M0930: Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. [1] [2]
Analyst context for executives and security teams
Network Segmentation matters in ICS because many high-consequence actions depend first on reaching sensitive control assets, engineering functions, remote services, or OT protocols. The business value is not just “better network design”; it is reducing the chance that exposure from internet-facing services, enterprise networks, remote access paths, or transient assets can become direct access to process control systems.
Executive priority
Treat this as a resilience and governance control. Leaders should ask whether critical process control systems are grouped into defensible zones, whether access between zones is limited to required conduits, and whether internet-facing services are contained in a DMZ rather than exposed to internal control networks. The supplied ATT&CK labels also make this useful for compliance evidence against IEC 62443 SR/CR 5.1 and NIST SP 800-53 AC-3.
Technical view
For SOC, IR, and OT engineering teams, the validation point is whether segmentation actually restricts traffic needed for the related ICS techniques: external remote services, public-facing application exposure, discovery, network sniffing, OPC-style collection, program upload/download, operating mode changes, device restart/shutdown, rogue master activity, and use of standard protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and Modbus. ATT&CK provides no detection text for this mitigation, so teams should evaluate control enforcement and monitoring at zone boundaries rather than assume detection coverage.
Likely telemetry
- Network zone and conduit diagrams or asset inventory showing critical systems, engineering workstations, DMZ services, enterprise networks, and process control networks
- Firewall, router, ACL, and segmentation policy configurations
- Firewall and boundary device allow/deny logs between enterprise, DMZ, remote access, and ICS zones
- Remote access gateway or VPN connection logs where external remote services are used
- Network flow records or packet metadata for OT and standard application protocols crossing zone boundaries
Detection direction
- Validate that monitoring exists at segmentation boundaries, not only on enterprise endpoints.
- Baseline approved traffic between zones and tune alerts for new conduits, unexpected protocols, or unexpected source/destination pairs involving critical process control systems.
- Review whether broadcast, multicast, port scan, and protocol enumeration activity can be observed within and across ICS zones.
- Correlate remote service access with any subsequent connections into engineering or control zones.
- Expect false positives during authorized maintenance, firmware work, engineering changes, and vendor support; require change context rather than suppressing all such activity.
Mitigation priorities
- Identify critical systems, functions, and resources, then group systems with similar security requirements into zones.
- Restrict traffic between zones through defined conduits and allow only required systems and services.
- Place internet-facing services in a DMZ rather than exposing internal control networks.
- Prevent enterprise networks or unrelated business functions from directly accessing critical process control systems unless explicitly required and controlled.
- Prioritize segmentation around remote access, engineering workstations, PLC/controller access paths, and protocols used for control, discovery, and management.
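As an added illustration of the detection direction and mitigation priorities above (not code from the ATT&CK page), the script below baselines approved conduits between IEC 62443-style zones and flags flow records that cross a boundary without a defined conduit, use a protocol or port not approved on that conduit, or involve an address outside any known zone. The zone CIDRs, conduit allowlist and flow records are all constructed examples.

```python
import csv
import io
import ipaddress

# Hypothetical IEC 62443-style zones, keyed by CIDR (constructed values).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "engineering": ipaddress.ip_network("10.3.0.0/24"),
    "control": ipaddress.ip_network("10.4.0.0/24"),
}

# Approved conduits: (src_zone, dst_zone) -> allowed (proto, dst_port) pairs; a pair with no entry has no conduit.
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},                       # web front end in DMZ
    ("dmz", "engineering"): {("tcp", 3389)},                     # jump host RDP to EWS
    ("engineering", "control"): {("tcp", 502), ("tcp", 20000)},  # Modbus, DNP3
    ("control", "control"): {("tcp", 502), ("tcp", 20000), ("tcp", 4840)},  # + OPC UA
}

def zone_of(ip):
    """Return the zone name for an address, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate_flows(flow_text):
    """Return (src, dst, proto, dport, reason) for each CSV flow outside the conduit baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_text)):
        src_zone, dst_zone = zone_of(row["src"]), zone_of(row["dst"])
        proto, dport = row["proto"].lower(), int(row["dport"])
        key = (src_zone, dst_zone)
        if src_zone is None or dst_zone is None:
            reason = "address outside any defined zone"
        elif src_zone == dst_zone and key not in CONDUITS:
            continue  # intra-zone traffic with no explicit conduit policy is not a boundary crossing
        elif key not in CONDUITS:
            reason = f"no conduit defined from {src_zone} to {dst_zone}"
        elif (proto, dport) not in CONDUITS[key]:
            reason = f"{proto}/{dport} not approved on {src_zone}->{dst_zone} conduit"
        else:
            continue  # approved flow on an approved conduit
        findings.append((row["src"], row["dst"], proto, dport, reason))
    return findings

# Constructed sample flow records crossing zone boundaries (not real telemetry).
SAMPLE_FLOWS = """src,dst,proto,dport
10.2.0.10,10.3.0.15,tcp,3389
10.3.0.15,10.4.0.7,tcp,502
10.1.5.20,10.4.0.7,tcp,502
10.3.0.15,10.4.0.7,tcp,23
10.4.0.7,10.4.0.9,udp,20000
192.168.50.5,10.4.0.7,tcp,502
"""
```

Findings from `evaluate_flows(SAMPLE_FLOWS)` are the candidates for alerting; during authorized maintenance, match them against change records rather than suppressing the rule.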
Analyst notes and limits
The relationship set shows this mitigation is broadly relevant across ICS behaviors involving initial access, discovery, collection, remote services, control protocol use, and engineering changes. Its practical value depends on whether segmentation is enforced and monitored, not merely documented.
Platforms and tactics are not specified, and ATT&CK provides no official detection guidance for M0930. Local architecture, asset inventory, protocol use, and maintenance workflows are required to determine exact control gaps and telemetry needs.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0869 | Standard Application Layer Protocol | Ensure proper network segmentation between higher level corporate resources and the control process environment. |
| ICS | T1693.002 | Module Firmware Sub-technique | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0838 | Modify Alarm Settings | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T1693 | Modify Firmware | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0822 | External Remote Services | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host in the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. (Keith Stouffer, May 2015) |
| ICS | T0883 | Internet Accessible Device | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Periodically inventory internet-accessible devices to determine whether they differ from what is expected. |
| ICS | T0842 | Network Sniffing | Segment networks and systems appropriately to reduce access to critical system and services communications. |
| ICS | T1692.002 | Reporting Message Sub-technique | Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment. (Karen Scarfone; Paul Hoffman, September 2009; Keith Stouffer, May 2015; Department of Homeland Security, September 2016; Dwight Anderson, 2014) |
| ICS | T0830 | Adversary-in-the-Middle | Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Ensure proper network segmentation is followed to protect critical servers and devices. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Segment operational networks to isolate critical systems and devices that do not require broad network access. |
| ICS | T0816 | Device Restart/Shutdown | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0846.001 | Port Scan Sub-technique | Ensure proper network segmentation is followed to protect critical systems and devices. |
| ICS | T1695.001 | Serial COM Sub-technique | Restrict unauthorized devices from accessing serial comm ports. |
| ICS | T0886 | Remote Services | Segment and control software movement between business and OT environments by way of one-directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs), should have minimal connectivity to external networks, including Internet and email; further limit the extent to which these devices are dual-homed to multiple networks. (North America Transmission Forum, December 2019) |
| ICS | T0843.002 | Online Edit Sub-technique | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0806 | Brute Force I/O | Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment. (Karen Scarfone; Paul Hoffman, September 2009; Keith Stouffer, May 2015; Department of Homeland Security, September 2016; Dwight Anderson, 2014) |
| ICS | T0848 | Rogue Master | Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment. (Karen Scarfone; Paul Hoffman, September 2009; Keith Stouffer, May 2015; Department of Homeland Security, September 2016; Dwight Anderson, 2014) |
| ICS | T0866 | Exploitation of Remote Services | Segment networks and systems appropriately to reduce access to critical system and services communications. |
| ICS | T0845 | Program Upload | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0864 | Transient Cyber Asset | Segment and control software movement between business and OT environments by way of one-directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs), should have minimal connectivity to external networks, including Internet and email; further limit the extent to which these devices are dual-homed to multiple networks. (North America Transmission Forum, December 2019) |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Ensure proper network segmentation is followed to protect critical systems and devices. |
| ICS | T0843 | Program Download | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0843.001 | Download All Sub-technique | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0881 | Service Stop | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0802 | Automated Collection | Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC). |
| ICS | T1695.002 | Ethernet Sub-technique | Segment operational networks to isolate critical systems and devices that do not require broad network access. |
| ICS | T1693.001 | System Firmware Sub-technique | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T1695 | Block Communications | Segment operational networks to isolate critical systems and devices that do not require broad network access. |
| ICS | T0878 | Alarm Suppression | Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment. (Karen Scarfone; Paul Hoffman, September 2009; Keith Stouffer, May 2015; Department of Homeland Security, September 2016; Dwight Anderson, 2014) |
| ICS | T0885 | Commonly Used Port | Configure internal and external firewalls to block traffic using common ports associated with network protocols that may be unnecessary for that particular network segment. |
| ICS | T0861 | Point & Tag Identification | Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment. (Karen Scarfone; Paul Hoffman, September 2009; Keith Stouffer, May 2015; Department of Homeland Security, September 2016; Dwight Anderson, 2014) |
| ICS | T0843.003 | Program Append Sub-technique | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T1692 | Unauthorized Message | Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment. (Karen Scarfone; Paul Hoffman, September 2009; Keith Stouffer, May 2015; Department of Homeland Security, September 2016; Dwight Anderson, 2014) |
| ICS | T0858 | Change Operating Mode | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0868 | Detect Operating Mode | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0800 | Activate Firmware Update Mode | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Department of Homeland Security, September 2016) |
| ICS | T0819 | Exploit Public-Facing Application | Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure. |
| ICS | T1692.001 | Command Message Sub-technique | Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment. (Karen Scarfone; Paul Hoffman, September 2009; Keith Stouffer, May 2015; Department of Homeland Security, September 2016; Dwight Anderson, 2014) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | e85a4895dc49… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] IEC, February 2019. Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components. Retrieved 2020/09/25.
[2] IEC, August 2013. Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels. Retrieved 2020/09/25.
[3] mitre-attack M0930.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.