MITRE ATT&CK® Detection Strategy

DET0903: Detection of Block Operational Technology Message

ICS | DET0903 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0903 is an ICS ATT&CK detection strategy for identifying behavior related to blocking operational technology messages. The business significance is that OT processes depend on timely reporting telemetry and command messages; if those messages are interrupted, operators may lose visibility or control needed to maintain safe and reliable operations.

Executive priority

Treat this as an operational resilience and cyber-physical risk question rather than only a SOC alerting problem. Leaders should ask whether critical OT message paths are known, monitored, and recoverable, and whether incident responders can distinguish malicious blocking from communications faults or maintenance activity. Because ATT&CK provides no platform, tactic, or detection details for this object, prioritization should be driven by local process criticality and the business consequence of losing reporting or command messages.

Technical view

The only supplied relationship is that DET0903 detects T1691, Block Operational Technology Message, in the ICS domain. SOC, OT security, and IR teams should validate whether they can observe failures or abnormal gaps in communications between systems and devices that carry process telemetry or control commands. Detection engineering should focus on evidence of message interruption across known OT communication paths, while accounting for benign causes such as outages, configuration changes, maintenance windows, or network instability.

Likely telemetry

  • OT/ICS network communications metadata between systems and devices
  • Message timing, loss, gaps, retries, or failed delivery indicators for reporting and command traffic
  • Process telemetry availability and freshness indicators
  • Control command delivery or acknowledgement records where available
  • Network device, firewall, gateway, or segmentation control logs relevant to OT paths

Detection direction

  • Map critical reporting and command message flows before tuning detections; without an asset and process baseline, message blocking can look like normal noise or infrastructure failure.
  • Correlate communication loss with process telemetry gaps and command acknowledgement failures to reduce false positives.
  • Separate planned maintenance, network changes, and known outages from unexplained interruption of OT message paths.
  • Because the ATT&CK object does not provide official detection logic or platforms, validate coverage in the local OT architecture rather than assuming generic IT monitoring is sufficient.
  • Use the relationship to T1691 as the analytic anchor: the detection should help identify conditions where messages between OT systems and devices fail to reach their intended destination.
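
The gap-plus-correlation logic described in this list, as an added example (not Glexia's or MITRE's code): a per-device telemetry period baseline, suppression of planned maintenance windows, and escalation only when a command to the same device also went unacknowledged. The event format, device names, periods, tolerance factor and maintenance window are all constructed assumptions.

```python
"""Gap-and-correlation check for suspected OT message blocking (T1691).
Added example, not Glexia's or MITRE's code; all formats, names,
tolerances and windows below are constructed assumptions."""
from dataclasses import dataclass

@dataclass
class Event:
    ts: float        # seconds since epoch (constructed)
    device: str      # OT endpoint the flow is associated with
    kind: str        # "telemetry" or "command"
    ok: bool = True  # telemetry: delivered; command: acknowledged

BASELINE = {"plc-01": 5.0, "plc-02": 5.0, "rtu-07": 30.0}  # expected period (s)
GAP_FACTOR = 3.0  # silence longer than 3x the period counts as message loss
MAINTENANCE = [("plc-02", 1000.0, 1500.0)]  # (device, start, end) planned outages

def in_maintenance(device, ts, windows=MAINTENANCE):
    return any(d == device and s <= ts <= e for d, s, e in windows)

def detect_blocking(events, now, baseline=BASELINE, windows=MAINTENANCE):
    """Return {device: severity} for devices whose reporting telemetry has
    gone silent beyond tolerance outside a maintenance window; severity is
    'high' when a command to the same device also went unacknowledged
    during the silent period (the correlation the text recommends)."""
    last_seen = {}
    for e in events:
        if e.kind == "telemetry" and e.ok:
            last_seen[e.device] = max(last_seen.get(e.device, 0.0), e.ts)
    findings = {}
    for device, period in baseline.items():
        last = last_seen.get(device, 0.0)  # never seen counts as silent since t=0
        if now - last <= GAP_FACTOR * period:
            continue  # reporting within tolerance
        if in_maintenance(device, now, windows):
            continue  # planned outage explains the silence
        failed_cmds = [e for e in events if e.device == device
                       and e.kind == "command" and not e.ok and e.ts > last]
        findings[device] = "high" if failed_cmds else "medium"
    return findings

# Constructed sample: plc-01 stops reporting at t=1200 and a command at t=1230
# gets no acknowledgement; plc-02 is silent but under maintenance; rtu-07 is fine.
SAMPLE = [Event(1195.0, "plc-01", "telemetry"), Event(1200.0, "plc-01", "telemetry"),
          Event(1230.0, "plc-01", "command", ok=False),
          Event(1190.0, "plc-02", "telemetry"), Event(1280.0, "rtu-07", "telemetry")]

if __name__ == "__main__":
    print(detect_blocking(SAMPLE, now=1300.0))  # {'plc-01': 'high'}
```

Once the maintenance window for plc-02 has expired, the same silent device is raised at medium severity, which is the "unexplained interruption" case the list distinguishes from planned work.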

Mitigation priorities

  • Prioritize documentation of critical OT message paths and dependencies for processes where loss of visibility or control would affect safety, production, or continuity.
  • Ensure monitoring exists at points that can observe both reporting telemetry and command message delivery status.
  • Define incident response procedures for suspected OT message blocking, including coordination between SOC, OT operations, engineering, and site leadership.
  • Maintain change and maintenance records so defenders can quickly distinguish authorized communications interruptions from suspicious activity.
  • Review segmentation, access control, and resilience controls around critical OT communications, using local architecture and risk assessments to determine priority.

Analyst notes and limits

This take is based on the detection strategy object DET0903 and its relationship to ICS technique T1691, Block Operational Technology Message. The supplied ATT&CK fields do not include an official description, official detection text, tactics, or platforms, so recommendations are framed as validation questions and telemetry classes rather than specific analytics.

Source detail is sparse. ATT&CK does not specify platforms, tactics, detection logic, data sources, or mitigation guidance for this detection strategy in the supplied fields. Local OT architecture, process criticality, communication protocols, and available logging are required to determine practical detection coverage and priority.

Official MITRE ATT&CK definition

Detection of Block Operational Technology Message

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name                                   | Relationship / procedure
ICS    | T1691 | Block Operational Technology Message   | This object detects Block Operational Technology Message.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided in the mirrored object)
Modified: (not provided in the mirrored object)
Raw hash: db43d2a0d5c5a9f7...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | db43d2a0d5c5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0903 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.