M0811: Redundancy of Service
Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.
Analyst context for executives and security teams
Redundancy of Service is an ICS resilience control: critical devices and services should have backups or hot-standby capability so operations are not dependent on a single HMI, controller path, service, or device. Its business value is continuity during conditions that deny operators control or visibility, reduce availability, or block responder access through credential changes.
Executive priority
Treat this as an operational resilience and audit-evidence priority, not only an engineering preference. Leaders should ask which industrial services are business-critical, whether redundant devices or services are actually available and tested, and whether evidence exists for continuity planning aligned to NIST SP 800-53 Rev. 5 CP-9. The control is most material where loss of view, loss of control, or loss of availability could interrupt product or service delivery or require local hands-on recovery.
Technical view
For SOC, IR, OT engineering, and resilience teams, validate redundancy around the ATT&CK-related failure modes: Denial of Control, Denial of View, Loss of Availability, Loss of Control, Loss of View, and Change Credential. Because ATT&CK provides no detection text and no specific platform list for M0811, coverage should be assessed through local architecture and operational evidence: identify critical ICS devices and services, confirm backup or hot-standby designs, test failover behavior, and verify operators can maintain visibility and control when primary systems or credentials are unavailable.
Likely telemetry
- ICS asset inventory and criticality records for devices and services with redundant or standby counterparts
- Failover, switchover, heartbeat, and service-health logs from redundant ICS components where available
- HMI, workstation, database, engineering workstation, and control-service availability events
- Network communication status between operator interfaces, control sources, and control devices
- Operator alarm, event, and historian records showing loss or restoration of view/control
Detection direction
- Do not treat redundancy itself as a detection. Validate monitoring that proves redundant services are healthy before an incident and that alerts when primary or standby components are unavailable.
- Tune alerting around loss of communication, loss of operator visibility, failed control interactions, service unavailability, and unexpected credential changes affecting management access.
- Correlate availability events with operator reports and engineering change records to reduce false positives from planned maintenance, testing, or authorized failover.
- Look for blind spots where standby systems exist but are not monitored, not patched/configured equivalently, not reachable during segmentation events, or require credentials that may be changed or unavailable during response.
- Use relationship context to prioritize detections that distinguish temporary denial of view/control from sustained loss of view/control requiring local intervention.
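The checks in this list can be expressed as one classification pass over heartbeat data. The following is an added example, not part of ATT&CK or of this page's source; the service and node names, the 30-second heartbeat timeout, the 5-minute "sustained" cut-off, and the sample records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

STALE = timedelta(seconds=30)     # assumed heartbeat timeout
SUSTAINED = timedelta(minutes=5)  # assumed cut-off: temporary denial vs sustained loss

def assess(pairs, last_seen, maintenance, now):
    """Classify each redundant pair from last-heartbeat times at `now`."""
    result = {}
    for service, members in pairs.items():
        down, unplanned, unseen = [], 0, 0
        for node in members:
            seen = last_seen.get(node)
            if seen is None:
                unseen += 1                  # never reported: monitoring blind spot
            elif now - seen > STALE:
                down.append(now - seen)
                window = maintenance.get(node)
                if not (window and window[0] <= now <= window[1]):
                    unplanned += 1           # no change record covers this outage
        if unseen:
            result[service] = "unmonitored_member"
        elif len(down) == len(members) and unplanned:
            # The service outage began when the last member went quiet.
            outage = min(down)
            result[service] = "sustained_loss" if outage >= SUSTAINED else "temporary_denial"
        elif unplanned:
            result[service] = "redundancy_degraded"
        elif down:
            result[service] = "planned_maintenance"
        else:
            result[service] = "healthy"
    return result

# Constructed sample data (not from any real plant).
NOW = datetime(2025, 1, 1, 12, 0, 0)
ago = lambda **kw: NOW - timedelta(**kw)
PAIRS = {"hmi-view": ("hmi-a", "hmi-b"), "historian": ("hist-a", "hist-b"),
         "io-server": ("io-a", "io-b"), "alarm-server": ("alm-a", "alm-b"),
         "eng-db": ("db-a", "db-b")}
LAST_SEEN = {"hmi-a": ago(seconds=5), "hmi-b": ago(minutes=10),
             "hist-a": ago(seconds=5),                     # hist-b never reports
             "io-a": ago(minutes=8), "io-b": ago(minutes=6),
             "alm-a": ago(minutes=2), "alm-b": ago(minutes=1),
             "db-a": ago(seconds=5), "db-b": ago(minutes=20)}
MAINTENANCE = {"db-b": (ago(minutes=30), ago(minutes=-30))}

if __name__ == "__main__":
    for service, status in assess(PAIRS, LAST_SEEN, MAINTENANCE, NOW).items():
        print(f"{service:13} {status}")
```

A standby in a maintenance window does not suppress the alert if its partner then fails outside any window: the pair is reported as an outage, not as planned maintenance.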
Mitigation priorities
- Inventory critical ICS devices and services and identify where loss of control, view, or availability would disrupt operations.
- Prioritize redundancy for the most critical control and visibility paths, including backup devices or hot-standby services where operationally appropriate.
- Define and test failover procedures, including operator decision points, manual-operation requirements, and recovery roles.
- Maintain evidence for backup, standby, and recovery testing to support continuity and compliance expectations such as NIST SP 800-53 Rev. 5 CP-9.
- Ensure credential-management and break-glass procedures support access to primary and redundant components during incident response.
Analyst notes and limits
M0811 is a mitigation in the ICS ATT&CK domain. The official description is concise and centers on backup devices or hot-standbys for critical ICS devices and services. Its relationship context makes the control especially relevant to loss or denial of operator control, loss or denial of operator view, loss of availability, and credential changes that could block access.
ATT&CK provides no official detection guidance, tactics, platforms, aliases, or detailed implementation requirements for this mitigation. Local architecture, engineering constraints, safety requirements, and recovery testing are required to determine what redundancy is feasible and whether it actually reduces operational risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0827 | Loss of Control | Hot-standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine) |
| ICS | T0829 | Loss of View | Hot-standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine) |
| ICS | T0813 | Denial of Control | Hot-standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine) |
| ICS | T0826 | Loss of Availability | Hot-standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine) |
| ICS | T0892 | Change Credential | Retain cold-standby or replacement hardware of similar models to ensure continued operations of critical functions if the primary system is compromised or unavailable. (Citation: M. Rentschler and H. Heine) |
| ICS | T0815 | Denial of View | Hot-standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4ee4a187b32c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M0811
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.