T0883: Internet Accessible Device
Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through External Remote Services. Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits; access gained through exploits would be represented within the Exploit Public-Facing Application technique.
Adversaries may leverage built-in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. [1] These services may be discoverable through the use of online scanning tools.
In the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. [1] [2] [3]
In Trend Micro's manufacturing deception operations, adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. [4]
Analyst context for executives and security teams
T0883 matters because an industrial device or remote-access path exposed directly to the internet can turn a control environment into an externally reachable business risk. The key issue is not exploitation of a vulnerable application; MITRE defines this as access through intentionally or unintentionally exposed devices and built-in remote access functions with weak or inadequate protections. For executives, this is a resilience and governance problem: organizations need evidence that critical ICS access paths are known, segmented, authenticated, and not discoverable as direct internet entry points.
Executive priority
Prioritize this as an industrial boundary-control issue. Leadership should ask for a current inventory of internet-reachable ICS assets and remote-access services, proof that critical process control systems are segmented from internet-facing services, and evidence that remote access is limited to required systems and services. This technique is especially material where workstations, application servers, VPN servers, switches, or firewalls support ICS operations, because exposure can create a direct path toward the control system network and complicate incident response, audit readiness, and operational continuity decisions.
Technical view
SOC, IR, and detection engineering teams should validate whether any ICS-related devices or services are directly reachable from the internet, including remote access functions and exposed operational protocols referenced by MITRE such as Siemens S7, Omron FINS, EtherNet/IP, and misconfigured VNC. Because MITRE does not provide official detection text for this technique, coverage should be built around asset exposure validation, boundary monitoring, remote access review, and correlation with the related detection strategy DET0796 where available. Relationship context indicates relevant asset classes include workstations, application servers, VPN servers, switches, and firewalls; teams should confirm these assets are represented in inventories, network diagrams, access-control rules, and monitoring scope.
Likely telemetry
- External attack surface and internet exposure scan results for ICS-related IP ranges and remote-access services
- Firewall, VPN, and boundary device configuration and connection logs
- Network flow records showing inbound internet connections to ICS-adjacent or control-network assets
- Remote access authentication logs, including failed password attempts where available
- Asset inventory and network segmentation records for workstations, application servers, VPN servers, switches, and firewalls
Detection direction
- Validate that detection content distinguishes direct internet-accessible devices from Exploit Public-Facing Application behavior, since MITRE separates access without exploits from exploitation of public-facing applications.
- Compare external scan findings against approved remote-access architecture and known ICS asset inventory to identify unintentionally exposed devices.
- Tune alerts for inbound internet-originated connections to ICS-related systems, especially where the destination is not an approved DMZ or remote-access service.
- Review false positives from sanctioned vendor, engineering, or field remote access, but require business owner approval and segmentation evidence rather than treating known access as inherently safe.
- Use relationship context from DET0796 as the ATT&CK-linked detection strategy, while recognizing that no detailed official detection guidance was supplied in the object.
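One way to implement the boundary check described in the detection direction above, as an added example that is not part of the MITRE object or any vendor tooling. The network ranges, the CSV flow format, and the sample records are constructed assumptions; the ports are the well-known defaults for the services this page names.

```python
import ipaddress

# Default ports of the services named on this page (well-known assignments).
WATCHED_PORTS = {102: "Siemens S7", 9600: "Omron FINS",
                 44818: "EtherNet/IP", 5900: "VNC"}

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Assumed, constructed environment: replace with the real inventory.
INTERNAL_NETS = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ICS_NETS = nets("10.20.0.0/16")
APPROVED_DMZ = nets("10.20.250.0/24")

# Constructed flow records: src,dst,dst_port,proto
SAMPLE_FLOWS = """\
203.0.113.45,10.20.4.11,102,tcp
10.1.8.20,10.20.4.11,102,tcp
198.51.100.7,10.20.250.5,443,tcp
198.51.100.7,10.20.9.30,5900,tcp
192.0.2.99,10.20.7.2,8080,tcp
203.0.113.45,172.16.1.1,44818,tcp
"""

def in_any(addr, networks):
    return any(addr in n for n in networks)

def classify(line):
    """Return a finding dict for one flow record, or None if out of scope."""
    src, dst, port, proto = [f.strip() for f in line.split(",")]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Only internet-originated flows that land on ICS address space matter here.
    if in_any(src_ip, INTERNAL_NETS) or not in_any(dst_ip, ICS_NETS):
        return None
    # Approved DMZ destinations are the sanctioned path; they belong to the
    # separate remote-access review, not to this exposure alert.
    if in_any(dst_ip, APPROVED_DMZ):
        return None
    service = WATCHED_PORTS.get(int(port))
    return {"src": src, "dst": dst, "port": int(port), "proto": proto,
            "service": service or "other",
            "severity": "high" if service else "medium"}

def find_exposures(flow_text):
    findings = (classify(l) for l in flow_text.splitlines() if l.strip())
    return [f for f in findings if f]

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_FLOWS):
        print(f["severity"], f["src"], "->", f"{f['dst']}:{f['port']}", f["service"])
```

Findings on a watched port are rated high because they reach an operational protocol or VNC directly; any other internet-originated flow into ICS address space outside the DMZ is still reported at medium so that unexpected exposure is not silently dropped.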
Mitigation priorities
- First, remove unnecessary direct internet exposure for ICS devices and services.
- Apply Network Segmentation (M0930): isolate critical systems, functions, and resources using physical and logical segmentation.
- Place required internet-facing services in a DMZ rather than exposing internal control-system networks directly.
- Restrict network access to only required systems and services, including limiting enterprise-to-ICS access paths.
- Validate that firewalls, VPN servers, switches, application servers, and operator or engineering workstations are configured according to the intended segmentation model and are not bypassing it.
Analyst notes and limits
The supplied ATT&CK object includes examples involving internet-accessible control systems, a cellular modem in the Bowman dam incident, and manufacturing deception operations where direct internet access exposed industrial protocols and VNC. Relationship context also shows use by the Unitronics Defacement Campaign and Fuxnet, but this summary does not infer current exposure, attribution, or customer impact from those relationships. Treat this technique as a control validation and exposure-management priority for ICS environments.
MITRE did not provide platforms, tactics, or official detection text for this technique. Detection and mitigation recommendations therefore rely on the official description, external references, and supplied relationships, especially DET0796 and M0930. Local confirmation requires environment-specific asset inventory, network architecture, internet exposure data, and access-control evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S1157: Fuxnet
C0031: Unitronics Defacement Campaign
The Unitronics Defacement Campaign was a collection of intrusions across multiple sectors by the CyberAv3ngers, where threat actors engaged in a seemingly opportunistic and global targeting and defacement of Unitronics Vision Series Programmable Logic Controller (PLC) with Human-Machine Interface (HMI). The sectors that these PLCs can be commonly found in are water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the PLCs' HMIs.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7bbb015ac490… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NCCIC. 2014, January 1. Internet Accessible Control Systems At Risk. Retrieved 2019/11/07.
- [2] Danny Yadron. 2015, December 20. Iranian Hackers Infiltrated New York Dam in 2013. Retrieved 2019/11/07.
- [3] Mark Thompson. 2016, March 24. Iranian Cyber Attack on New York Dam Shows Future of War. Retrieved 2019/11/07.
- [4] Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rösler, and Rainer Vosseler. Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats. Retrieved 2021/04/12.
- [5] mitre-attack T0883
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.