MITRE ATT&CK® Tactic

TA0105: Impact

The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.

Impact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage Impair Process Control techniques, which often manifest in more self-revealing impacts on operations, or Impair Process Control techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary’s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

Loss of Productivity and Revenue, Theft of Operational Information, and Damage to Property are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.

ICS | TA0105 | Tactic | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Impact in ICS is the point where cyber activity can translate into operational disruption, manipulated processes, damaged equipment, lost productivity, revenue loss, or theft of operational information. For leaders, this tactic matters because it connects security events to business continuity, safety-adjacent operations, and cyber-physical risk rather than only IT compromise.

Executive priority

Treat this as a resilience and consequence-management priority. The key executive question is not only “can we detect an intrusion?” but “would we know quickly if control system operations, safeguards, alarms, devices, data integrity, or production processes were being manipulated or interrupted?” Budget and governance should prioritize visibility, incident response plans, recovery procedures, and evidence that operational and security teams can jointly recognize and manage ICS impact scenarios.

Technical view

Because the ATT&CK object provides no specific platforms or detection guidance, SOC, OT, and IR teams should validate coverage around the outcomes described by the tactic: disruption, manipulation, destruction, or compromise of control system operations, processes, devices, and data. Detection engineering should focus on correlating control-system state changes, operator observations, alarms, process anomalies, device availability, and security telemetry where available. Analysts should also consider that some impact may be immediate and obvious, while other changes may leave processes appearing normal while being altered over time.

Likely telemetry

  • Control system event and alarm records
  • Historian or process data showing operational state changes
  • Operator workstation and engineering workstation activity logs where available
  • Controller, device, or process availability and health indicators
  • Change records for control logic, setpoints, configurations, and safety or alarm-related settings

Detection direction

  • Validate whether the organization can distinguish expected process variation from suspicious manipulation or interruption of ICS operations.
  • Tune monitoring to correlate cyber events with operational effects, not only isolated IT alerts.
  • Account for blind spots where impact is not directly detectable and must be inferred from associated adversary behavior or operational anomalies.
  • Include scenarios where processes appear to function normally but have been altered over a longer duration.
  • Use related outcome categories named by ATT&CK, such as loss of productivity and revenue, theft of operational information, and damage to property, as consequence lenses for detection and response exercises.
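
Added example, not part of the MITRE definition or Glexia's own material: two of the checks described above, run over constructed data. It flags setpoint writes that have no approved change record, and uses a one-sided CUSUM (a technique chosen here, not named by the page) to catch slow drift that never reaches a fixed alarm limit. Tag names, workstation names, time windows and thresholds are assumptions.

```python
"""Added example (not MITRE or Glexia code): flag setpoint writes that lack an
approved change record, and slow drift that never crosses an alarm limit.
All tags, hosts, thresholds and records below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed change-management records: (tag, approved window start, end)
CHANGES = [("FIC-101.SP", datetime(2024, 5, 1, 8, 0), datetime(2024, 5, 1, 10, 0))]

# Constructed setpoint-write events from a controller audit log
WRITES = [
    {"ts": datetime(2024, 5, 1, 9, 15), "tag": "FIC-101.SP", "value": 52.0, "src": "EWS-01"},
    {"ts": datetime(2024, 5, 3, 2, 40), "tag": "FIC-101.SP", "value": 55.0, "src": "EWS-02"},
    {"ts": datetime(2024, 5, 3, 2, 41), "tag": "TIC-220.SP", "value": 90.0, "src": "EWS-02"},
]

def unapproved_writes(writes, changes, grace=timedelta(minutes=15)):
    """Return writes that fall outside every approved window for their tag."""
    flagged = []
    for w in writes:
        ok = any(tag == w["tag"] and start - grace <= w["ts"] <= end + grace
                 for tag, start, end in changes)
        if not ok:
            flagged.append(w)
    return flagged

def cusum_drift(samples, baseline, slack, limit):
    """One-sided CUSUM: index where the cumulative upward deviation from the
    baseline exceeds `limit`, or None. Catches small sustained shifts that
    stay inside a fixed high-alarm threshold."""
    s = 0.0
    for i, x in enumerate(samples):
        s = max(0.0, s + (x - baseline - slack))
        if s > limit:
            return i
    return None

# Constructed historian values: baseline 50.0, high alarm at 60.0.
# Values creep upward by 0.5 per sample and never reach the alarm limit.
HISTORIAN = [50.0, 50.2, 49.9, 50.1] + [50.0 + 0.5 * k for k in range(1, 13)]
HIGH_ALARM = 60.0

if __name__ == "__main__":
    for w in unapproved_writes(WRITES, CHANGES):
        print("no change record:", w["ts"], w["tag"], w["src"])
    print("alarm tripped:", any(v >= HIGH_ALARM for v in HISTORIAN))
    print("drift index:", cusum_drift(HISTORIAN, 50.0, slack=0.5, limit=4.0))
```

The baseline, slack and limit have to come from process engineering knowledge for the loop in question; the values here only make the constructed series illustrate the point.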

Mitigation priorities

  • Prioritize consequence-driven incident response planning for ICS environments, including decision paths between security, operations, engineering, safety, and business leadership.
  • Establish and test recovery procedures for affected control operations, devices, data, and configurations.
  • Maintain trustworthy baselines for process behavior, control logic, alarms, safeguards, and operational data integrity where feasible.
  • Strengthen change governance and evidence collection around control system modifications and operational anomalies.
  • Use tabletop and technical exercises to test whether teams can identify, escalate, and contain suspected ICS impact without relying on a single alert source.

Analyst notes and limits

This is a tactic-level ICS ATT&CK object, so it describes adversary objectives and consequences rather than a single observable procedure. The official text explicitly notes that some impact techniques are not necessarily detectable on their own; associated behavior and operational effects provide the practical detection path.

No ATT&CK platforms, official detection guidance, aliases, labels, or relationship context were supplied. Local architecture, telemetry availability, process engineering knowledge, and operational baselines are required before making coverage, exposure, or risk claims.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 92f609f1763845b9...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 92f609f17638…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.