M0801: Access Management
Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. [1] These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. [2]
Analyst context for executives and security teams
Access Management (M0801) matters in ICS because many field devices may not provide strong user identification, authentication, or authorization on their own. MITRE describes using in-line network devices or gateway systems tied to an authentication service to verify users before allowing access. For business leaders, this is a control that helps reduce the chance that unauthorized or compromised access can reach engineering functions, controller modes, firmware update functions, remote services, or sensitive process information.
Executive priority
Prioritize this where unauthorized access to control-system functions could affect safety, production continuity, or incident response decisions. The relationship set shows this mitigation is relevant to high-consequence ICS behaviors such as device restart/shutdown, firmware modification/update mode, program download/upload, alarm setting changes, operating mode changes, remote services, valid accounts, and insecure credentials. It also supports compliance evidence aligned to IEC 62443 SR/CR 2.1 and NIST SP 800-53 Rev. 5 AC-3 by demonstrating that access decisions are enforced rather than assumed at the endpoint.
Technical view
For SOC, IR, OT engineering, and IAM teams, the key validation question is whether access to ICS assets and engineering functions is actually mediated by an access management point, especially where field devices lack native authentication or authorization. Validate authentication-service integration, authorization policy enforcement, and gateway coverage for remote access, engineering workstations, PLC/controller interactions, firmware/update workflows, API-driven functions, and access paths used for program upload/download or operating-mode changes. Because ATT&CK provides no detection guidance for this mitigation, local architecture, asset inventory, and control-path mapping are required to determine where coverage exists or where users can bypass the gateway.
Likely telemetry
- Authentication service logs for successful and failed user verification events
- Access gateway or in-line network device allow/deny logs
- Remote access session records for ICS environments
- Engineering workstation activity related to vendor programming software where available
- Controller or device management events for mode changes, program upload/download, firmware update activity, restart/shutdown, and alarm setting changes where available
Detection direction
- Do not treat the presence of an access gateway as detection coverage; validate that logs are generated, retained, monitored, and correlated with authentication decisions.
- Tune monitoring around denied access, repeated failed verification, access outside approved maintenance windows, and authenticated sessions that attempt sensitive engineering functions.
- Map protected and unprotected paths to controllers, field devices, engineering workstations, remote services, and authentication services; bypass paths are the material blind spot for this mitigation.
- Correlate identity events with ICS change events such as program download/upload, online edit, operating mode change, firmware update mode, restart/shutdown, and alarm setting modification.
- Account for legitimate maintenance activity to reduce false positives; many related behaviors can be authorized during planned engineering work.
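The correlations above can be exercised on paper, but the bypass-path question only becomes concrete when authentication, gateway and device-management events are joined by source, target and time. The script below is an added example written for this page; it is not MITRE's or Glexia's code and the three log lists, the asset names, the source addresses and the one-hour session lifetime are all constructed assumptions. It flags repeated failed verification per user, attributes each sensitive controller change to the authenticated gateway session that covers it, and reports changes that no allowed session accounts for, which is the blind spot the bullets describe.

```python
"""Correlate authentication, gateway and ICS change telemetry for M0801 coverage checks.

All events below are constructed sample data, not from the page or any real site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication-service log: (timestamp, user, result)
AUTH_EVENTS = [
    ("2024-03-04T08:00:10", "eng_alice", "success"),
    ("2024-03-04T08:02:00", "contractor_bob", "fail"),
    ("2024-03-04T08:02:07", "contractor_bob", "fail"),
    ("2024-03-04T08:02:15", "contractor_bob", "fail"),
    ("2024-03-04T08:02:21", "contractor_bob", "fail"),
    ("2024-03-04T08:02:30", "contractor_bob", "fail"),
    ("2024-03-04T08:30:00", "eng_dave", "fail"),
]

# Constructed gateway allow/deny log: (timestamp, user, source IP, target asset, decision)
GATEWAY_EVENTS = [
    ("2024-03-04T08:00:12", "eng_alice", "10.1.5.20", "plc-07", "allow"),
    ("2024-03-04T08:02:31", "contractor_bob", "10.1.5.31", "plc-12", "deny"),
]

# Constructed controller/device management events: (timestamp, target asset, source IP, function)
ICS_CHANGE_EVENTS = [
    ("2024-03-04T08:05:00", "plc-07", "10.1.5.20", "program_download"),       # inside alice's session
    ("2024-03-04T08:40:00", "plc-12", "10.1.9.44", "change_operating_mode"),  # no gateway session at all
    ("2024-03-04T09:30:00", "plc-07", "10.1.5.20", "firmware_update_mode"),   # session lifetime exceeded
    ("2024-03-04T08:06:00", "plc-07", "10.1.5.20", "read_points"),            # not a sensitive function
]

# Functions corresponding to the high-consequence behaviours linked to M0801 (assumed naming).
SENSITIVE_FUNCTIONS = {
    "program_download", "program_upload", "online_edit", "program_append",
    "change_operating_mode", "firmware_update_mode", "modify_firmware",
    "device_restart_shutdown", "modify_alarm_settings",
}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def failed_auth_bursts(auth_events, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed verifications inside any span of length `window`."""
    failures = defaultdict(list)
    for stamp, user, result in auth_events:
        if result == "fail":
            failures[user].append(_ts(stamp))
    flagged = set()
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def attribute_sensitive_changes(gateway_events, change_events, session_ttl=timedelta(hours=1)):
    """For each sensitive ICS change, find the latest *allowed* gateway session from the same
    source to the same target within `session_ttl` before the change.
    user=None means no mediating session was found: a bypass-path candidate."""
    allowed = sorted(
        (_ts(stamp), src, dst, user)
        for stamp, user, src, dst, decision in gateway_events
        if decision == "allow"
    )
    attributed = []
    for stamp, dst, src, function in change_events:
        if function not in SENSITIVE_FUNCTIONS:
            continue
        when = _ts(stamp)
        user = None
        for g_time, g_src, g_dst, g_user in allowed:
            if g_src == src and g_dst == dst and timedelta(0) <= when - g_time <= session_ttl:
                user = g_user          # later qualifying sessions overwrite earlier ones
        attributed.append({"time": stamp, "target": dst, "source": src,
                           "function": function, "user": user})
    return attributed


def unmediated_changes(gateway_events, change_events, session_ttl=timedelta(hours=1)):
    """Sensitive changes that no authenticated gateway session accounts for."""
    return [f for f in attribute_sensitive_changes(gateway_events, change_events, session_ttl)
            if f["user"] is None]


def run_checks():
    """Run all correlations over the constructed telemetry and return the findings."""
    return {
        "failed_auth_bursts": failed_auth_bursts(AUTH_EVENTS),
        "unmediated": unmediated_changes(GATEWAY_EVENTS, ICS_CHANGE_EVENTS),
        "attributed": attribute_sensitive_changes(GATEWAY_EVENTS, ICS_CHANGE_EVENTS),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

On the constructed data the burst check flags only contractor_bob (five failures in 30 seconds; eng_dave's single failure stays below threshold), the program download to plc-07 is attributed to eng_alice, and two changes come back unmediated: the mode change on plc-12, whose source never passed the gateway, and the firmware update mode entry on plc-07, which happened long after alice's session should have lapsed. In a real deployment the session lifetime and the source/target join keys must match how your gateway actually binds sessions to traffic; if it rewrites source addresses, join on the gateway's own session identifier instead.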
Mitigation priorities
- Inventory ICS assets and access paths where devices lack sufficient native user identification, authentication, or authorization.
- Place enforcement as close to the control path as practical using in-line network devices or gateway systems where supported by architecture and operations.
- Integrate access enforcement with an authentication service and define authorization policies for users, service accounts, remote access, engineering functions, and maintenance workflows.
- Prioritize controls around functions linked by ATT&CK relationships: firmware changes, controller mode changes, program upload/download, remote services, alarm changes, and device restart/shutdown.
- Review and reduce exposure from valid accounts, default credentials, hardcoded credentials, and other insecure credential conditions where feasible.
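The second, third and fourth priorities come together in the decision the gateway makes on every request: who the authentication service says the user is, which controllers that identity may reach, which functions its roles grant, and whether a state-changing function falls inside an approved maintenance window. The following is an added example, not code from MITRE, Glexia or any gateway product; the role table, asset inventory, identity records and maintenance windows are constructed assumptions. It shows a deny-by-default evaluation in which service accounts are confined to read-only functions and remote access is a per-identity grant.

```python
"""Deny-by-default authorization decision for an in-line ICS access gateway.

Policy, users, assets and windows below are constructed for illustration, not from the page.
"""
from dataclasses import dataclass
from datetime import datetime

# Role -> functions the role may invoke on a field controller (assumed function names).
ROLE_FUNCTIONS = {
    "operator": {"read_points"},
    "engineer": {"read_points", "program_upload", "program_download", "online_edit",
                 "change_operating_mode"},
    "firmware_admin": {"read_points", "firmware_update_mode", "modify_firmware",
                       "device_restart_shutdown"},
    "historian_svc": {"read_points"},           # service-account role: read-only by design
}

# Functions that alter device state, logic or programs and therefore also need an approved window.
CHANGE_FUNCTIONS = {
    "program_download", "online_edit", "program_append", "change_operating_mode",
    "firmware_update_mode", "modify_firmware", "device_restart_shutdown", "modify_alarm_settings",
}

# Asset inventory: zone membership scopes which identities may reach which controllers.
ASSETS = {
    "plc-07": {"zone": "line1"},
    "plc-12": {"zone": "line2"},
}

# Identity attributes as the gateway sees them after the authentication service has verified the user.
USERS = {
    "eng_alice":     {"roles": {"engineer"},       "zones": {"line1"},          "remote_ok": False},
    "vendor_carol":  {"roles": {"firmware_admin"}, "zones": {"line1", "line2"}, "remote_ok": True},
    "svc_historian": {"roles": {"historian_svc"},  "zones": {"line1", "line2"}, "remote_ok": False},
}

# Approved maintenance windows per asset: list of (start, end) in ISO 8601.
MAINTENANCE_WINDOWS = {
    "plc-07": [("2024-03-04T08:00:00", "2024-03-04T12:00:00")],
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool      # verification result reported by the authentication service
    asset: str
    function: str
    at: str                  # ISO 8601 timestamp of the request
    via_remote: bool         # arrived over a remote-access path (VPN, jump host, vendor link)


def in_maintenance_window(asset: str, at: str) -> bool:
    """True if `at` falls inside any approved window for `asset`; assets with none never qualify."""
    when = datetime.fromisoformat(at)
    return any(
        datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)
        for start, end in MAINTENANCE_WINDOWS.get(asset, [])
    )


def authorize(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if not req.authenticated:
        return False, "authentication not verified"
    user = USERS.get(req.user)
    asset = ASSETS.get(req.asset)
    if user is None or asset is None:
        return False, "unknown user or asset"
    if req.via_remote and not user["remote_ok"]:
        return False, "remote access not permitted for this identity"
    if asset["zone"] not in user["zones"]:
        return False, f"asset zone {asset['zone']} outside user scope"
    permitted = set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in user["roles"]))
    if req.function not in permitted:
        return False, f"function {req.function} not granted to roles {sorted(user['roles'])}"
    if req.function in CHANGE_FUNCTIONS and not in_maintenance_window(req.asset, req.at):
        return False, "change function outside approved maintenance window"
    return True, "allowed"


if __name__ == "__main__":
    sample = [
        AccessRequest("eng_alice", True, "plc-07", "program_download", "2024-03-04T09:00:00", False),
        AccessRequest("eng_alice", True, "plc-07", "program_download", "2024-03-04T13:00:00", False),
        AccessRequest("svc_historian", True, "plc-07", "program_download", "2024-03-04T09:00:00", False),
        AccessRequest("vendor_carol", True, "plc-12", "modify_firmware", "2024-03-04T09:00:00", True),
    ]
    for req in sample:
        print(req.user, req.asset, req.function, authorize(req))
```

The ordering of the checks matters for what the deny logs tell you: an unauthenticated or unknown identity is rejected before any policy lookup, so those denials cannot leak which assets or functions exist, while a verified engineer asking for a program download at 13:00 gets a reason that points straight at the missing maintenance window. Each denial reason is the line you want in the gateway's allow/deny log so that the detection side can distinguish a bypass attempt from a scheduling mistake.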
Analyst notes and limits
This is an ICS mitigation object, not a technique. Its value is strongest where legacy or field devices cannot independently enforce identity and authorization. The relationship context indicates broad relevance to preventing or constraining unauthorized access to sensitive control-system functions, but implementation details must be validated against the local OT architecture.
MITRE provides no official detection text, no specific platforms, and no tactic mapping for this object. The supplied data supports access-control and authorization guidance, but not claims of active exploitation, specific adversaries, guaranteed prevention, or complete detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques addressed
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0859 | Valid Accounts | Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ICS | T1694.001 | Default Credentials Sub-technique | Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access. |
| ICS | T1694.002 | Hardcoded Credentials Sub-technique | Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access. |
| ICS | T0845 | Program Upload | Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ICS | T0843.001 | Download All Sub-technique | Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ICS | T0868 | Detect Operating Mode | Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ICS | T1693.001 | System Firmware Sub-technique | All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| ICS | T0843.002 | Online Edit Sub-technique | Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ICS | T0858 | Change Operating Mode | Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ICS | T1693.002 | Module Firmware Sub-technique | All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| ICS | T1694 | Insecure Credentials | Ensure embedded controls and network devices are protected through access management, as these devices often have insecure credentials which could be used to gain unauthorized access. |
| ICS | T0800 | Activate Firmware Update Mode | All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| ICS | T0861 | Point & Tag Identification | Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ICS | T0886 | Remote Services | Access Management technologies can help enforce authentication on critical remote services; examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC). |
| ICS | T0843.003 | Program Append Sub-technique | Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ICS | T1693 | Modify Firmware | All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| ICS | T0816 | Device Restart/Shutdown | All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| ICS | T0843 | Program Download | Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS. |
| ICS | T0871 | Execution through API | Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. [1] These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. |
| ICS | T0838 | Modify Alarm Settings | All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9aed51a236c0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] McCarthy, J. et al. (July 2018). NIST SP 1800-2, Identity and Access Management for Electric Utilities. Retrieved 2020-09-17.
[2] Centre for the Protection of National Infrastructure (November 2010). Configuring and Managing Remote Access for Industrial Control Systems. Retrieved 2020-09-25.
[3] MITRE ATT&CK, mitigation object M0801 (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.