T0826: Loss of Availability
Adversaries may attempt to disrupt essential components or systems to prevent owners and operators from delivering products or services. [1] [2] [3]
Adversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.
In the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporarily halted on May 7th and were not fully restarted until May 12th. [4]
Analyst context for executives and security teams
Loss of Availability is an ICS-focused impact behavior where an adversary disrupts essential systems or components so the operator cannot reliably deliver products or services. For executives, the material issue is operational continuity: ransomware, destructive activity, or disruption of HMIs, workstations, databases, control systems, or supporting communications can turn a cyber incident into service interruption, safety escalation, customer impact, and regulatory scrutiny.
Executive priority
Treat this as a resilience and recovery priority, not only a SOC alerting problem. Leaders should ask whether critical operational services have tested redundancy, recoverable backups, alternate communications, and incident response procedures that work when normal control, view, or availability is impaired. The supplied ATT&CK relationships tie this behavior to public ICS campaigns and incidents, including electric power, PLC/HMI defacement, district heating disruption, and the Colonial Pipeline operational halt example, which makes it relevant to business continuity planning and evidence for audit or board-level risk discussions.
Technical view
ATT&CK provides no official detection text and no platform scope for T0826, so defenders should validate coverage through environment-specific ICS monitoring and incident response exercises. SOC and IR teams should focus on evidence of degradation or loss of essential services, destructive or encrypting activity affecting HMIs, engineering workstations, databases, or key servers, abnormal loss of control or view, and failures in communications paths. The related detection strategy DET0729 indicates ATT&CK recognizes a detection approach for Loss of Availability, but the supplied fields do not provide its detection logic; teams should therefore map local telemetry and runbooks to the availability outcomes they must detect and recover from.
Likely telemetry
- ICS asset availability and health status for HMIs, PLC-facing systems, engineering workstations, servers, and databases
- Operational alarms indicating loss of view, loss of control, or service interruption
- Endpoint and server events showing file deletion, encryption, service stoppage, or abnormal process behavior on critical systems
- Backup job status, restore-test evidence, and integrity of gold-copy images and configurations
- Network and communications availability logs, including failures affecting operator communications or control-system connectivity
Detection direction
- Validate that monitoring can distinguish cyber-driven loss of availability from routine equipment failure, maintenance, or process faults.
- Tune detections around availability-impacting outcomes: sudden service loss, inaccessible HMIs or workstations, database unavailability, mass file modification or deletion, and loss of operator view/control.
- Correlate SOC telemetry with operations data; cyber logs alone may miss the business impact if control-room or process telemetry is not integrated.
- Use the related public campaign context as scenario material for tabletop and detection validation, without assuming the same tools or actors are present locally.
- Because ATT&CK provides no official detection details for this object, document local assumptions, telemetry gaps, and escalation thresholds explicitly.
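As an added illustration of the correlation the list above calls for (this is not code from the ATT&CK object or from Glexia), the function below joins constructed asset-heartbeat telemetry with constructed endpoint file/service events on the same hosts, suppresses outages that fall inside a planned maintenance window, and separates outages that coincide with mass file modification or service stoppage from ones that need ordinary triage. Host names, timestamps, the maintenance window and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample telemetry: (timestamp, host, status) heartbeats from an
# asset-health monitor and (timestamp, host, event) records from endpoints.
# Hosts, times and the maintenance window are hypothetical.
HEARTBEATS = [
    ("2024-05-07 04:55:00", "HMI-01", "up"),
    ("2024-05-07 05:00:00", "HMI-01", "down"),
    ("2024-05-07 05:00:00", "HMI-02", "down"),      # planned maintenance
    ("2024-05-07 05:10:00", "HIST-DB-01", "down"),  # no endpoint evidence
]
ENDPOINT_EVENTS = [
    ("2024-05-07 04:56:%02d" % i, "HMI-01", "file_modified") for i in range(25)
] + [("2024-05-07 04:58:00", "HMI-01", "service_stopped")]
MAINTENANCE = {
    "HMI-02": (_ts("2024-05-07 04:30:00"), _ts("2024-05-07 06:00:00")),
}

def detect_loss_of_availability(heartbeats, events, maintenance,
                                lookback_min=10, mass_threshold=20):
    """Classify each 'down' heartbeat by the endpoint activity that preceded it."""
    findings = []
    for ts_s, host, status in heartbeats:
        if status != "down":
            continue
        ts = _ts(ts_s)
        window = maintenance.get(host)
        if window and window[0] <= ts <= window[1]:
            # Routine, scheduled work: suppress rather than page the SOC.
            findings.append((host, "suppressed_maintenance"))
            continue
        start = ts - timedelta(minutes=lookback_min)
        recent = [e for t, h, e in events if h == host and start <= _ts(t) <= ts]
        file_changes = sum(e in ("file_modified", "file_deleted") for e in recent)
        if file_changes >= mass_threshold or "service_stopped" in recent:
            # Outage preceded by destructive/encrypting activity on the host.
            findings.append((host, "suspected_cyber_driven"))
        else:
            # Outage with no cyber evidence: could be a process or hardware fault.
            findings.append((host, "unexplained_outage_triage"))
    return findings

if __name__ == "__main__":
    for host, verdict in detect_loss_of_availability(HEARTBEATS, ENDPOINT_EVENTS, MAINTENANCE):
        print(host, verdict)
```

The unexplained category is where control-room or process telemetry (loss of view, loss of control alarms) should be joined in before deciding whether the event is cyber-driven.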
Mitigation priorities
- Prioritize tested redundancy for critical ICS devices and services, including backup devices or hot-standby capabilities where appropriate, consistent with M0811.
- Maintain hardened, separated backups for end-user systems and critical servers, including gold-copy images and configurations, and regularly exercise restoration procedures, consistent with M0953.
- Establish out-of-band communications channels for operational coordination during communications failures or data integrity attacks, consistent with M0810.
- Integrate these controls into incident response plans so operations, IT, SOC, and executive decision-makers know how to sustain or safely restore service during availability loss.
- Use recovery-time objectives, restore-test results, and communications exercise outcomes as practical evidence for resilience, compliance readiness, and budget prioritization.
Analyst notes and limits
This ATT&CK object is broad and impact-oriented. Its value is in driving resilience validation: can the organization detect, communicate through, and recover from disruption to essential ICS-supported services? The most useful local analysis will come from mapping critical services to the systems, backups, communications paths, and operational procedures required to maintain or restore them.
The supplied ATT&CK fields do not specify tactics, platforms, aliases, or official detection text for T0826. Relationship descriptions provide useful context and mitigations, but they do not prove exposure, active exploitation, or detection coverage in any specific environment. Local architecture, process criticality, and telemetry availability are required to assess risk and control effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S0608: Conficker
C0031: Unitronics Defacement Campaign
The Unitronics Defacement Campaign was a collection of intrusions across multiple sectors by the CyberAv3ngers, in which threat actors engaged in seemingly opportunistic, global targeting and defacement of Unitronics Vision Series Programmable Logic Controllers (PLCs) with Human-Machine Interfaces (HMIs). These PLCs are commonly found in the water and wastewater, energy, food and beverage manufacturing, and healthcare sectors. The most notable feature of this attack was the defacement of the PLCs' HMIs.[1][2]
C0028: 2015 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
C0041: FrostyGoop Incident
The FrostyGoop Incident took place in January 2024 against a municipal district heating company in Ukraine. Following initial access via likely exploitation of external-facing services, FrostyGoop was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ef1a1b8100a0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Corero. Industrial Control System (ICS) Security. Retrieved 2019/11/04.
[2] Michael J. Assante and Robert M. Lee. The Industrial Control System Cyber Kill Chain. SANS Industrial Control System (ICS) Security. Retrieved 2024/11/25.
[3] Tyson Macaulay. RIoT Control: Understanding and Managing Risks and the Internet of Things. Retrieved 2019/11/04.
[4] Colonial Pipeline Company. (2021, May). Media Statement Update: Colonial Pipeline System Disruption. Retrieved 2021/10/08.
[5] mitre-attack. T0826.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.