A0016: Firewall
A gateway that limits access between networks in accordance with local security policy.
In ICS networks, firewalls can exist in multiple locations in the network architecture and serve a variety of purposes. The first, and often the most important, is the firewall segmenting the ICS network from the business network. This firewall acts as the primary network boundary point that controls the ingress/egress of network traffic between the ICS and business networks. This firewall may also be a single device connected to multiple network segments, where the firewall defines individual zones for the different network segments and can control access to the zones and between the zones. This can limit the ability of an adversary to traverse a network.
Analyst context for executives and security teams
In an ICS environment, a firewall is often the control point that separates business IT from control system networks and enforces traffic between zones. Its value is not just blocking traffic; it is a dependency for operational resilience because many ATT&CK techniques target it as a path for access, discovery, remote administration, evasion, command and control, or disruption. Executives should treat firewall governance as both a security and continuity issue: if rules, remote access paths, credentials, or logging are weak, defenders may lose visibility into the boundary that is meant to limit adversary movement into industrial operations.
Executive priority
Prioritize evidence that ICS firewalls are intentionally segmented, governed by local security policy, monitored, and included in incident response planning. This asset is related to techniques involving public-facing application exploitation, external remote services, valid accounts, discovery, network sniffing, adversary-in-the-middle activity, denial of service, device restart/shutdown, and data destruction. That relationship context makes firewall control assurance relevant to business continuity, vendor/remote access risk, vulnerability prioritization, audit evidence, and cyber-physical risk management. Leaders should ask who owns rule approval, how emergency changes are reviewed, what remote access is permitted, whether logs are retained centrally, and whether operations can continue if the firewall becomes unavailable or misconfigured.
Technical view
For SOC, detection engineering, and IR teams, validate the firewall as a monitored ICS boundary asset across Embedded, Windows, Linux, and Network platforms where applicable. ATT&CK provides no official detection text for this asset, so coverage should be derived from its role and related techniques: command-line or GUI administration, external remote services, valid-account use, public-facing exposure, remote service exploitation, network discovery, port/broadcast/multicast discovery, standard application-layer protocols, network sniffing, adversary-in-the-middle conditions, evasion through exploitation, indicator removal, restart/shutdown, denial of service, and destructive activity. Confirm that firewall management events, rule changes, authentication events, interface status, traffic denies/allows, remote administration sessions, and anomalous protocol flows are available to investigators before an incident.
Likely telemetry
- Firewall allow/deny traffic logs across ICS-to-business and inter-zone boundaries
- Firewall rule, policy, NAT, route, and object change records
- Administrator authentication, authorization, session, CLI, and GUI access logs
- Remote access and external remote service connection records where the firewall participates in access control
- System health telemetry such as interface state, CPU/memory, restart/shutdown events, and service availability
Detection direction
- Baseline expected traffic between the business network, ICS network, and internal firewall zones; alert on new paths, unusual protocols, and unexpected ingress/egress patterns.
- Monitor administrative access for unusual source locations, times, accounts, failed logons, successful privileged sessions, and changes made through CLI or GUI interfaces.
- Tune discovery detections for port scanning, broadcast discovery, and multicast discovery with awareness that legitimate engineering, inventory, and monitoring tools may generate similar traffic.
- Correlate firewall events with remote access, valid-account use, public-facing service exposure, and exploitation-related vulnerability evidence to improve triage value.
- Watch for loss of visibility signals: logging disabled, configuration changes without approval, indicator removal behavior, unexpected restart/shutdown, interface flaps, or denial-of-service symptoms.
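The detection directions above, applied to a handful of sample events. This is an added example, not content from the ATT&CK asset page: the key=value line format, the host name fw01, the zone names, the field names, and the baseline flows are all constructed for illustration and match no particular vendor's log output, so parse_line() would need adapting to the product in use. It checks allowed flows against a declared zone-pair baseline, flags administrative logins from zones that are not the management zone, treats rule changes and a "logging disabled" event as visibility-loss signals, and reports a silence gap or restart as an availability signal.

```python
"""Baseline-deviation and loss-of-visibility checks over ICS firewall logs.

Added example, not from the ATT&CK page. The log format, zone names, field names
and sample lines are constructed and do not mirror any vendor's syslog output.
"""
import re
from datetime import datetime, timezone

# Constructed key=value events from a hypothetical boundary firewall "fw01".
SAMPLE_LOG = """\
2026-03-01T10:00:01Z fw01 type=traffic action=allow src_zone=business dst_zone=ics src=10.1.5.20 dst=10.20.0.15 proto=tcp dport=443
2026-03-01T10:00:07Z fw01 type=traffic action=allow src_zone=ics dst_zone=business src=10.20.0.15 dst=10.1.8.40 proto=tcp dport=1433
2026-03-01T10:00:15Z fw01 type=traffic action=allow src_zone=business dst_zone=ics src=10.1.5.99 dst=10.20.0.15 proto=tcp dport=3389
2026-03-01T10:00:20Z fw01 type=traffic action=allow src_zone=business dst_zone=ics src=10.1.5.99 dst=10.20.0.15 proto=tcp dport=502
2026-03-01T10:01:02Z fw01 type=admin action=login user=admin src=203.0.113.7 src_zone=internet method=gui result=success
2026-03-01T10:01:30Z fw01 type=config action=rule_change user=admin rule=allow-any-ics src_zone=internet dst_zone=ics
2026-03-01T10:01:45Z fw01 type=config action=logging user=admin state=disabled
2026-03-01T10:45:00Z fw01 type=system action=restart reason=unknown
"""

# Declared baseline of permitted inter-zone flows (assumed; derived from the
# segmentation design, not learned from the logs above).
BASELINE_FLOWS = {
    ("business", "ics", "tcp", 443),    # historian web front end
    ("ics", "business", "tcp", 1433),   # historian replication to business SQL
}
ADMIN_SOURCE_ZONES = {"management"}      # only zone allowed to administer the firewall
LOG_GAP_SECONDS = 600                    # silence longer than this is a visibility signal

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed event line into a dict; numeric values become ints."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev = {"ts": ts, "host": m["host"]}
    for token in m["kv"].split():
        key, _, val = token.partition("=")
        ev[key] = int(val) if val.isdigit() else val
    return ev


def detect(events, baseline=BASELINE_FLOWS, admin_zones=ADMIN_SOURCE_ZONES,
           gap_seconds=LOG_GAP_SECONDS):
    """Return (kind, detail) alerts in event order."""
    alerts, prev_ts = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if prev_ts is not None:
            gap = (ev["ts"] - prev_ts).total_seconds()
            if gap > gap_seconds:
                alerts.append(("log_gap", f"{gap:.0f}s without events before {ev['ts'].isoformat()}"))
        prev_ts = ev["ts"]
        kind, action = ev.get("type"), ev.get("action")
        if kind == "traffic" and action == "allow":
            flow = (ev["src_zone"], ev["dst_zone"], ev["proto"], ev["dport"])
            if flow not in baseline:
                alerts.append(("new_path", f"{ev['src']}->{ev['dst']} {flow} not in baseline"))
        elif kind == "admin" and action == "login":
            if ev.get("src_zone") not in admin_zones:
                alerts.append(("admin_source", f"{ev['user']} via {ev['method']} from {ev['src']} ({ev['src_zone']})"))
        elif kind == "config":
            if action == "logging" and ev.get("state") == "disabled":
                alerts.append(("visibility_loss", f"logging disabled by {ev['user']}"))
            elif action == "rule_change":
                alerts.append(("rule_change", f"{ev['user']} changed rule {ev['rule']}"))
        elif kind == "system" and action in ("restart", "shutdown"):
            alerts.append(("availability", f"{action}, reason={ev.get('reason', '?')}"))
    return alerts


def analyze(text):
    """Parse a block of log text and run the detections over it."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return detect(events)


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind:16s} {detail}")
```

The baseline is declared rather than learned so that a rule an adversary adds (the internet-to-ICS rule in the sample) does not silently become "expected" traffic; if you do learn a baseline from history, freeze it before the period you are investigating. The admin_source check assumes a dedicated management zone exists; where administration is done from the business network, narrow it to the approved jump hosts instead.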
Mitigation priorities
- Establish and document the firewall’s intended role as the ICS/business boundary and, where applicable, as an inter-zone control point.
- Maintain least-privilege rule sets that allow only required communications between ICS, business, vendor, and management zones.
- Restrict and monitor administrative access, including CLI, GUI, and remote service access; review default, shared, and privileged accounts.
- Include firewall software, firmware, public-facing services, and remote access components in vulnerability and patch prioritization based on exposure and operational criticality.
- Centralize logs, preserve configuration history, and test that logs remain available during incident response.
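Least-privilege rule sets and the zone model described under the Firewall description are easier to assert than to verify. The following is an added example, not code from the ATT&CK page or any firewall vendor: the rule schema, zone names, and the APPROVED_PATHS set are constructed to illustrate the checks a reviewer would run over an exported policy. It flags allow rules that use "any", allow rules between zone pairs the architecture does not approve (business directly to ICS instead of via the DMZ), rules shadowed by an earlier broader rule (a common leftover from "temporary" troubleshooting), and a rule base that does not end with an explicit default deny.

```python
"""Least-privilege audit of a zone-based firewall rule set.

Added example, not from the ATT&CK page or any vendor. Rules are evaluated
top-down, first match wins; the schema and zone names are constructed.
"""
FIELDS = ("src", "dst", "proto", "dport")

# Constructed rule base for a firewall joining business, dmz, vendor, management and ics zones.
RULES = [
    {"name": "dmz-historian-to-ics", "src": "dmz", "dst": "ics", "proto": "tcp", "dport": 502, "action": "allow"},
    {"name": "business-to-dmz-web", "src": "business", "dst": "dmz", "proto": "tcp", "dport": 443, "action": "allow"},
    {"name": "vendor-rdp", "src": "vendor", "dst": "ics", "proto": "tcp", "dport": 3389, "action": "allow"},
    {"name": "temp-troubleshooting", "src": "business", "dst": "ics", "proto": "any", "dport": "any", "action": "allow"},
    {"name": "business-eng-ssh", "src": "business", "dst": "ics", "proto": "tcp", "dport": 22, "action": "allow"},
    {"name": "mgmt-ssh", "src": "management", "dst": "ics", "proto": "tcp", "dport": 22, "action": "allow"},
    {"name": "default-deny", "src": "any", "dst": "any", "proto": "any", "dport": "any", "action": "deny"},
]

# Zone pairs the segmentation design intentionally permits (assumed). Business and
# vendor reach ICS data only through the DMZ; only management administers ICS directly.
APPROVED_PATHS = {
    ("business", "dmz"), ("dmz", "ics"), ("vendor", "dmz"),
    ("management", "ics"), ("management", "dmz"),
}


def covers(outer, inner):
    """True if every packet matched by `inner` is already matched by `outer`."""
    return all(outer[f] == "any" or outer[f] == inner[f] for f in FIELDS)


def is_default_deny(rule):
    return rule["action"] == "deny" and all(rule[f] == "any" for f in FIELDS)


def audit(rules, approved=APPROVED_PATHS):
    """Return (rule_name, finding_kind, detail) tuples for a top-down rule base."""
    findings = []
    for i, rule in enumerate(rules):
        name = rule["name"]
        if rule["action"] == "allow":
            wild = [f for f in FIELDS if rule[f] == "any"]
            if wild:
                findings.append((name, "wildcard", "allow rule uses 'any' for " + ",".join(wild)))
            pair = (rule["src"], rule["dst"])
            if "any" not in pair and pair not in approved:
                findings.append((name, "unapproved_path", f"{pair[0]}->{pair[1]} is not an approved zone pair"))
        # A rule fully covered by an earlier rule can never match; an allow that
        # shadows a later deny is the dangerous case, a duplicate allow is the noisy one.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((name, "shadowed", f"never matched; covered by earlier rule {earlier['name']}"))
                break
    if not rules or not is_default_deny(rules[-1]):
        findings.append(("<policy>", "no_default_deny", "rule base does not end with an explicit deny any/any"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit(RULES):
        print(f"{name:24s} {kind:16s} {detail}")
```

Real policies express zones through address objects and interfaces rather than a literal zone field, so the first step in practice is the object-to-zone mapping; once that exists, the same four checks apply. Treat a shadowed rule as a change-management question (who added the broader rule, and was it approved) rather than just a cleanup item.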
Analyst notes and limits
This take is based on the ATT&CK ICS asset A0016 Firewall and the supplied relationships showing many ICS techniques targeting this asset. The object is an asset, not a technique, and ATT&CK lists no tactics and no official detection guidance. The most defensible use of this object is to drive control validation: segmentation, remote access governance, administrative monitoring, vulnerability exposure review, and IR readiness for a critical ICS boundary device.
ATT&CK does not provide official detection content for this asset, and the supplied relationships do not prove that any specific environment is exposed, compromised, or monitored. Local architecture, firewall product capabilities, rule sets, remote access design, logging configuration, and operational safety requirements are required to determine actual risk and coverage.
Firewall
How security teams should use this page
Treat this object as behavior context, not an attribution claim. An asset lists the techniques that target it; validate those related techniques, and any groups, software, data sources, and mitigations linked through them, against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0871 | Execution through API | Execution through API targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0822 | External Remote Services | External Remote Services targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0893 | Data from Local System | Data from Local System targets this object. |
| ICS | T0883 | Internet Accessible Device | Internet Accessible Device targets this object. |
| ICS | T0823 | Graphical User Interface | Graphical User Interface targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T1693.001 | System Firmware Sub-technique | System Firmware targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0853 | Scripting | Scripting targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0819 | Exploit Public-Facing Application | Exploit Public-Facing Application targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0807 | Command-Line Interface | Command-Line Interface targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 2f9e18f0e1ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: A0016
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.