MITRE ATT&CK® Detection Strategy

DET0779: Detection of Loss of Safety


Domain: ICS | ID: DET0779 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0779 is an ICS detection strategy for identifying potential Loss of Safety behavior: compromise or degradation of safety functions intended to keep an industrial process in a safe state when dangerous conditions occur. For executives and plant/security leaders, the practical issue is not just cyber intrusion; it is whether the organization can recognize when safety protections may no longer respond quickly enough to prevent serious operational or physical consequences.

Executive priority

Treat this as a high-consequence validation area for cyber-physical resilience. Leaders should ask whether safety-related events, safety system state changes, and process conditions are visible to the SOC or incident response process, and whether evidence exists for audits and post-incident decisions. Because the ATT&CK object provides no platform, tactic, or official detection logic, priority should be on confirming local coverage around the related technique T0880, not assuming generic IT monitoring will detect it.

Technical view

SOC, OT security, and IR teams should map this strategy to local safety system architecture and the related ATT&CK technique Loss of Safety. Validate whether monitoring can distinguish expected safety operations, maintenance, testing, bypasses, trips, inhibited functions, abnormal process states, and unauthorized or unexpected changes affecting safety functions. Detection engineering should be built from site-specific baselines and engineering context because the official detection field is not provided.

Likely telemetry

  • Safety system alarms, trips, inhibits, bypasses, overrides, and status changes where available
  • Engineering workstation or safety controller configuration/change records where collected
  • Historian or process data showing unsafe or abnormal process conditions
  • Operator action logs and maintenance/testing records used to explain legitimate safety activity
  • OT network or asset communications involving safety-related devices where monitored

Detection direction

  • Validate that safety-related telemetry is collected, retained, time-synchronized, and accessible to OT/SOC responders before relying on this strategy.
  • Tune detections with engineering-approved baselines so legitimate proof testing, maintenance windows, and process upsets do not create excessive false positives.
  • Correlate safety function state changes with process conditions and authorized work records; isolated alerts may lack enough context to determine risk.
  • Look for blind spots where safety systems are segmented, proprietary, manually inspected, or excluded from centralized monitoring.
  • Because the MITRE object does not include official detection analytics, derive local logic from the related Loss of Safety technique and site-specific safety requirements.
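The correlation the bullets above call for (safety-function state change, authorizing work record, concurrent process condition, and whether an authorized degradation was ever restored) is shown below as an added example. It is not MITRE detection content and not Glexia's tooling; it assumes a hypothetical flat event format with fields such as `sif`, `action`, `trip_limit` and work-order references, and every record in it is constructed. Real deployments would map site telemetry (safety system alarms, engineering workstation change logs, historian samples, maintenance records) into these shapes and substitute engineering-approved limits and windows.

```python
"""Correlate safety-function changes with work orders and process state.

Added illustration, not an official ATT&CK analytic. All field names,
tag names, limits and sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Actions that degrade a safety function's ability to act, and actions that
# return it to service (hypothetical vocabulary; map your own event codes here).
DEGRADING = {"bypass", "inhibit", "override", "logic_change"}
RESTORING = {"restore", "enable"}


@dataclass
class SafetyEvent:
    ts: datetime
    sif: str      # safety instrumented function id (hypothetical tag naming)
    action: str
    source: str   # station that issued the change


@dataclass
class WorkOrder:
    sif: str
    start: datetime
    end: datetime
    ref: str


@dataclass
class ProcessSample:
    ts: datetime
    sif: str          # SIF whose trip condition this variable feeds
    value: float
    trip_limit: float


@dataclass
class Finding:
    ts: datetime
    sif: str
    action: str
    severity: str
    reason: str


def find_work_order(ev: SafetyEvent, orders: List[WorkOrder]) -> Optional[WorkOrder]:
    """Return the work order that authorizes this change, if any."""
    for o in orders:
        if o.sif == ev.sif and o.start <= ev.ts <= o.end:
            return o
    return None


def abnormal_process(ev: SafetyEvent, samples: List[ProcessSample], window: timedelta) -> bool:
    """True if the process variable behind this SIF reached its trip limit near the change."""
    return any(s.sif == ev.sif and abs(s.ts - ev.ts) <= window and s.value >= s.trip_limit
               for s in samples)


def restored_within(order: WorkOrder, events: List[SafetyEvent]) -> bool:
    return any(e.sif == order.sif and e.action in RESTORING and order.start <= e.ts <= order.end
               for e in events)


def assess(events: List[SafetyEvent], orders: List[WorkOrder], samples: List[ProcessSample],
           window: timedelta = timedelta(minutes=15)) -> List[Finding]:
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in DEGRADING:
            continue
        order = find_work_order(ev, orders)
        upset = abnormal_process(ev, samples, window)
        if order and not upset:
            sev, why = "info", f"covered by {order.ref}"
        elif order and upset:
            sev, why = "medium", f"covered by {order.ref} but process at/above trip limit"
        elif not order and not upset:
            sev, why = "high", "no authorizing work order"
        else:
            sev, why = "critical", "no work order and process at/above trip limit"
        findings.append(Finding(ev.ts, ev.sif, ev.action, sev, why))
    # An authorized degradation that is never restored before the work order closes
    # leaves the function silently out of service; report it separately.
    for o in orders:
        touched = any(e.sif == o.sif and e.action in DEGRADING and o.start <= e.ts <= o.end
                      for e in events)
        if touched and not restored_within(o, events):
            findings.append(Finding(o.end, o.sif, "unrestored", "high",
                                    f"{o.ref} ended without a restore event"))
    return findings


def _t(h: int, m: int) -> datetime:
    return datetime(2024, 5, 6, h, m)  # constructed date


# Constructed sample telemetry for one shift.
EVENTS = [
    SafetyEvent(_t(8, 5), "SIF-101", "bypass", "EWS-1"),
    SafetyEvent(_t(9, 30), "SIF-101", "restore", "EWS-1"),
    SafetyEvent(_t(13, 20), "SIF-202", "inhibit", "EWS-2"),
    SafetyEvent(_t(15, 0), "SIF-303", "bypass", "EWS-1"),
    SafetyEvent(_t(16, 10), "SIF-404", "logic_change", "EWS-3"),
]
ORDERS = [
    WorkOrder("SIF-101", _t(8, 0), _t(10, 0), "WO-2211"),
    WorkOrder("SIF-404", _t(16, 0), _t(17, 0), "WO-2212"),
]
SAMPLES = [
    ProcessSample(_t(8, 10), "SIF-101", 42.0, 80.0),
    ProcessSample(_t(13, 25), "SIF-202", 81.5, 80.0),
    ProcessSample(_t(15, 5), "SIF-303", 40.0, 80.0),
]

if __name__ == "__main__":
    for f in assess(EVENTS, ORDERS, SAMPLES):
        print(f"{f.ts:%H:%M} {f.sif:8} {f.action:13} {f.severity:9} {f.reason}")
```

Run as a script it prints one line per finding: the SIF-101 bypass is informational because WO-2211 covers it and the process was normal, the SIF-202 inhibit is critical because nobody authorized it and the variable crossed its trip limit minutes later, the SIF-303 bypass is high with no work order, and WO-2212 produces an "unrestored" finding because the logic change was never followed by a restore. The severity matrix and the 15-minute window are placeholders to be replaced with site engineering judgement.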

Mitigation priorities

  • Prioritize inventory and ownership of safety-related assets, data sources, and change-control evidence.
  • Ensure safety system changes, bypasses, inhibits, testing, and maintenance activities are formally authorized and reviewable.
  • Establish OT incident response procedures that include engineering, operations, and safety stakeholders for rapid triage of suspected safety degradation.
  • Validate backup, comparison, and restoration processes for safety logic/configuration where applicable.
  • Use tabletop or controlled validation exercises to confirm that SOC and plant teams can recognize and escalate Loss of Safety indicators without disrupting operations.

Analyst notes and limits

This take is based on the ATT&CK detection strategy DET0779 and its relationship to ICS technique T0880, Loss of Safety. The strongest decision value is in using the object as a prompt to verify cyber-physical monitoring, engineering context, and response readiness rather than as a ready-made analytic.

The supplied ATT&CK object has no official description, no official detection text, no tactics, and no platforms. Recommendations therefore remain high-level and must be validated against the local ICS architecture, safety system design, available telemetry, and operational procedures.

Official MITRE ATT&CK definition

Detection of Loss of Safety

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name           | Relationship / procedure
ICS    | T0880 | Loss of Safety | This object detects Loss of Safety.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in the mirrored object)
Modified: (not present in the mirrored object)
Raw hash: d529f1980ae45623...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | d529f1980ae4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0779 (source URL on attack.mitre.org)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.