M0805: Mechanical Protection Layers
Utilize a layered protection design based on physical or mechanical protection systems to prevent damage to property, equipment, human safety, or the environment. Examples include interlocks, rupture disks, release valves, etc. [1]
Analyst context for executives and security teams
Mechanical protection layers are the last line of defense when an industrial process moves toward a dangerous physical state. For executives and risk owners, this mitigation matters because some cyber events in ICS environments can become safety, environmental, or equipment-damage events faster than people or digital controls can respond. Interlocks, rupture disks, relief valves, and similar mechanical protections help preserve safe failure behavior even when control-system functions are disrupted.
Executive priority
Prioritize this as an operational resilience and safety assurance control, not just an engineering detail. Leaders should ask whether critical processes have independent physical or mechanical safeguards for scenarios that could cause property damage or loss of safety, and whether those safeguards are included in risk reviews, incident response planning, audit evidence, and capital planning. The key business question is whether the organization can prevent or limit physical harm when digital monitoring, operator response, or control logic is insufficient.
Technical view
For SOC, IR, and OT engineering teams, this object provides mitigation context rather than detection logic. Validate that high-consequence ICS processes mapped to Damage to Property (T0879) and Loss of Safety (T0880) have documented mechanical protection layers and that responders understand their role during an incident. Because ATT&CK provides no detection guidance for M0805, coverage should be assessed through engineering documentation, safety design reviews, test records, maintenance evidence, and process hazard context rather than assuming cyber telemetry alone proves protection.
Likely telemetry
- Safety and engineering design documentation for interlocks, rupture disks, relief valves, and other mechanical protection systems
- Inspection, maintenance, calibration, and proof-test records for mechanical safeguards
- Process alarms, safety-system event logs, and historian data showing activation or abnormal process conditions where available
- Incident response and operations logs documenting protective action, equipment shutdown, or safe-state transitions
- Asset and process criticality records identifying systems where property damage or loss of safety could occur
Detection direction
- Do not treat M0805 as a cyber detection analytic; ATT&CK provides no official detection text for this mitigation.
- Validate whether SOC and IR playbooks identify when mechanical protection activation indicates a possible high-consequence ICS event.
- Correlate abnormal process conditions, safety events, and equipment protection activations with cyber and operational timelines when investigating potential T0879 or T0880 scenarios.
- Watch for blind spots where mechanical safeguards exist physically but are not represented in asset inventories, incident procedures, monitoring views, or audit evidence.
- Tune investigations to distinguish routine maintenance or authorized testing from unexpected protective-layer activation.
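The correlation and tuning steps in the list above can be prototyped as a small triage routine. This is an added example, not ATT&CK content or code from the original page; the safeguard tags, timestamps, record layouts and the 30-minute correlation window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real plant or product log format).
INVENTORY = {"PSV-101": "Reactor R1 relief valve", "IL-220": "Compressor C2 interlock"}
MAINTENANCE = [  # authorized proof tests: (safeguard, start, end)
    ("PSV-101", "2024-05-02T08:00", "2024-05-02T10:00"),
]
ACTIVATIONS = [  # safety-system / historian events: (safeguard, time)
    ("PSV-101", "2024-05-02T09:15"),
    ("IL-220", "2024-05-03T14:07"),
    ("RD-307", "2024-05-03T14:20"),   # rupture disk missing from INVENTORY
    ("PSV-101", "2024-05-04T22:40"),
]
CYBER_EVENTS = [  # SOC timeline: (time, summary)
    ("2024-05-03T13:52", "engineering workstation logic download to PLC-C2"),
]

def ts(s):
    return datetime.fromisoformat(s)

def triage(activations, maintenance, cyber_events, inventory, window_min=30):
    """Classify each protective-layer activation for investigation priority."""
    window = timedelta(minutes=window_min)
    results = []
    for tag, when in activations:
        t = ts(when)
        # Activation inside an authorized test window for the same safeguard.
        planned = any(m == tag and ts(a) <= t <= ts(b) for m, a, b in maintenance)
        # Cyber events within the window on either side of the activation.
        nearby = [msg for ct, msg in cyber_events if abs(ts(ct) - t) <= window]
        if planned:
            verdict = "authorized-test"
        elif nearby:
            verdict = "investigate-cyber-correlated"
        else:
            verdict = "unexpected-activation"
        # in_inventory=False marks the blind spot: a safeguard that acted
        # physically but is not represented in the asset records.
        results.append({"safeguard": tag, "time": when, "verdict": verdict,
                        "in_inventory": tag in inventory, "cyber_context": nearby})
    return results

if __name__ == "__main__":
    for r in triage(ACTIVATIONS, MAINTENANCE, CYBER_EVENTS, INVENTORY):
        print(r)
```

An `unexpected-activation` verdict still warrants an operational review; it only means no cyber event fell inside the chosen window.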
Mitigation priorities
- Identify processes where damage to property or loss of safety would create unacceptable business, human safety, environmental, or operational consequences.
- Confirm layered protection design includes appropriate physical or mechanical safeguards such as interlocks, rupture disks, or relief valves where engineering analysis supports them.
- Maintain evidence that safeguards are inspected, tested, and managed through change control.
- Ensure incident response and operations teams understand which mechanical protections are expected to act independently of digital control functions.
- Use the mitigation as part of broader ICS safety and resilience planning rather than as a substitute for secure control systems, monitoring, or operator procedures.
Analyst notes and limits
This is an ICS mitigation with a safety and physical-process focus. Its decision value is strongest for organizations operating industrial processes where cyber compromise of control or safety functions could contribute to property damage or unsafe conditions. The relationship context links it specifically to Damage to Property (T0879) and Loss of Safety (T0880).
ATT&CK does not specify platforms, tactics, or detection guidance for this object. The description is high level, so local engineering analysis is required to determine which mechanical protection layers are appropriate, whether they are independent enough for the risk scenario, and what evidence proves they are maintained and effective.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0880 | Loss of Safety | Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) |
| ICS | T0879 | Damage to Property | Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b2b1e2161283… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004. APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511. Retrieved 2020/09/17.
- [2] mitre-attack M0805
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.