MITRE ATT&CK® Mitigation

M0941: Encrypt Sensitive Information

Protect sensitive data-at-rest with strong encryption.

ICS | M0941 | Mitigation | Object v1.1 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Encrypting sensitive data at rest matters in ICS because operational designs, schematics, project files, local configuration data, firmware packages, and repository data can materially improve an adversary’s ability to understand or manipulate an environment. For leaders, this is not just a privacy control; it is a resilience control that reduces the value of stolen engineering and operational information if repositories, local systems, or transient assets are accessed.

Executive priority

Prioritize encryption where loss of confidentiality would expose control system layouts, device/process details, operational schedules, project files, or firmware-related assets. This mitigation maps to compliance-oriented control language including IEC 62443 SR/CR 4.1 and NIST SP 800-53 SC-28, making it useful evidence for audit and risk governance. Executives should ask whether sensitive ICS data-at-rest is identified, encrypted, and governed consistently across corporate repositories, process-environment databases, local engineering systems, and transient assets.

Technical view

MITRE provides this as an ICS mitigation, not a detection analytic. SOC, IR, and engineering teams should validate encryption coverage for data stores and file locations implicated by the mitigated techniques: information repositories, local system sources, project files including Siemens project formats, operational information stores, transient assets, and firmware/package storage. Treat encryption as a confidentiality control; it does not by itself prove integrity, stop malicious project-file modification, or validate firmware trust.

Likely telemetry

  • Inventory of repositories, databases, local file stores, project-file locations, firmware/package storage, and transient assets that contain sensitive ICS information
  • Encryption configuration and compliance state for data-at-rest locations
  • Access logs for sensitive repositories, local engineering systems, and operational information stores
  • Audit evidence for removable or transient asset storage handling where sensitive data may reside
  • Administrative records showing who can decrypt or access protected data

Detection direction

  • Because ATT&CK provides no official detection for this mitigation, measure control coverage rather than claiming adversary detection.
  • Tune monitoring around access to sensitive ICS repositories, local files, project files, and firmware stores, especially where encryption is absent or exceptions exist.
  • Watch for blind spots where engineering workstations, shared folders, portable/transient assets, backups, or exported project files fall outside encryption policy.
  • Separate confidentiality validation from integrity validation: encrypted storage may reduce exposure but does not necessarily detect infected project files or modified firmware.

Mitigation priorities

  • Identify sensitive ICS data-at-rest first, including operational information, schematics, diagrams, control layouts, project files, local configuration data, and firmware-related files.
  • Apply strong encryption to prioritized repositories, local systems, databases, backups, and transient storage that hold this data.
  • Validate that encryption exceptions are documented and risk accepted, especially for transient assets and engineering workflows.
  • Maintain audit-ready evidence aligned to IEC 62443 SR/CR 4.1 and NIST SP 800-53 SC-28 where applicable.
  • Pair encryption with separate access, integrity, and change-control processes where project files or firmware modification risk is material.
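
One way to measure control coverage per mitigated technique, as the detection direction and mitigation priorities above describe. This is an added example, not MITRE's or Glexia's code: the technique IDs come from this page's relationship table, while the asset names, the exception ID and the inventory structure are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Technique IDs and names as listed in this page's relationship table.
TECHNIQUES = {
    "T0893": "Data from Local System",
    "T0864": "Transient Cyber Asset",
    "T0811": "Data from Information Repositories",
    "T0873": "Project File Infection",
    "T0882": "Theft of Operational Information",
    "T1693": "Modify Firmware",
}

@dataclass(frozen=True)
class Location:
    name: str            # hypothetical asset or data store name
    techniques: tuple    # ATT&CK IDs this store is exposed to
    encrypted: bool      # data-at-rest encryption verified in place
    exception: str = ""  # risk-acceptance record ID, empty if none

# Constructed sample inventory; real input would come from asset and data-classification records.
INVENTORY = [
    Location("historian-db", ("T0811", "T0882"), True),
    Location("eng-laptop-07", ("T0864", "T0893", "T0873"), False),
    Location("project-share", ("T0873", "T0811"), False, "RA-0001"),
    Location("firmware-store", ("T1693",), True),
    Location("usb-backup-03", ("T0864", "T0882"), False),
]

def coverage_report(inventory):
    """Per technique: encrypted stores, documented exceptions, and undocumented gaps."""
    report = defaultdict(lambda: {"encrypted": 0, "excepted": 0, "gaps": []})
    for loc in inventory:
        for tid in loc.techniques:
            if tid not in TECHNIQUES:
                raise ValueError(f"{loc.name}: unknown technique {tid}")
            row = report[tid]
            if loc.encrypted:
                row["encrypted"] += 1
            elif loc.exception:
                row["excepted"] += 1   # unencrypted, but risk accepted on record
            else:
                row["gaps"].append(loc.name)
    return dict(report)

def undocumented_gaps(inventory):
    """Unencrypted locations with no exception record: the blind spots to close first."""
    return sorted(l.name for l in inventory if not l.encrypted and not l.exception)
```

The report measures confidentiality coverage only; it says nothing about project-file or firmware integrity, which needs separate controls.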

Analyst notes and limits

The relationship set shows this mitigation reducing exposure across ICS data collection, operational information theft, transient assets, project-file infection, and firmware-related techniques. Its decision value is highest where sensitive engineering and operational artifacts are broadly stored or moved between environments.

The ATT&CK object has no platforms, tactics, or official detection text. Local asset inventories, data classification, encryption implementation details, and access evidence are required to judge real coverage. Encryption at rest should not be interpreted as guaranteed prevention of theft, tampering, persistence, or firmware compromise.

Official MITRE ATT&CK definition

Encrypt Sensitive Information

Protect sensitive data-at-rest with strong encryption.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0893 | Data from Local System | Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citations: Keith Stouffer, May 2015; National Institute of Standards and Technology, April 2013) |
| ICS | T0864 | Transient Cyber Asset | Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. (Citation: National Institute of Standards and Technology, April 2013) |
| ICS | T0811 | Data from Information Repositories | Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citations: Keith Stouffer, May 2015; National Institute of Standards and Technology, April 2013) |
| ICS | T1693.001 | System Firmware (Sub-technique) | The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware. |
| ICS | T0873 | Project File Infection | When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology, April 2013) |
| ICS | T0882 | Theft of Operational Information | Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP). |
| ICS | T1693 | Modify Firmware | The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware. |
| ICS | T0873.001 | Siemens Project File Format (Sub-technique) | When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology, April 2013) |
| ICS | T1693.002 | Module Firmware (Sub-technique) | The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 50a5564767d2ca27...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 50a5564767d2… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack M0941

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.