Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T0878: Alarm Suppression

Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.

A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. [1] The method of suppression may greatly depend on the type of alarm in question:

* An alarm raised by a protocol message * An alarm signaled with I/O * An alarm bit set in a flag (and read)

In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. [1] Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.

ICST0878TechniqueObject v1.2 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Alarm Suppression matters because it targets the operator’s ability to see and respond to critical industrial conditions. In an ICS environment, alarms may originate from protocol messages, I/O signaling, or alarm bits/flags, and suppression can affect HMIs, controllers, historians, gateways, and safety-related devices. For leaders, the key risk is not only loss of monitoring visibility, but delayed or incorrect operational response during abnormal process conditions.

Executive priority

Treat this as an operational resilience and safety-readiness concern, not just a monitoring issue. Executives should ask whether critical alarms have independent paths, whether alarm evidence is retained outside the affected control path, and whether SOC/OT responders can distinguish a quiet process from a suppressed alarm stream. The ATT&CK relationship to the Maroochy Water Breach reinforces that alarm manipulation has historical relevance in ICS incidents, but the supplied data does not indicate current active exploitation.

Technical view

SOC, OT security, and IR teams should validate coverage across the assets ATT&CK identifies as targets: HMI, PLC, RTU, IED, data historian, control server, data gateway, safety controller, DCS controller, and PAC. Because no official ATT&CK detection text is provided, teams should use the related DET0728 detection strategy as a pointer and build local logic around alarm-path integrity: mismatches between field state, controller flags, protocol alarm messages, HMI display state, historian records, and operator notifications. Investigations should consider that suppressing one alarm channel may not suppress the whole reporting system.

Likely telemetry

  • HMI alarm/event logs and display state records
  • Data historian alarm, event, and telemetry records
  • Control server and gateway communication logs
  • ICS protocol traffic that carries alarms or status changes
  • Controller, RTU, IED, safety controller, DCS controller, and PAC configuration or logic change records

Detection direction

  • Validate whether critical alarm conditions can be cross-checked across independent sources, such as field telemetry, controller state, HMI display, and historian records.
  • Tune for inconsistencies: alarm-relevant process values without corresponding alarm messages, missing alarm propagation, or alarms present in one system but absent in another.
  • Account for false positives from maintenance, engineering changes, commissioning, communication failures, or known alarm-management changes.
  • Prioritize monitoring on assets in the ATT&CK relationships, especially systems that aggregate, translate, display, or store alarm data.
  • Because ATT&CK provides no official detection details for this technique, detection quality depends on local process knowledge, asset inventory, alarm design, and available OT telemetry.

Mitigation priorities

  • Segment critical process control systems and restrict access to required systems and services, consistent with Network Segmentation (M0930).
  • Use network allowlists where feasible to constrain which devices, addresses, ports, and protocols can communicate with alarm-relevant assets, consistent with Network Allowlists (M0807).
  • Use static network configuration where practical to reduce manipulation opportunities involving dynamic discovery or addressing, consistent with Static Network Configuration (M0814).
  • Maintain out-of-band communication channels for communication failures and data integrity attacks, consistent with Out-of-Band Communications Channel (M0810).
  • Prioritize controls around alarm aggregation and operator-facing systems such as HMIs, historians, gateways, and control servers, while also considering embedded field and safety devices.
Analyst notes and limits

This object is ICS-specific and focuses on protection-function alarms. The supplied relationships show broad target coverage across operator interfaces, embedded controllers, safety-related devices, historians, gateways, and control infrastructure. Detection should be engineered around alarm-path integrity rather than assuming one log source is authoritative.

Official ATT&CK detection text, tactics, and platforms are not provided for the technique itself. Platform context is only available through related ICS assets. Local engineering diagrams, alarm philosophy, asset inventory, protocol usage, and logging capabilities are required to turn this into reliable detections or audit evidence.

Official MITRE ATT&CK definition

Alarm Suppression

Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.

A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. [1] The method of suppression may greatly depend on the type of alarm in question:

* An alarm raised by a protocol message * An alarm signaled with I/O * An alarm bit set in a flag (and read)

In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. [1] Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Campaign ICS

C0020: Maroochy Water Breach

Maroochy Water Breach was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.[1]

Relationship explorer

All related ATT&CK context

targets · ICS Asset A0018: Programmable Automation Controller (PAC) ICS targets · ICS Asset A0002: Human-Machine Interface (HMI) ICS targets · ICS Asset A0009: Data Gateway ICS targets · ICS Asset A0017: Distributed Control System (DCS) Controller ICS targets · ICS Asset A0007: Control Server ICS targets · ICS Asset A0005: Intelligent Electronic Device (IED) ICS mitigates · Mitigation M0814: Static Network Configuration ICS targets · ICS Asset A0010: Safety Controller ICS targets · ICS Asset A0004: Remote Terminal Unit (RTU) ICS mitigates · Mitigation M0807: Network Allowlists ICS targets · ICS Asset A0006: Data Historian ICS mitigates · Mitigation M0930: Network Segmentation ICS targets · ICS Asset A0003: Programmable Logic Controller (PLC) ICS uses · Campaign C0020: Maroochy Water Breach ICS mitigates · Mitigation M0810: Out-of-Band Communications Channel ICS detects · Detection Strategy DET0728: Detection of Alarm Suppression ICS
Mitigations

Mitigation direction

Mitigation ICS

M0814: Static Network Configuration

Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.

Mitigation ICS

M0807: Network Allowlists

Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in Filter Network Traffic mitigation.

Mitigation ICS

M0930: Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. [1] [2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.2
Created
Modified
Raw hash
b17faf79c92fcafa...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.2 Current bundle b17faf79c92f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Jos Wetzels, Marina Krotofil 2019

    Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01

    Open source URL
  2. [2]
    mitre-attack T0878
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use