T0880: Loss of Safety
Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner.
Many unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage.
Adversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditions to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.
Analyst context for executives and security teams
Loss of Safety is an ICS technique where an adversary compromises functions meant to force an industrial process into a safe state when dangerous conditions occur. This matters beyond cybersecurity because safety functions may be the last automated barrier before property damage, human safety risk, environmental harm, or forced process shutdown. For leaders, the key issue is whether safety protection is truly independent and resilient enough that a cyber incident in operations cannot silently remove or weaken the safety layer.
Executive priority
Prioritize this as a cyber-physical resilience issue, not just an SOC detection problem. The supplied ATT&CK description notes that unsafe process conditions can develop too quickly for human operators to correct, and that detection of safety loss can require shutdown under strict safety policies, creating productivity and revenue impact. Executives should ask whether Safety Instrumented Systems and mechanical protection layers are independently governed, segmented from operational networks, tested, and evidenced for audit, safety, and incident decision-making.
Technical view
ATT&CK does not provide a detection description, platforms, or tactics for T0880, so defenders should validate coverage from the related detection strategy DET0779 and from local engineering evidence. SOC and IR teams should focus on whether they can observe degradation, disablement, configuration change, loss of communication, or abnormal state in safety-related functions without depending only on the same operational network that may be compromised. The relationship to Triton is important context: ATT&CK identifies Triton as software built to interact with Triconex SIS controllers and using this technique, so environments with SIS technologies should treat safety-controller visibility, segmentation, and incident runbooks as critical validation areas.
Likely telemetry
- Safety Instrumented System status, alarms, trips, bypasses, inhibits, and fault indications where available
- Engineering workstation and controller configuration change records for safety-related systems
- Operational network and segmentation logs showing access paths to safety systems
- Process historian or control-system records showing safety function state changes and abnormal process conditions
- Operator console alarms and shutdown records tied to safety system health
Detection direction
- Map DET0779, Detection of Loss of Safety, to site-specific SIS and safety-layer telemetry; do not assume generic IT monitoring covers this behavior.
- Validate alerting for safety function disablement, bypass, abnormal fault state, unexpected configuration change, or loss of safety-system communication.
- Tune detections with engineering input because maintenance, testing, and planned safety bypasses can create false positives but still require strong authorization and evidence.
- Review whether telemetry remains available if operational networks are disrupted or if safety systems are segmented, since segmentation can also create monitoring blind spots.
- Use the Triton relationship as threat-intelligence context for SIS-focused monitoring, without assuming the presence of Triton or active exploitation.
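The checks in this list can be prototyped before they are mapped to real SIS telemetry. The following is an added example, not part of ATT&CK or of DET0779: it flags bypass and configuration changes that no approved work permit covers, and loss of communication from a safety asset. The event schema, asset and user names, permit list, and the five-minute silence threshold are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, asset, kind, user). The schema and the
# asset/user names are hypothetical, not any SIS vendor's log format.
EVENTS = [
    ("2024-05-01T08:00:00", "SIS-01", "heartbeat", None),
    ("2024-05-01T08:01:00", "SIS-01", "bypass_on", "eng_a"),
    ("2024-05-01T08:02:00", "SIS-01", "heartbeat", None),
    ("2024-05-01T08:03:00", "SIS-02", "heartbeat", None),
    ("2024-05-01T08:04:00", "SIS-02", "bypass_on", "eng_b"),
    ("2024-05-01T08:05:00", "SIS-02", "config_change", "eng_b"),
    ("2024-05-01T08:06:00", "SIS-01", "heartbeat", None),
    ("2024-05-01T08:12:00", "SIS-01", "heartbeat", None),
]
# Constructed approved work permits: (asset, user, start, end).
PERMITS = [("SIS-01", "eng_a", "2024-05-01T07:30:00", "2024-05-01T09:00:00")]
STATE_CHANGES = {"bypass_on", "inhibit_on", "config_change"}
MAX_SILENCE = timedelta(minutes=5)  # assumed heartbeat tolerance


def parse(ts):
    return datetime.fromisoformat(ts)


def permitted(asset, user, ts, permits):
    """True if an approved permit covers this user, asset and time."""
    return any(a == asset and u == user and parse(s) <= ts <= parse(e)
               for a, u, s, e in permits)


def detect(events, permits, window_end):
    """Return (asset, finding, severity) tuples in event order."""
    alerts, last_seen = [], {}
    for raw_ts, asset, kind, user in sorted(events, key=lambda ev: ev[0]):
        ts = parse(raw_ts)
        if asset in last_seen and ts - last_seen[asset] > MAX_SILENCE:
            alerts.append((asset, "comm_loss", "high"))
        last_seen[asset] = ts
        if kind in STATE_CHANGES:
            # Planned work is still recorded as evidence, at lower severity.
            sev = "review" if permitted(asset, user, ts, permits) else "high"
            alerts.append((asset, kind, sev))
    # An asset that goes quiet never emits a later event to expose the gap.
    for asset, ts in last_seen.items():
        if parse(window_end) - ts > MAX_SILENCE:
            alerts.append((asset, "comm_loss", "high"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, PERMITS, "2024-05-01T08:12:00"):
        print(alert)
```

The permit lookup is where engineering input enters: the permitted bypass on SIS-01 is kept as a reviewable record rather than suppressed, while the same action on SIS-02 without a permit is raised at high severity.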
Mitigation priorities
- Maintain layered physical or mechanical protection systems, consistent with M0805, to help prevent damage to property, equipment, human safety, or the environment even if cyber controls fail.
- Use Safety Instrumented Systems as an additional protection layer for hazardous scenarios, consistent with M0812.
- Ensure SIS environments are segmented from operational networks as specifically noted in M0812, reducing the chance that broader operational compromise can directly target safety functions.
- Require documented testing, change control, and incident response procedures for safety functions so shutdown decisions can be made quickly and defensibly.
- Align safety, operations, engineering, SOC, and executive crisis-management teams on when suspected Loss of Safety requires process shutdown or escalation.
Analyst notes and limits
This object is especially material for organizations where cyber events can affect industrial processes. The strongest decision value is cross-functional: security teams need evidence and monitoring, engineering teams need validated safety-layer independence, and leaders need predefined shutdown and business-continuity criteria.
The ATT&CK object supplies no official detection text, platforms, tactics, aliases, or labels. Recommendations above are constrained to the official description and the listed relationships to DET0779, M0805, M0812, and Triton; local architecture, SIS vendor details, process hazards, and safety policy are required to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b9453c73e74e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack T0880
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.