Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1692.002: Reporting Message

Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.

If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem.[1]

ICST1692.002Sub-techniqueObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Reporting Message spoofing matters because ICS operators often make safety and continuity decisions based on telemetry that says what equipment and the process are doing. If those messages are false, defenders may see “normal” conditions during a real issue or chase misleading alarms while the actual problem continues. The business concern is not only cyber intrusion; it is loss of trustworthy operational awareness across HMIs, controllers, RTUs, IEDs, control servers, gateways, and safety-related devices.

Executive priority

Treat this as an operational resilience and cyber-physical risk topic: can the organization prove that critical process telemetry is authentic, expected, and restricted to approved paths? Leaders should ask whether ICS network segmentation, sender/device authentication, protocol filtering, and allowlists are implemented for the control paths that matter most. This also supports audit and incident readiness because response teams need evidence that telemetry shown to operators can be trusted during abnormal events.

Technical view

ATT&CK provides no official detection text for T1692.002, but it is linked to detection strategy DET0746 and mitigations focused on communication authenticity, device/process authentication, allowlisting, segmentation, and traffic filtering. SOC and IR teams should validate visibility into reporting-message flows between field/control assets and operator-facing systems, especially where HMIs, PLCs, RTUs, IEDs, control servers, data gateways, safety controllers, DCS controllers, and PACs exchange telemetry. Detection engineering should focus on unauthorized senders, unexpected message paths, abnormal message types/rates/sequences, and inconsistencies between expected operations and reported I/O or event data.

Likely telemetry

  • ICS network traffic containing reporting/telemetry messages between control assets
  • Protocol-aware logs or captures for automation protocols where available, such as those referenced in ATT&CK context for control servers and filtering
  • HMI and control server event, alarm, and telemetry records
  • RTU, PLC, IED, PAC, DCS controller, safety controller, and data gateway communication or event logs where supported
  • Network allowlist, firewall, segmentation, and protocol-filter enforcement logs

Detection direction

  • Confirm whether DET0746 or an equivalent local analytic exists; ATT&CK does not provide detection implementation detail in the supplied object.
  • Baseline legitimate telemetry sources, destinations, ports, protocols, message types, rates, and sequences for critical processes.
  • Alert on reporting messages from unauthorized or unexpected devices, networks, or software processes.
  • Tune for operational false positives caused by maintenance, commissioning, protocol translation, gateway changes, or failover paths.
  • Correlate operator-visible HMI values and alerts with lower-level device or network evidence when available, because spoofed reporting messages may be intended to make the process appear normal or to misdirect personnel.

Mitigation priorities

  • Prioritize communication authenticity for untrusted network paths using mechanisms that authenticate the sender and verify message integrity, consistent with M0802.
  • Require authentication for devices and software processes where appropriate, especially remote connections and API access, consistent with M0813.
  • Restrict which devices can communicate using network allowlists for IP address, MAC address, port, and protocol where feasible, consistent with M0807.
  • Segment critical process control systems from enterprise and other non-required networks, using physical/logical segmentation and DMZ patterns where applicable, consistent with M0930.
  • Use ingress/egress and protocol-aware filtering, including application-layer allow/deny logic for automation protocols where communication patterns are well defined, consistent with M0937.
Analyst notes and limits

This object is a sub-technique of T1692 Unauthorized Message and supersedes the revoked T0856 Spoof Reporting Message. The supplied relationships show broad ICS asset relevance, including HMIs, PLCs, RTUs, IEDs, control servers, data gateways, safety controllers, DCS controllers, and PACs. The Maroochy Water Breach campaign is listed as using this object, but this take does not infer current activity or broader attribution from that relationship.

The supplied ATT&CK object does not specify tactics, technique platforms, or official detection guidance. Defensive recommendations are therefore based on the official description, cited relationships, and listed mitigations; local engineering diagrams, asset inventories, protocol details, and process-safety requirements are required to determine actual exposure and coverage.

Official MITRE ATT&CK definition

Reporting Message

Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.

If an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows
Domain ID Name Relationship / procedure
ICS T1692 Unauthorized Message This object subtechnique of Unauthorized Message.
ICS T0856 Spoof Reporting Message Spoof Reporting Message revoked by this object.
Associated objects

Groups, software, and campaigns

Campaign ICS

C0020: Maroochy Water Breach

Maroochy Water Breach was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.[1]

Relationship explorer

All related ATT&CK context

subtechnique of · Technique T1692: Unauthorized Message ICS uses · Campaign C0020: Maroochy Water Breach ICS mitigates · Mitigation M0807: Network Allowlists ICS targets · ICS Asset A0007: Control Server ICS targets · ICS Asset A0010: Safety Controller ICS mitigates · Mitigation M0930: Network Segmentation ICS targets · ICS Asset A0002: Human-Machine Interface (HMI) ICS targets · ICS Asset A0009: Data Gateway ICS targets · ICS Asset A0018: Programmable Automation Controller (PAC) ICS mitigates · Mitigation M0937: Filter Network Traffic ICS targets · ICS Asset A0005: Intelligent Electronic Device (IED) ICS detects · Detection Strategy DET0746: Detection of Spoof Reporting Message ICS targets · ICS Asset A0004: Remote Terminal Unit (RTU) ICS targets · ICS Asset A0003: Programmable Logic Controller (PLC) ICS revoked by · Technique T0856: Spoof Reporting Message ICS targets · ICS Asset A0017: Distributed Control System (DCS) Controller ICS mitigates · Mitigation M0813: Software Process and Device Authentication ICS mitigates · Mitigation M0802: Communication Authenticity ICS
Mitigations

Mitigation direction

Mitigation ICS

M0807: Network Allowlists

Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in Filter Network Traffic mitigation.

Mitigation ICS

M0930: Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. [1] [2]

Mitigation ICS

M0937: Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. [1]

Mitigation ICS

M0813: Software Process and Device Authentication

Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.

Mitigation ICS

M0802: Communication Authenticity

When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
d73e04ce24f51663...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle d73e04ce24f5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011

    Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12

    Open source URL
  2. [2]
    mitre-attack T1692.002
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use