MITRE ATT&CK® Technique

T0861: Point & Tag Identification

Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. [1] Tags are the identifiers given to points for operator convenience.

Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.

Domain: ICS. Object type: Technique, object version 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Point & Tag Identification matters because tags and point values are the “map legend” of an industrial process. If an adversary can collect them, they may better understand which measurements, outputs, alarms, and control variables correspond to real operations. For leadership, this is less about a single alert and more about whether OT systems expose enough process context to help an intruder plan more precise follow-on activity.

Executive priority

Treat this as an OT visibility and access-control risk. Executives and risk owners should ask whether HMIs, PLCs, RTUs, IEDs, historians, control servers, data gateways, safety controllers, DCS controllers, and PACs limit who can read point/tag information and whether access to that information is logged. The business concern is cyber-physical readiness: loss of confidentiality around process context can make incident response harder and can increase the precision of later manipulation, even when no immediate operational impact is observed.

Technical view

ATT&CK does not provide an official detection description for T0861, but a related detection strategy, DET0788 Detection of Point & Tag Identification, is mapped to it. SOC, OT security, and IR teams should validate whether they can see abnormal point/tag browsing, bulk reads, configuration access, historian queries, or control-system enumeration across the targeted ICS assets. Detection should be baselined against legitimate engineering, commissioning, maintenance, backup, and historian collection activity to avoid treating normal operations as malicious.

Likely telemetry

  • Protocol-aware OT network traffic showing reads, browse/enumeration behavior, or unusual access to process variables where supported
  • HMI, control server, historian, data gateway, and engineering/configuration access logs where available
  • Authentication and authorization logs for users, software processes, and devices accessing ICS data
  • Firewall, gateway, segmentation, allowlist, and protocol-filtering logs between enterprise, DMZ, and control networks
  • Configuration/project file access records that may expose tag databases or point mappings

Detection direction

  • Confirm DET0788-aligned monitoring exists for point/tag identification behavior in the local OT architecture.
  • Baseline normal tag and point access by HMIs, historians, control servers, gateways, engineers, and maintenance accounts.
  • Tune for unusual source systems, new user or process identities, abnormal volume or timing of point reads, and access paths crossing segmentation boundaries.
  • Correlate network observations with authentication events; unauthenticated or weakly attributed reads are a coverage gap.
  • Account for false positives from engineering work, commissioning, backups, troubleshooting, and historian synchronization.
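The telemetry list and the detection bullets above describe one detection pattern: baseline who reads which points, then flag reads from new sources, reads at abnormal volume or times, reads that cross a segmentation boundary, and reads that cannot be tied to an authenticated identity. The script below is an added example written for this page, not Glexia or MITRE code. It runs the pattern over a constructed, protocol-aware read log; the CSV field names (`src_zone`, `points`, `op`), the host names, the zone policy and the 3-sigma volume threshold are all assumptions chosen for the example.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from statistics import mean, pstdev

# Constructed baseline: point/tag reads seen during a known-good week (not real data).
BASELINE_LOG = """ts,src,src_zone,dst,protocol,op,points
2024-03-04T08:00:00,hmi-01,control,plc-07,modbus,read,24
2024-03-04T08:05:00,hmi-01,control,plc-07,modbus,read,24
2024-03-04T08:10:00,hist-01,dmz,plc-07,opcua,browse,40
2024-03-04T08:15:00,hist-01,dmz,plc-07,opcua,browse,42
2024-03-04T09:00:00,hmi-01,control,plc-07,modbus,read,26
2024-03-04T09:30:00,hist-01,dmz,plc-07,opcua,browse,38
"""

# Constructed review window: the same assets a week later.
REVIEW_LOG = """ts,src,src_zone,dst,protocol,op,points
2024-03-11T02:14:00,eng-laptop-9,enterprise,plc-07,opcua,browse,1200
2024-03-11T08:00:00,hmi-01,control,plc-07,modbus,read,25
2024-03-11T08:07:00,hist-01,dmz,plc-07,opcua,browse,41
2024-03-11T09:40:00,ews-02,control,plc-07,codesys,read,30
2024-03-11T09:45:00,hist-01,dmz,plc-07,opcua,browse,900
"""

# Constructed authentication events for the hosts that issue reads.
AUTH_LOG = """ts,user,src
2024-03-11T09:30:00,jsmith,ews-02
"""

FORBIDDEN_PATHS = {("enterprise", "control")}  # assumed segmentation policy
ASSET_ZONE = {"plc-07": "control"}             # assumed asset inventory
AUTH_WINDOW = timedelta(minutes=30)             # how recent a login must be to attribute a read
SIGMA = 3.0                                     # volume threshold in standard deviations


def parse_log(text):
    """Parse one of the constructed CSV logs into dicts with typed ts and points."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["ts"])
        if "points" in r:
            r["points"] = int(r["points"])
        rows.append(r)
    return rows


def build_baseline(rows):
    """Per (src, dst) pair: mean and population std-dev of points read; plus hours seen."""
    per_pair = defaultdict(list)
    hours = set()
    for r in rows:
        per_pair[(r["src"], r["dst"])].append(r["points"])
        hours.add(r["ts"].hour)
    stats = {pair: (mean(v), pstdev(v)) for pair, v in per_pair.items()}
    return stats, hours


def attributed_user(read, auth_rows, window=AUTH_WINDOW):
    """User who authenticated on the reading host within `window` before the read, else None."""
    for a in auth_rows:
        if a["src"] == read["src"] and timedelta(0) <= read["ts"] - a["ts"] <= window:
            return a["user"]
    return None


def evaluate(review_rows, stats, hours, auth_rows):
    """Apply the four checks from the detection bullets; return one finding per suspicious read."""
    findings = []
    for r in review_rows:
        reasons = []
        pair = (r["src"], r["dst"])
        if pair not in stats:
            reasons.append("new source for asset")
        else:
            mu, sd = stats[pair]
            limit = mu + SIGMA * max(sd, 1.0)  # floor sd so a flat baseline keeps some tolerance
            if r["points"] > limit:
                reasons.append(f"volume {r['points']} exceeds baseline limit {limit:.0f}")
        if (r["src_zone"], ASSET_ZONE.get(r["dst"])) in FORBIDDEN_PATHS:
            reasons.append("crosses segmentation boundary")
        if r["ts"].hour not in hours:
            reasons.append("outside baseline hours")
        if reasons:
            findings.append({"ts": r["ts"].isoformat(), "src": r["src"], "dst": r["dst"],
                             "reasons": reasons, "user": attributed_user(r, auth_rows)})
    return findings


def run():
    """Build the baseline from the known-good week and evaluate the review window."""
    stats, hours = build_baseline(parse_log(BASELINE_LOG))
    return evaluate(parse_log(REVIEW_LOG), stats, hours, parse_log(AUTH_LOG))


if __name__ == "__main__":
    for f in run():
        who = f["user"] or "UNATTRIBUTED (coverage gap)"
        print(f"{f['ts']} {f['src']} -> {f['dst']}: {', '.join(f['reasons'])} [{who}]")
```

Run stand-alone it reports three reads: the enterprise laptop browsing 1200 points at 02:14 (new source, boundary crossing, off-hours, no login to tie it to), the historian's 900-point browse (known source, volume far above its baseline, also unattributed because machine-to-machine reads carry no user login), and the engineering workstation's read, which is a new source but is attributed to a user who logged in ten minutes earlier and so is a candidate for the engineering-work false positive the last bullet warns about. Unattributed rows are reported as a coverage gap rather than suppressed, matching the correlation bullet.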

Mitigation priorities

  • Prioritize Network Segmentation to restrict access to critical process control systems and limit enterprise-to-OT reachability.
  • Enforce Authorization Enforcement and Access Management so only approved authenticated users, devices, and processes can read or manipulate ICS data.
  • Require Human User Authentication and Software Process and Device Authentication where feasible for the environment.
  • Use Network Allowlists and Filter Network Traffic, including protocol-aware filtering, to limit allowed connections, message types, rates, and expected communication paths.
  • Use Communication Authenticity over untrusted networks to help verify sender identity and message integrity.

Analyst notes and limits

This technique is mapped to many core ICS assets, including HMI, PLC, RTU, IED, Data Historian, Control Server, Data Gateway, Safety Controller, DCS Controller, and PAC. ATT&CK also relates the behavior to Backdoor.Oldrea and INCONTROLLER software entries, but that should be used as threat-intelligence context rather than evidence of current activity in any specific environment.

The supplied ATT&CK object has no platforms, tactics, aliases, or official detection text, so detection and control guidance must be validated against the organization’s actual ICS protocols, asset inventory, logging capability, and operating procedures. This summary does not claim active exploitation or guaranteed detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware (ICS domain)

S1045: INCONTROLLER

INCONTROLLER is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. INCONTROLLER has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed INCONTROLLER was developed by CHERNOVITE.[1][2][3][4][5]

Platforms: Engineering Workstation; Field Controller/RTU/PLC/IED; Safety Instrumented System/Protection Relay
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 54c196c84d14c38b...

Imported snapshots across ATT&CK releases (1)

Release: 19.1; Object version: 1.1; Status: Current bundle; Raw hash: 54c196c84d14…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Dennis L. Sloatman. (2016, September 16). Understanding PLC Programming Methods and the Tag Database System. Retrieved 2017/12/19.
  2. [2] mitre-attack: T0861.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.