U.S. Department of Energy
Office of Scientific and Technical Information

Requirements and Recommendations for a Physical Attack Characterization Framework

Technical Report · DOI: https://doi.org/10.2172/2229613 · OSTI ID: 2229613
 [1];  [1];  [1]
  1. Lawrence Livermore National Laboratory (LLNL), Livermore, CA (United States)

This study seeks to identify existing frameworks, or to develop requirements and recommendations for a new framework, that can consistently characterize physical attacks, analogous to MITRE ATT&CK®. MITRE ATT&CK is widely used across government, research organizations, and the cyber security community to characterize cyber attack tactics, techniques, and procedures (TTPs) in a consistent and commonly understood manner. Physical attack taxonomies, methodologies, and other tools for evaluating physical security do exist, but many are sector- and/or facility-type-specific, and therefore cannot provide comparable scenarios across sectors, or are focused on security assessment rather than on the characterization of the attacks themselves. A MITRE ATT&CK analog for physical attacks on critical infrastructure would provide a common language and structure for the analysis of physical attacks. Existing attack characterization methodologies do not robustly address cyber-physical security risks. To fully understand a facility's security needs, it is important to understand the entire vulnerability landscape from both a physical and a cyber perspective. To underscore this need, organizations such as the Cybersecurity and Infrastructure Security Agency (CISA) are calling for a coordinated approach to cyber and physical security, which they refer to as cyber and physical security convergence. A physical attack characterization framework that could be used jointly with MITRE ATT&CK would support a more robust analysis in support of convergence, enabling the consistent characterization of attacks that use both cyber and physical tactics and techniques. This would give analysts and stakeholders a clearer understanding of how security mitigations deployed in the physical realm affect security risks in the cyber realm, and vice versa.
In this study, the project team evaluates existing physical security taxonomies and methodologies to assess whether an existing method can be used to create a "physical half" of MITRE ATT&CK. The study then provides requirements and recommendations for a framework that can leverage aspects of existing methodologies. The goal is for the final framework to be widely adopted and referenced, regardless of critical infrastructure sector, facility type, or facility components. The study also identifies applicable use cases for when and how such a framework could be applied across the various critical infrastructure sectors for a variety of attack types and motivations. Through a literature review of existing security-focused methodologies and taxonomies, engagement with relevant stakeholders, evaluation of potential physical attack framework use cases, and subsequent identification of requirements, this study arrived at the following key findings and recommendations: (1) there is a need for a new physical attack characterization framework; (2) a physical attack framework should be interoperable with the MITRE ATT&CK framework; (3) a physical attack framework should be broadly applicable, but with detailed tactics, techniques, and procedures that encompass the entire attack path; (4) a physical attack framework should be based on observed or feasible events; (5) a physical attack framework should adapt features from existing methodologies, frameworks, and taxonomies; and (6) a physical attack framework should be owned, overseen, and maintained by one organization.

Research Organization:
Lawrence Livermore National Laboratory (LLNL), Livermore, CA (United States)
Sponsoring Organization:
USDOE National Nuclear Security Administration (NNSA)
DOE Contract Number:
AC52-07NA27344
OSTI ID:
2229613
Report Number(s):
LLNL-TR-858139; 1080942
Country of Publication:
United States
Language:
English

Similar Records

Assessment of the Distributed Ledger Technology for Energy Sector Industrial and Operational Applications Using the MITRE ATT&CK® ICS Matrix
Journal Article · June 22, 2023 · IEEE Access · OSTI ID: 1997359

Cyber Threat Dictionary Using MITRE ATT&CK Matrix and NIST Cybersecurity Framework Mapping
Conference · November 2020 · OSTI ID: 1734565

Comparison of Socio-Technical Threat Models
Conference · June 15, 2023 · OSTI ID: 2006810