Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1900: Analytic 1900

Monitor ICS automation network protocols for functions related to reading an asset’s operating mode. In some cases, there may be multiple ways to detect a device’s operating mode, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.

ICSAN1900AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because an ICS asset’s operating mode can be operationally sensitive: knowing or probing whether equipment is in a particular mode may precede or accompany activity that affects process availability or safety. The practical decision point is whether the organization can see how operating mode is queried on automation networks, and whether it can distinguish normal engineering or monitoring behavior from unusual ways of checking that mode.

Executive priority

For security and operations leaders, this is a cyber-physical visibility question rather than a generic IT alert. Prioritize confirming that SOC and OT teams have agreed visibility into ICS automation protocol activity, understand the normal method used in the environment to read device operating mode, and can investigate deviations without disrupting operations. This can support incident response readiness, operational resilience, and compliance evidence around monitoring of critical control-system networks.

Technical view

MITRE describes monitoring ICS automation network protocols for functions related to reading an asset’s operating mode, with attention to cases where multiple protocol functions or methods can reveal the same mode and only one is normally used in production. SOC, detection engineering, and OT teams should baseline expected operating-mode read behavior by asset, protocol, engineering workstation, HMI, historian, or other authorized source where applicable, then look for unexpected query methods, unusual sources, timing, or destination assets. No platforms, tactics, relationships, or formal detection logic were supplied, so implementation must be based on local ICS protocol knowledge and environment-specific baselines.

Likely telemetry

  • ICS automation network protocol logs or packet captures
  • Network sensor metadata for OT/ICS segments
  • Protocol function codes or service requests related to operating-mode reads
  • Source and destination asset identity for engineering workstations, HMIs, controllers, and monitoring systems where locally known
  • Timing, frequency, and sequence of operating-mode queries

Detection direction

  • Validate whether current OT network monitoring can parse the relevant ICS automation protocols deeply enough to identify operating-mode read functions or equivalent methods.
  • Establish the normal method used in the operational environment to check operating mode, then alert or review when alternative methods appear.
  • Tune detections with OT operations input to avoid flagging legitimate engineering, commissioning, maintenance, or vendor-support activity as malicious by default.
  • Look for deviations by source, destination, function, timing, or frequency rather than relying only on the existence of an operating-mode read.
  • Document blind spots where traffic is encrypted, not mirrored to sensors, not parsed, or where asset identity is incomplete.

Mitigation priorities

  • Start with OT asset and communication-baseline validation: know which systems are expected to query operating mode and by what method.
  • Ensure passive monitoring or other approved collection exists on relevant ICS network paths before building alerts.
  • Restrict and review access to systems that can query control assets, using existing OT change-control and remote-access governance where applicable.
  • Create an investigation playbook that involves both SOC and operations personnel before taking response actions that could affect process continuity.
  • Use detection results as evidence for monitoring coverage and control-system security governance, while acknowledging that local protocol and process context is required.
Analyst notes and limits

This is an ATT&CK ICS detection analytic, AN1900, focused on monitoring for unexpected ways of reading an asset’s operating mode over ICS automation protocols. The strongest use is as a validation prompt for OT visibility, baselining, and SOC/operations coordination rather than as a ready-made rule.

The supplied ATT&CK object provides no platform, tactic, relationship context, or official detection logic. It does not identify specific protocols, assets, adversaries, impacts, or exploitation activity. Local architecture, protocol parsing capability, and OT operational baselines are required before this can become a reliable detection.

Official MITRE ATT&CK definition

Analytic 1900

Monitor ICS automation network protocols for functions related to reading an asset’s operating mode. In some cases, there may be multiple ways to detect a device’s operating mode, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
ffa3e798f2d106a5...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle ffa3e798f2d1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1900
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use