T0831: Manipulation of Control
Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection.
Methods of Manipulation of Control include:
* Man-in-the-middle
* Spoof command message
* Changing setpoints
A Polish student used a remote controller device to interface with the Lodz city tram system in Poland. [1] [2] [3] Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. [2] The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. [3]
Analyst context for executives and security teams
Manipulation of Control is an ICS behavior where an adversary changes or issues commands that affect the physical process, such as setpoints, tags, parameters, or control messages. For executives, the material issue is not just cyber access; it is whether unauthorized digital commands can translate into unsafe or disruptive physical outcomes before operators notice.
Executive priority
Prioritize this as a cyber-physical resilience issue. Leadership should ask whether critical control commands are authenticated, whether operators can independently verify process state, whether alternate communications exist during integrity failures, and whether recovery images/configurations are ready for key control systems. The supplied ATT&CK relationships tie this technique to notable ICS campaign/software context, including Ukraine electric power activity, Stuxnet, and Industroyer, so it is relevant to risk discussions for environments where physical process control is safety- or continuity-critical.
Technical view
ATT&CK provides no official detection text and no platform scope for this technique, so SOC and IR teams should validate coverage from first principles and from related detection strategy DET0747. Focus on unauthorized or anomalous changes to setpoints, tags, parameters, and command messages; mismatches between expected operator actions and control network activity; and evidence of spoofed or replayed messages. Detection should be tested against normal operations, maintenance windows, and engineering changes to avoid confusing legitimate process control with malicious manipulation.
Likely telemetry
- Control network traffic showing command messages, replay-like patterns, or unexpected sender/receiver pairs
- Historian, HMI, SCADA, controller, or engineering workstation records of setpoint, tag, and parameter changes
- Operator action logs and maintenance/change records for comparison with observed control activity
- Controller/device event logs showing configuration or command activity where available
- Process safety, alarm, and event data indicating unexpected physical process changes
Detection direction
- Validate whether DET0747-style detection exists for command manipulation rather than only IT intrusion activity.
- Correlate control commands with authorized operator sessions, approved change windows, and expected process state.
- Tune for high-risk events such as setpoint changes, tag writes, parameter modifications, and commands from unusual hosts or communication paths.
- Account for false positives from legitimate maintenance, commissioning, failover, and emergency operations.
- Identify blind spots where legacy or unauthenticated protocols prevent reliable sender verification or message integrity checks.
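As an added example that is not part of the ATT&CK object or the Glexia analysis, the Python below prototypes the correlation checks above over constructed control-command log lines: writes from hosts outside an engineering/HMI allowlist, writes with neither an operator session nor an approved change window, and bursts of identical writes that look like a replayed capture. The log format, host names, allowlist, sessions and change window are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All hosts, windows, sessions and log lines below are constructed for this
# example; they are not from the ATT&CK object or any real environment.
AUTHORIZED_WRITERS = {"EWS-01", "HMI-02"}            # hosts allowed to issue writes
CHANGE_WINDOWS = [("PLC-7", "2024-03-05T11:00:00", "2024-03-05T12:00:00")]
OPERATOR_SESSIONS = [("EWS-01", "2024-03-05T09:30:00", "2024-03-05T10:30:00"),
                     ("HMI-02", "2024-03-05T10:00:00", "2024-03-05T12:00:00")]
REPLAY_COUNT, REPLAY_WINDOW = 3, timedelta(seconds=5)  # identical writes per window

# Hypothetical record layout: "<iso time> <src> <dst> <func> <tag> <value>"
SAMPLE_LOG = """\
2024-03-05T10:00:00 EWS-01 PLC-7 WRITE FLOW_SP 42.0
2024-03-05T10:05:00 HMI-02 PLC-7 READ FLOW_PV -
2024-03-05T10:10:00 LAPTOP-9 PLC-7 WRITE FLOW_SP 95.0
2024-03-05T10:12:00 HMI-02 PLC-7 WRITE PUMP_CMD 1
2024-03-05T10:12:01 HMI-02 PLC-7 WRITE PUMP_CMD 1
2024-03-05T10:12:02 HMI-02 PLC-7 WRITE PUMP_CMD 1
2024-03-05T11:15:00 EWS-01 PLC-7 WRITE PRESS_SP 7.5
"""

def _within(ts, start, end):
    return datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end)

def detect(log_text):
    """Return [(timestamp, src, reasons)] for write commands that fail a check."""
    alerts, recent = [], defaultdict(deque)   # recent: identical write -> timestamps
    for line in log_text.splitlines():
        ts_s, src, dst, func, tag, value = line.split()
        if func != "WRITE":                    # reads do not change the process
            continue
        ts, reasons = datetime.fromisoformat(ts_s), []
        if src not in AUTHORIZED_WRITERS:
            reasons.append("unauthorized source host")
        in_session = any(h == src and _within(ts, s, e) for h, s, e in OPERATOR_SESSIONS)
        in_window = any(d == dst and _within(ts, s, e) for d, s, e in CHANGE_WINDOWS)
        if not (in_session or in_window):      # legitimate maintenance passes here
            reasons.append("no operator session and outside change window")
        q = recent[(src, dst, tag, value)]
        q.append(ts)
        while q and ts - q[0] > REPLAY_WINDOW:  # keep only writes inside the window
            q.popleft()
        if len(q) >= REPLAY_COUNT:
            reasons.append("replay-like burst of identical writes")
        if reasons:
            alerts.append((ts_s, src, reasons))
    return alerts

if __name__ == "__main__":
    for ts, src, reasons in detect(SAMPLE_LOG):
        print(ts, src, "; ".join(reasons))
```

Expected process state (the third correlation the list names) is not modelled here; in practice the alert would also compare the written value against historian data for the same tag.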
Mitigation priorities
- Prioritize Communication Authenticity (M0802): use secure protocols or mechanisms that authenticate senders and verify message integrity where communications traverse untrusted networks.
- Maintain Out-of-Band Communications Channels (M0810) so operators can coordinate and validate operations during communication failures or data integrity attacks.
- Maintain hardened, separated backups and exercised recovery plans for critical systems and gold-copy configurations, consistent with Data Backup (M0953).
- Pair technical controls with operational procedures for independent verification of high-consequence control changes.
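The following Python is an added illustration, not ATT&CK's text or any ICS vendor's protocol, of what Communication Authenticity (M0802) buys against the capture-and-replay pattern in the tram incident: each command carries an HMAC-SHA256 over its body, sequence number included, so the receiver rejects tampered, forged and re-sent messages. The pre-shared key, message layout and device names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key for this example only (assumption, not from the page).
KEY = b"example-psk-not-for-production"
MAC_LEN = hashlib.sha256().digest_size   # 32-byte tag appended to every message

def build_command(seq, device, tag, value, key=KEY):
    """Serialize a write command and append an HMAC over the whole body."""
    body = json.dumps({"seq": seq, "device": device, "tag": tag, "value": value},
                      sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

class CommandReceiver:
    """Device-side check: verify the MAC, then require a strictly increasing sequence."""
    def __init__(self, key=KEY):
        self.key, self.last_seq, self.log = key, 0, []

    def accept(self, message):
        body, mac = message[:-MAC_LEN], message[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):     # spoofed or tampered message
            self.log.append("rejected: bad MAC")
            return False
        cmd = json.loads(body)
        if cmd["seq"] <= self.last_seq:                # captured-and-replayed message
            self.log.append(f"rejected: replayed seq {cmd['seq']}")
            return False
        self.last_seq = cmd["seq"]
        self.log.append(f"applied: {cmd['tag']}={cmd['value']}")
        return True

def demo():
    """One genuine command, the same bytes replayed, a tampered copy, a forgery, then the next genuine one."""
    rx = CommandReceiver()
    genuine = build_command(1, "PLC-7", "FLOW_SP", 42.0)
    tampered = genuine[:-MAC_LEN].replace(b"42.0", b"95.0") + genuine[-MAC_LEN:]
    results = [rx.accept(genuine),                                            # applied
               rx.accept(genuine),                                            # replay
               rx.accept(tampered),                                           # bad MAC
               rx.accept(build_command(2, "PLC-7", "FLOW_SP", 95.0, key=b"wrong-key")),
               rx.accept(build_command(2, "PLC-7", "FLOW_SP", 50.0))]         # applied
    return results, rx.log

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

A symmetric key shared by every device protects only against outsiders on the wire; key management and per-device keys are what make this hold up when one endpoint is compromised.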
Analyst notes and limits
The official object describes manipulation through man-in-the-middle activity, spoofed command messages, and setpoint changes, and cites the Lodz tram incident as an example of physical consequences from captured and replayed legitimate signals. Relationship context includes one detection strategy, three mitigations, one campaign, and two software objects, but the supplied technique record does not define tactics or platforms.
ATT&CK did not provide official detection guidance, platform scope, or tactic mapping for this object. This take therefore stays at the evidence and control-validation level; local architecture, ICS protocols, asset criticality, safety design, and logging availability are required to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S0604: Industroyer
Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]
S0603: Stuxnet
Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]
C0028: 2015 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 78450b404369… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] John Bill. (2017, May 12). Hacked Cyber Security Railways. Retrieved 2019/10/17.
[2] Shelley Smith. (2008, February 12). Teen Hacker in Poland Plays Trains and Derails City Tram System. Retrieved 2019/10/17.
[3] Bruce Schneier. (2008, January 17). Hacking Polish Trams. Retrieved 2019/10/17.
[4] mitre-attack. T0831.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.