A0017: Distributed Control System (DCS) Controller
A Distributed Control System (DCS) Controller is a microprocessor unit that is used to manage automation processes. DCS Controllers are often found in plants (chemical, manufacturing, oil and gas, etc.) where large-scale continuous automation processes are required. A DCS Controller typically operates as part of a larger networked system with other DCS Controllers, where each DCS Controller manages an individual part of a continuous process. In addition to these other controllers, DCS Controllers operate alongside multiple other system components, including system software, operator stations, and other embedded field controllers. The distributed nature of DCS Controllers provides scalability, redundancy, and improved process reliability. DCS Controllers are programmed using traditional process automation programming languages (IEC 61131).
Analyst context for executives and security teams
A DCS Controller is a core embedded control asset for large, continuous industrial processes such as chemical, manufacturing, oil and gas, and similar plant environments. Its business importance is not just that it runs automation logic, but that many ATT&CK ICS techniques target it for discovery, program changes, parameter changes, I/O manipulation, denial of service, restart/shutdown, and firmware-update-state abuse. For leaders, this asset should be treated as a resilience and safety-relevant control point where weak visibility, unmanaged engineering access, or unverified change control can create material operational risk.
Executive priority
Prioritize DCS Controller protection where interruption or unauthorized change could affect continuous operations, safety response, production quality, or regulatory evidence. Executives should ask whether the organization can prove who can reach controllers, who can change controller logic or parameters, whether engineering workstation activity is monitored, and whether incident responders have a safe plan for validating controller state without disrupting the process. Budget decisions should favor asset inventory, controlled remote access, network visibility, change governance, and recovery readiness for controller programs and configurations.
Technical view
SOC, detection engineering, and IR teams should validate visibility around embedded DCS Controllers and their surrounding DCS ecosystem: operator stations, engineering workstations, system software, other controllers, and field controllers. The relationship set shows the material behaviors to monitor: process-state monitoring; automated collection; network sniffing; remote system discovery and port scanning; program upload and program download, including the online edit, download all, and append variants; parameter and alarm-setting changes; controller tasking changes; I/O manipulation; device restart/shutdown; denial of service; firmware update mode activation; and use of external remote services. Because ATT&CK provides no official detection text for this asset, coverage must be proven locally through controller-aware network telemetry, engineering software logs where available, remote access records, configuration/change records, and operator or historian evidence.
Likely telemetry
- DCS asset inventory and network topology showing embedded controllers and communicating systems
- Network traffic between controllers, operator stations, engineering workstations, historians, OPC-related services, and remote access gateways
- Engineering workstation activity involving program upload, program download, online edit, program append, parameter changes, tasking changes, and alarm-setting changes
- Controller mode, restart, shutdown, firmware update mode, and availability/state indicators where available
- Historian, operator station, and process-state records that can corroborate unexpected I/O or parameter behavior
Detection direction
- Baseline normal controller communications and engineering workflows before tuning alerts; DCS environments often have scheduled maintenance and legitimate engineering changes that can look sensitive without change-window context.
- Correlate program upload/download, online edit, append, parameter, tasking, and alarm changes with approved work orders and known engineering workstations.
- Monitor for discovery and collection behaviors targeting controllers, including network sniffing, connection enumeration, port scanning, OPC/historian-related process-state access, and automated collection patterns.
- Treat unexpected restart, shutdown, firmware update mode, loss of response, high request volume, or unsupported requests as operationally significant signals requiring coordination with control engineers.
- Validate remote access paths into the control environment, because external remote services are explicitly related to this asset and can become a decision point for initial access and privileged engineering activity.
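One way to implement the correlation the two bullets above describe (engineering changes checked against known engineering workstations and approved change windows, with restart/shutdown/firmware-update-mode treated as significant on their own), as an added example that is not part of the page or of ATT&CK. Hostnames, controller names, work-order ids and the event format are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Engineering actions that should be correlated with approved work orders.
CHANGE_ACTIONS = {"program_upload", "program_download", "online_edit", "program_append",
                  "parameter_change", "tasking_change", "alarm_setting_change"}
# Controller state transitions that are significant regardless of change-window context.
STATE_ACTIONS = {"restart", "shutdown", "firmware_update_mode"}

@dataclass(frozen=True)
class WorkOrder:
    order_id: str
    controller: str
    workstation: str
    start: datetime
    end: datetime

def classify(event, authorized_workstations, work_orders):
    """Verdict for one engineering-activity event (dict with ts, src, controller, action)."""
    action = event["action"]
    if action in STATE_ACTIONS:
        return "state_change"           # coordinate with control engineers before acting
    if action not in CHANGE_ACTIONS:
        return "ignore"
    if event["src"] not in authorized_workstations:
        return "unauthorized_source"    # change from a host that should never program controllers
    ts = datetime.fromisoformat(event["ts"])
    for wo in work_orders:
        if (wo.controller == event["controller"] and wo.workstation == event["src"]
                and wo.start <= ts <= wo.end):
            return "approved:" + wo.order_id
    return "unapproved_change"          # known workstation, but outside any change window

def triage(events, authorized_workstations, work_orders):
    """Classify every event; returns (event, verdict) pairs for the review queue."""
    return [(e, classify(e, authorized_workstations, work_orders)) for e in events]

# Constructed sample data (hypothetical hostnames, controller names and order ids).
AUTHORIZED_EWS = {"ews-01", "ews-02"}
WORK_ORDERS = [WorkOrder("WO-1042", "dcs-ctl-07", "ews-01",
                         datetime(2024, 5, 3, 8, 0), datetime(2024, 5, 3, 12, 0))]
EVENTS = [
    {"ts": "2024-05-03T09:15:00", "src": "ews-01", "controller": "dcs-ctl-07", "action": "program_download"},
    {"ts": "2024-05-03T14:40:00", "src": "ews-01", "controller": "dcs-ctl-07", "action": "online_edit"},
    {"ts": "2024-05-03T10:05:00", "src": "ops-hmi-3", "controller": "dcs-ctl-07", "action": "parameter_change"},
    {"ts": "2024-05-03T10:06:00", "src": "ews-02", "controller": "dcs-ctl-07", "action": "firmware_update_mode"},
    {"ts": "2024-05-03T10:07:00", "src": "ews-02", "controller": "dcs-ctl-07", "action": "read_status"},
]
```

In a real deployment the event dicts would come from engineering-software logs or controller-aware network telemetry, and the work orders from the change-control system the mitigation section calls for.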
Mitigation priorities
- Establish and maintain authoritative inventory of DCS Controllers, their roles in the continuous process, and their authorized communication paths.
- Restrict and review remote access to control-system networks, especially external remote services used for administration or vendor support.
- Limit controller programming, upload/download, online edit, append, parameter, tasking, and alarm-change capabilities to authorized engineering systems and personnel.
- Implement change-control evidence for controller logic, configuration, parameters, alarms, and firmware-related states so detection teams can distinguish approved work from suspicious activity.
- Segment and monitor controller networks to reduce unnecessary exposure to scanning, sniffing, automated collection, and denial-of-service conditions.
Analyst notes and limits
This object is an ATT&CK ICS asset, not a technique. Its value is in prioritizing defenses around a high-consequence control component and interpreting the many related techniques that target it. The supplied relationships emphasize both intelligence-gathering behaviors and process-impacting changes, so cross-functional review with operations, engineering, SOC, and incident response is essential.
MITRE provides no official detection text, tactics, aliases, or labels for this object. The only platform listed in the supplied fields is Embedded. The related technique descriptions are partial in some cases, and local controller vendor, architecture, logging, and safety-process details are required before making control or detection conclusions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T1693.001 | System Firmware Sub-technique | System Firmware targets this object. |
| ICS | T0843.003 | Program Append Sub-technique | Program Append targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T1693 | Modify Firmware | Modify Firmware targets this object. |
| ICS | T0845 | Program Upload | Program Upload targets this object. |
| ICS | T0802 | Automated Collection | Automated Collection targets this object. |
| ICS | T1692.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0848 | Rogue Master | Rogue Master targets this object. |
| ICS | T1691.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0878 | Alarm Suppression | Alarm Suppression targets this object. |
| ICS | T0871 | Execution through API | Execution through API targets this object. |
| ICS | T0843.002 | Online Edit Sub-technique | Online Edit targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0821 | Modify Controller Tasking | Modify Controller Tasking targets this object. |
| ICS | T0835 | Manipulate I/O Image | Manipulate I/O Image targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0838 | Modify Alarm Settings | Modify Alarm Settings targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T0843 | Program Download | Program Download targets this object. |
| ICS | T0886 | Remote Services | Remote Services targets this object. |
| ICS | T0822 | External Remote Services | External Remote Services targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0843.001 | Download All Sub-technique | Download All targets this object. |
| ICS | T1692 | Unauthorized Message | Unauthorized Message targets this object. |
| ICS | T1693.002 | Module Firmware Sub-technique | Module Firmware targets this object. |
| ICS | T0889 | Modify Program | Modify Program targets this object. |
| ICS | T1691.001 | Command Message Sub-technique | Command Message targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T0858 | Change Operating Mode | Change Operating Mode targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T1691 | Block Operational Technology Message | Block Operational Technology Message targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0861 | Point & Tag Identification | Point & Tag Identification targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T0801 | Monitor Process State | Monitor Process State targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0800 | Activate Firmware Update Mode | Activate Firmware Update Mode targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T1695.001 | Serial COM Sub-technique | Serial COM targets this object. |
| ICS | T0806 | Brute Force I/O | Brute Force I/O targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0877 | I/O Image | I/O Image targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0836 | Modify Parameter | Modify Parameter targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T1692.002 | Reporting Message Sub-technique | Reporting Message targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0868 | Detect Operating Mode | Detect Operating Mode targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | dc7a7374d965… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: A0017 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.