet, and Wi-Fi paths they support.
- Restrict and monitor administrative access to router management functions, especially from external remote service paths.
- Review credentials for default, hardcoded, shared, or otherwise insecure use where local device capabilities allow remediation.
- Control and document configuration changes, including routing, access control, interface state, and management service exposure.
- Keep recoverable configuration backups and test restoration procedures for restart, shutdown, destructive change, or lockout scenarios.
Analyst notes and limits
This object is an ICS asset definition, not a technique. Its value comes from the set of techniques that target it: Data Destruction, Device Restart/Shutdown, Exploitation for Evasion, External Remote Services, Adversary-in-the-Middle, Port/Broadcast/Multicast Discovery, Exploitation of Remote Services, Hooking, Connection Proxy, Commonly Used Port, Exploitation for Privilege Escalation, Change Credential, Insecure/Default Credentials, and Block Communications over Ethernet or Wi-Fi. The strongest defensive use is to map these behaviors to the organization’s actual router roles and management paths.
MITRE does not provide tactics or official detection guidance for this asset, and the supplied platform scope is limited to Embedded and Network. This take does not imply active exploitation, attribution, or existing detection coverage. Local topology, device models, management methods, remote access design, and operational procedures are required to determine material risk and feasible monitoring.
Routers
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T0822 | External Remote Services | External Remote Services targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 051ba95b22d7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] IETF RFC4949 2007. Internet Engineering Task Force. (2007, August). Internet Security Glossary, Version 2. Retrieved September 29, 2023.
[2] mitre-attack A0014. MITRE ATT&CK source record for asset A0014.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.