MITRE ATT&CK vs. NIST CSF

What is the MITRE ATT&CK framework, how it relates to NIST CSF, how to use them together, and how Verve by Rockwell Automation can assist.


Effective governance helps organizations manage cyber risk proactively while working within resource limits, meeting compliance obligations, and minimizing downtime. A successful governance model should state how the organization identifies threats, prioritizes and manages risks, decides which risks are transferred or budgeted for, and lays out the procedures for responding.

[Figure: MITRE ATT&CK governance chart]

Two critical frameworks that can serve as a key component in any cybersecurity program, whether enterprise (IT), operational (OT), or a converged version of the pair (IT/OT) are the National Institute of Standards & Technology (NIST) Cybersecurity Framework (CSF) and the MITRE ATT&CK®.

  • NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and best practices that help an organization improve its cybersecurity posture. It was originally written with IT-centric critical infrastructure in mind, but the core is sector-agnostic; NIST later published a Manufacturing Profile of the CSF (NISTIR 8183) and mapped its ICS/OT guidance (SP 800-82) to it.
  • MITRE ATT&CK® is a publicly available knowledge base that catalogs the tactics, techniques, and procedures adversaries use across multiple platforms. It was first built from real-world intrusions in Windows enterprise environments and has since expanded to include macOS, Linux, cloud, mobile, and Industrial Control Systems (ICS).

This post will highlight the value and discuss how to use these two different frameworks together for a more comprehensive and effective security strategy.

Why Choose NIST CSF?

NIST CSF offers IT and OT security managers a flexible standard for establishing and improving cybersecurity governance. We also recommend using NIST CSF since it’s easily relatable for decision makers and IT security teams.

There is no shortage of competing cybersecurity frameworks, but the NIST CSF maps readily to most of them. Combined with its industrial companion, NIST SP 800-82 (now at Rev. 3, the Guide to Operational Technology (OT) Security), the CSF is well suited to Operational Technology (OT) environments and critical infrastructure.

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework is a catalog of the behaviors attackers exhibit, built from observed intrusions. The behaviors are organized into a matrix: the tactics are the columns and represent the attacker's goals (e.g., Initial Access or Execution), and the techniques beneath each tactic are the methods used to achieve that goal (e.g., Content Injection or Cloud Administration Command).

[Figure: MITRE ATT&CK matrix]

In this way, the tactics represent “why” an attacker may use those techniques, and the techniques represent “how” they do so, which is very different in nature from the core concept of governance.

Governance is composed of the structures, systems, and practices that cover decision making, strategic direction, implementation of policy, and performance reporting for improvement and corrective action. ATT&CK, by contrast, is a shared vocabulary: it groups techniques so that security professionals and tools can describe defensive coverage, cyber threat intelligence, detection capabilities, and incident or red team results in the same terms.

Why You Should Use NIST CSF and MITRE ATT&CK Together

Most organizations already have a governance structure and process that defines how they use technology and how they protect themselves from cyber threats.

The NIST CSF is organized into Functions that together describe a complete program: CSF 2.0 (February 2024) has six, Govern, Identify, Protect, Detect, Respond, and Recover, with Govern added to the five of CSF 1.1. These Functions provide the overarching structure or blueprint for your security program and outline the essential areas you need to address.

This is where the MITRE ATT&CK matrices (Enterprise and ICS) come in. ATT&CK supplies the concrete adversary behaviors that each Function needs to account for: which techniques your controls must protect against, which ones your telemetry must detect, and which ones your playbooks must respond to. One without the other is not very effective, but used together they drive effective cybersecurity governance for both IT and OT environments.

A Hypothetical Example Using NIST CSF and MITRE ATT&CK

Imagine the following scenario:

A manufacturing organization detects unusual network activity through anti-virus alerts and the logs of the affected systems. The source is an IT workstation that connects to the OT network for data collection.

Using the above scenario, an analyst would be assigned to investigate the alerts or anomalous conditions, but how would they do so and in what manner?

Protecting your OT environment involves the right frameworks and technology. In this situation, the right approach would be to:

  1. Set up sufficient technology and guidance/governance aligned with the NIST CSF Functions, so the security teams have clear processes and tools at their disposal.
  2. Ensure resources and staff are adequately trained on the core security tools needed to identify and detect threats, protect systems, isolate and evict an attacker, and recover affected systems.
  3. Use predefined playbooks that are fine-tuned and supported using ATT&CK tactics, techniques, and procedures.
  4. Use the ATT&CK framework to outline, identify, and triage the cyber event as it occurs, but also as part of the post-mortem process.
  5. Follow the organization’s guidance from start to finish including communicating the impacts to management.

This is a high-level overview that requires customization for your organization, but it is important to note that you can use the frameworks together in ICS and OT.

Comprehensive OT Security Using NIST CSF, MITRE ATT&CK, and Verve by Rockwell Automation

While NIST CSF and MITRE ATT&CK provide the framework and knowledge, effectively implementing them in complex IT/OT environments often requires the right technology and resources.

When operationalized within an organization that follows this kind of structured approach, Verve® by Rockwell Automation becomes an invaluable OT cybersecurity solution for securing critical infrastructure.

About the Verve by Rockwell Automation Security Center

The Verve by Rockwell Automation Security Center goes beyond asset inventory management and vulnerability management to apply a robust OT Systems Management (OTSM) approach.


ATT&CK-based detection depends on centralized log collection and alerting, which is why SIEM functionality for logging and alerts (Signals) is a significant new feature of the Verve by Rockwell Automation Security Platform. Beyond that, we support a variety of ATT&CK detection use cases and provide additional resources that enable the use of both frameworks to improve your organization's security posture. This includes:

  • Identifying risks and the areas where gaps exist in an organization's coverage across the NIST CSF Functions.
  • Enumerating vulnerabilities and tracking remediation.
  • Creating custom policies to help protect endpoints against specific techniques.
  • Layering compensating controls to reduce the likelihood that an attacker's initial access vector succeeds.
  • Fine-tuning logs, alerts, and SIEM functionality.
  • Creating custom detection "signals" that are grouped by, or keyed to, specific ATT&CK TTPs.
  • Dissecting timelines into the series of events that contributed to an incident.
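To make the last two bullets, and the hypothetical IT-to-OT scenario above, concrete, here is an added example that is not code from the original post or from the Verve platform. It runs two detection rules over a constructed flow log (not real data) for the data-collection workstation in the scenario, tags each finding with the ATT&CK technique IDs the rule evidences, and folds the findings into a timeline for the post-mortem. The flow-log format, the allowlist, the scan threshold, the CSF category tags (DE.CM, RS.AN), and the choice of which technique each rule maps to are all the example's own assumptions.

```python
"""Added example (not from the post or Verve): ATT&CK-tagged detection rules
over a constructed OT flow log, plus a timeline for the post-mortem."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow log (not real data). Fields: timestamp src dst dport proto bytes.
# 10.10.5.23 is the IT data-collection workstation from the scenario; 10.20.1.x are OT hosts.
SAMPLE_FLOWS = """\
2025-05-20T14:01:05Z 10.10.5.23 10.20.1.10 502 tcp 1200
2025-05-20T14:01:06Z 10.10.5.23 10.20.1.11 502 tcp 0
2025-05-20T14:01:06Z 10.10.5.23 10.20.1.12 502 tcp 0
2025-05-20T14:01:07Z 10.10.5.23 10.20.1.13 44818 tcp 0
2025-05-20T14:01:07Z 10.10.5.23 10.20.1.14 44818 tcp 0
2025-05-20T14:01:08Z 10.10.5.23 10.20.1.15 102 tcp 0
2025-05-20T14:03:40Z 10.10.5.23 10.20.1.12 502 tcp 48211
2025-05-20T14:10:00Z 10.10.5.40 10.20.1.10 502 tcp 900
"""

# Standard ports of common ICS protocols; which ones to watch is an assumption.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm/ISO-TSAP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed allowlist: (src, dst, dport) triples the collection workstations may use.
ALLOWED = {("10.10.5.23", "10.20.1.10", 502), ("10.10.5.40", "10.20.1.10", 502)}

SCAN_WINDOW = timedelta(seconds=10)   # assumption
SCAN_THRESHOLD = 4                    # distinct OT hosts on ICS ports inside the window


def parse_flows(text):
    """Parse the whitespace-separated flow records into dicts, oldest first."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return sorted(flows, key=lambda f: f["ts"])


def detect(flows):
    """Apply two rules; each finding carries the ATT&CK techniques it evidences."""
    findings = []
    recent = defaultdict(deque)   # src -> (ts, dst) of its ICS-port flows in the window
    scan_alerted = set()          # alert once per scanning source
    for f in flows:
        if f["dport"] not in ICS_PORTS:
            continue
        # Rule 1: one source sweeping many OT hosts on ICS ports in a short window.
        q = recent[f["src"]]
        q.append((f["ts"], f["dst"]))
        while q and f["ts"] - q[0][0] > SCAN_WINDOW:
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= SCAN_THRESHOLD and f["src"] not in scan_alerted:
            scan_alerted.add(f["src"])
            findings.append({"ts": f["ts"], "src": f["src"], "tactic": "Discovery",
                             "techniques": ["T1046 Network Service Discovery (Enterprise)",
                                            "T0846 Remote System Discovery (ICS)"],
                             "csf": "DE.CM",
                             "evidence": f"{len(hosts)} OT hosts on ICS ports within "
                                         f"{SCAN_WINDOW.seconds}s: {sorted(hosts)}"})
        # Rule 2: an ICS-protocol session that carries data but is not allowlisted.
        if f["bytes"] > 0 and (f["src"], f["dst"], f["dport"]) not in ALLOWED:
            findings.append({"ts": f["ts"], "src": f["src"], "tactic": "Lateral Movement",
                             "techniques": ["T0886 Remote Services (ICS)"],
                             "csf": "DE.CM",
                             "evidence": f"{ICS_PORTS[f['dport']]} session to {f['dst']} "
                                         f"({f['bytes']} bytes) not in allowlist"})
    return findings


def build_timeline(findings):
    """Chronological event list for the post-mortem (feeds CSF RS.AN, Incident Analysis)."""
    return [f"{x['ts']:%Y-%m-%dT%H:%M:%SZ} {x['src']} {x['tactic']}: "
            f"{', '.join(x['techniques'])} | {x['evidence']}"
            for x in sorted(findings, key=lambda x: x["ts"])]


if __name__ == "__main__":
    for line in build_timeline(detect(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

On the constructed data the workstation's sweep of six OT hosts on Modbus, EtherNet/IP and S7 ports fires the Discovery rule at 14:01:07, and its later 48 KB Modbus session to a PLC it is not permitted to poll fires the Lateral Movement rule at 14:03:40; the allowlisted polling at 14:01:05 and 14:10:00 produces nothing. Keying each signal to a technique ID is what lets the timeline be read against the ATT&CK matrix during triage and the post-mortem, and tagging it with the CSF category shows which part of the governance blueprint the signal serves.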

Because Verve by Rockwell Automation installs on commodity systems, communicates natively with a wide catalog of devices, manages patches, and ingests logs from the applicable OT systems, it gives security teams a powerful cybersecurity tool.

Published May 21, 2025

Topics: Build Resilience Cybersecurity
