Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1693.002: Module Firmware

Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.

This technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices.[1]

An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:[1]

* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. * Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. * Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. * A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. * Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.

ICST1693.002Sub-techniqueObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Module Firmware matters because an ICS device may rely on add-on modules, such as communication cards, that run their own firmware separate from the main controller. If that module firmware is malicious or vulnerable, a device can be re-imaged in a way that creates persistence, causes module failure, or provides a path toward other components. For business leaders, the risk is not just an IT compromise; it can affect PLCs, safety controllers, DCS controllers, and PACs that support operational continuity and safety-critical processes.

Executive priority

Prioritize this where modular controllers support critical production, safety, or continuous process operations. Leaders should ask whether firmware integrity, access control, network segmentation, and audit evidence extend to controller modules—not only to the main device. This is also a compliance and resilience issue: incident responders need known-good firmware baselines, asset/module inventories, and evidence of who can access or update field devices before an outage or suspected tampering event.

Technical view

SOC, OT engineering, and IR teams should validate coverage around modular embedded assets targeted by this technique: PLCs, safety controllers, DCS controllers, and PACs. MITRE provides no platform or tactic values and no official detection text, but the relationship to DET0790 indicates a detection strategy exists for Module Firmware. Practical validation should focus on whether teams can observe firmware changes, module reboots or failures, unauthorized network access to field devices, and deviations from known-good firmware states. Treat Ethernet or communications modules as separate attack surfaces with their own firmware, authentication, and integrity requirements.

Likely telemetry

  • ICS asset and module inventory, including firmware versions for controller modules
  • Known-good firmware hashes, signatures, or baseline integrity records
  • Engineering workstation, maintenance, or gateway logs showing access to field devices
  • Network traffic between engineering/management systems and PLC, PAC, DCS, or safety controller modules
  • Authentication and authorization logs for users, devices, software processes, and gateways

Detection direction

  • Confirm whether DET0790-aligned logic is implemented locally; the supplied ATT&CK object does not include detection details.
  • Baseline module firmware versions and compare after device reboots, program downloads, program restarts, maintenance windows, or communication-card failures.
  • Tune alerts for unexpected firmware changes, unauthorized access attempts, unusual management connections, or module behavior inconsistent with expected operational sequences.
  • Reduce false positives by correlating with approved maintenance work orders, authorized engineering sessions, and planned firmware updates.
  • Check blind spots around Ethernet cards and other modules that may not expose the same logs, integrity checks, or authentication controls as the main controller.

Mitigation priorities

  • Start with asset and firmware audit practices: maintain module inventories and known-good firmware integrity records, supported by periodic checks.
  • Restrict access to field devices using Access Management, Human User Authentication, and Software Process and Device Authentication where feasible in the ICS environment.
  • Use Network Segmentation, Network Allowlists, and Filter Network Traffic to limit which systems can communicate with controller modules and which protocols or message patterns are allowed.
  • Apply Communication Authenticity and encryption controls for untrusted networks where supported, recognizing that legacy ICS constraints may limit options.
  • Prefer Code Signing and Boot Integrity capabilities for firmware and module startup validation when available from the device ecosystem.
Analyst notes and limits

This is a sub-technique of Modify Firmware and supersedes the revoked T0839 Module Firmware object. The supplied relationships make the cyber-physical relevance clear: targeted assets include PLCs, safety controllers, DCS controllers, and PACs, all embedded ICS assets. The practical emphasis should be on module-level visibility and control, especially for communications modules that may be more exposed than the main controller.

The official ATT&CK object does not specify tactics, platforms, aliases, or detection text. The assessment therefore cannot assert active exploitation, adversary attribution, guaranteed detection coverage, or specific vendor behavior. Local architecture, device capabilities, maintenance practices, and available OT telemetry determine actual exposure and control effectiveness.

Official MITRE ATT&CK definition

Module Firmware

Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.

This technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices.[1]

An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:[1]

* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. * Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. * Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. * A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. * Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows
Domain ID Name Relationship / procedure
ICS T0839 Module Firmware Module Firmware revoked by this object.
ICS T1693 Modify Firmware This object subtechnique of Modify Firmware.
Relationship explorer

All related ATT&CK context

targets · ICS Asset A0010: Safety Controller ICS mitigates · Mitigation M0937: Filter Network Traffic ICS mitigates · Mitigation M0807: Network Allowlists ICS targets · ICS Asset A0003: Programmable Logic Controller (PLC) ICS mitigates · Mitigation M0930: Network Segmentation ICS revoked by · Technique T0839: Module Firmware ICS detects · Detection Strategy DET0790: Detection of Module Firmware ICS targets · ICS Asset A0017: Distributed Control System (DCS) Controller ICS mitigates · Mitigation M0946: Boot Integrity ICS targets · ICS Asset A0018: Programmable Automation Controller (PAC) ICS mitigates · Mitigation M0945: Code Signing ICS mitigates · Mitigation M0808: Encrypt Network Traffic ICS mitigates · Mitigation M0801: Access Management ICS mitigates · Mitigation M0802: Communication Authenticity ICS mitigates · Mitigation M0947: Audit ICS subtechnique of · Technique T1693: Modify Firmware ICS mitigates · Mitigation M0941: Encrypt Sensitive Information ICS mitigates · Mitigation M0804: Human User Authentication ICS mitigates · Mitigation M0813: Software Process and Device Authentication ICS
Mitigations

Mitigation direction

Mitigation ICS

M0937: Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. [1]

Mitigation ICS

M0807: Network Allowlists

Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in Filter Network Traffic mitigation.

Mitigation ICS

M0930: Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. [1] [2]

Mitigation ICS

M0946: Boot Integrity

Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.

Mitigation ICS

M0945: Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Mitigation ICS

M0801: Access Management

Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. [1] These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. [2]

Mitigation ICS

M0802: Communication Authenticity

When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
8036148d042be113...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 8036148d042b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Daniel Peck, Dale Peterson January 2009

    Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19

    Open source URL
  2. [2]
    mitre-attack T1693.002
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use