MITRE ACID detects threats in OT

MITRE ACID is an open-source tool for threat detection in OT environments. Its indicators are built on ATT&CK for ICS, and it currently supports S7, EtherNet/IP (CIP) and BACnet.

ACID is essentially a collection of detection indicators developed specifically for OT protocols. Each indicator is mapped to the widely used ATT&CK framework for industrial control systems (ICS), which gives security teams a common language for identifying and communicating threats precisely.

A main goal of ACID is to improve visibility into OT network traffic, with particular attention to configuration management and other security-critical activities. ACID runs on the network monitoring platform Zeek (formerly known as Bro), which reports indicator matches as findings so that potential security incidents can be acted on quickly.

In its current version, ACID supports S7, EtherNet/IP with CIP, and BACnet. That already covers a large share of the protocols used in industrial networks, and MITRE plans to add support for further protocols.

A distinctive feature of ACID is that it can be adapted to a specific environment through the MITRE Defensive OT Signatures (mDOTS). Operators can tune the detection logic to their own needs and to the technologies they actually deploy.
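To make the approach above concrete (protocol indicators tagged with ATT&CK for ICS technique IDs, evaluated over Zeek-style log records, and tuned per site), here is an added example written for this article. It is not ACID's code and does not reproduce ACID's indicator catalogue or the mDOTS format; the indicator set, the log field names `proto`, `function` and `service`, the sample log lines and the engineering-host allowlist are all constructed for illustration. The technique IDs are public ATT&CK for ICS IDs, the S7comm function codes and CIP service codes are the standard protocol values, and `id.orig_h`/`id.resp_h` follow Zeek's connection-id field naming.

```python
"""Indicator matching in the style described above: protocol-level indicators,
each tagged with an ATT&CK for ICS technique ID, evaluated over Zeek-style
JSON log records.  Added example; this is not ACID's code and does not
reproduce its indicator catalogue or the mDOTS format."""
import json
from dataclasses import dataclass
from typing import Callable

# Public ATT&CK for ICS technique IDs referenced by the indicators below.
T_CHANGE_MODE = "T0858"        # Change Operating Mode
T_PROGRAM_DOWNLOAD = "T0843"   # Program Download
T_PROGRAM_UPLOAD = "T0845"     # Program Upload
T_MODIFY_PARAMETER = "T0836"   # Modify Parameter
T_DEVICE_RESTART = "T0816"     # Device Restart/Shutdown

# S7comm function codes (values as decoded by common S7comm dissectors).
S7_WRITE_VAR = 0x05
S7_DOWNLOAD = {0x1A, 0x1B, 0x1C}   # request download, download block, download ended
S7_UPLOAD = {0x1D, 0x1E, 0x1F}     # start upload, upload, end upload
S7_PLC_CONTROL, S7_PLC_STOP = 0x28, 0x29

# CIP common service codes.
CIP_RESET, CIP_START, CIP_STOP = 0x05, 0x06, 0x07
CIP_SET_ATTRIBUTE_SINGLE = 0x10


@dataclass(frozen=True)
class Indicator:
    name: str
    technique: str
    protocol: str                    # value of the assumed "proto" log field
    match: Callable[[dict], bool]    # predicate over one log record


# Hypothetical indicator catalogue (an assumption, not ACID's own indicators).
INDICATORS = [
    Indicator("s7_plc_stop_or_control", T_CHANGE_MODE, "s7comm",
              lambda r: r["function"] in (S7_PLC_CONTROL, S7_PLC_STOP)),
    Indicator("s7_program_download", T_PROGRAM_DOWNLOAD, "s7comm",
              lambda r: r["function"] in S7_DOWNLOAD),
    Indicator("s7_program_upload", T_PROGRAM_UPLOAD, "s7comm",
              lambda r: r["function"] in S7_UPLOAD),
    Indicator("s7_write_var", T_MODIFY_PARAMETER, "s7comm",
              lambda r: r["function"] == S7_WRITE_VAR),
    Indicator("cip_start_stop", T_CHANGE_MODE, "cip",
              lambda r: r["service"] in (CIP_START, CIP_STOP)),
    Indicator("cip_reset", T_DEVICE_RESTART, "cip",
              lambda r: r["service"] == CIP_RESET),
    Indicator("cip_set_attribute", T_MODIFY_PARAMETER, "cip",
              lambda r: r["service"] == CIP_SET_ATTRIBUTE_SINGLE),
]


def parse_zeek_json(text: str) -> list[dict]:
    """Parse Zeek's JSON-lines log format (one JSON object per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(records: list[dict], engineering_hosts: set[str]) -> list[dict]:
    """Run every indicator over every record.

    engineering_hosts plays the role of per-site tuning: hosts that are
    expected to download programs or change PLC mode still produce a
    finding, but at "notice" rather than "alert" severity, so the
    generic catalogue does not have to be edited for each plant.
    """
    findings = []
    for rec in records:
        for ind in INDICATORS:
            if rec.get("proto") != ind.protocol:
                continue
            try:
                if not ind.match(rec):
                    continue
            except KeyError:          # record lacks the field the indicator needs
                continue
            src = rec["id.orig_h"]    # Zeek connection-id naming: originator address
            findings.append({
                "ts": rec["ts"],
                "indicator": ind.name,
                "technique": ind.technique,
                "src": src,
                "dst": rec["id.resp_h"],
                "severity": "notice" if src in engineering_hosts else "alert",
            })
    return findings


# Constructed sample log (not real captures). Field names "proto", "function"
# and "service" are assumptions for this example.
SAMPLE_LOG = """\
{"ts":1700000000.1,"id.orig_h":"10.0.10.5","id.resp_h":"10.0.20.11","proto":"s7comm","function":4}
{"ts":1700000000.2,"id.orig_h":"10.0.10.5","id.resp_h":"10.0.20.11","proto":"s7comm","function":26}
{"ts":1700000001.3,"id.orig_h":"10.0.99.77","id.resp_h":"10.0.20.11","proto":"s7comm","function":41}
{"ts":1700000002.0,"id.orig_h":"10.0.99.77","id.resp_h":"10.0.20.30","proto":"cip","service":16}
{"ts":1700000003.0,"id.orig_h":"10.0.10.5","id.resp_h":"10.0.20.30","proto":"cip","service":14}
"""
ENGINEERING_HOSTS = {"10.0.10.5"}   # assumed engineering workstation


def run_sample() -> list[dict]:
    return evaluate(parse_zeek_json(SAMPLE_LOG), ENGINEERING_HOSTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['severity']:6} {f['technique']} {f['indicator']:24} "
              f"{f['src']} -> {f['dst']}")
```

On the constructed sample, the read (function 0x04) and the CIP Get_Attribute_Single (0x0E) produce nothing; the program download from the allowlisted workstation is reported as a notice, while the PLC stop (0x29) and the CIP Set_Attribute_Single (0x10) from an unknown host are reported as alerts. Keeping site-specific knowledge (which hosts may program controllers) separate from the indicator catalogue is the same separation the article describes between ACID's indicators and their mDOTS tuning.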

MITRE stresses that ACID is an open-source project under active development and explicitly invites collaboration and feedback from the community.

For operators of industrial control systems, ACID offers a way to raise their security posture: it provides deeper insight into what happens inside OT networks and helps detect potential weaknesses early. As with any Zeek-based detection, it only sees traffic that reaches a monitored tap or SPAN port, so sensor placement within the OT network determines what it can observe.

With ACID, MITRE marks an important milestone in the development of security tooling for industrial environments. It remains to be seen how the tool proves itself and evolves in practice.