Fortifying the Illusion: A Strategic Analysis of Modern Industrial Control System Vulnerabilities and the Case for Preemptive Defense



Executive Summary: The Unraveling of Legacy Security


For decades, the security of industrial control systems (ICS) and operational technology (OT) has rested on a foundation of isolation and perimeter defense. This model, often conceptually represented by the Purdue Model, has provided a sense of security rooted in the belief that a strong perimeter could protect the fragile networks that govern critical infrastructure. However, this foundational blueprint is now an illusion. Modern operational realities—including ubiquitous wireless connectivity, the proliferation of remote, unattended sites, and the increasing convergence of IT and OT networks—have rendered this legacy security model fundamentally inadequate and dangerous. This report provides an authoritative, evidence-based analysis that validates this central thesis.

The illusion of protection is unraveling under the weight of documented threats. Public research from leading security agencies like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and threat intelligence frameworks like MITRE ATT&CK for ICS confirm that the vulnerabilities inherent in legacy architectures are no longer theoretical. They are actively exploited vectors for modern adversaries. The analysis presented herein demonstrates that industrial networks are not only at risk from sophisticated external actors but also from the foundational assumptions of their own security posture.

This report moves beyond problem identification to a strategic solution. It introduces the emerging paradigm of Preemptive Cyber Defense, a philosophy that fundamentally shifts the focus from a reactive "detect-and-respond" model to a proactive one that actively denies, disrupts, and deceives adversaries before an attack can succeed.[1] By synthesizing evidence of modern threat vectors with this forward-looking security model, the analysis offers a new blueprint for securing critical infrastructure. The goal is to move beyond the illusion of protection to a dynamic, resilient, and truly defensible posture for the future.


Section 1: The Outdated Blueprint: Revalidating the Flaws of Legacy ICS Security

1.1 The Erosion of Trust: Reassessing the Purdue Model in an Age of Convergence


The Purdue Model, a framework developed in the 1990s, has long served as the architectural blueprint for segmenting industrial control systems from enterprise IT networks. Its foundational premise was a strict hierarchical structure where industrial operations remained isolated, often via an "air gap," from external business networks.[3] This isolation was once a powerful security control, with physical separation serving as the primary barrier to entry for cyber threats. In that era, the assumption was that the lower levels of the model, particularly Levels 1 and 2 where controllers and field devices reside, operated within a trusted, insulated environment.[1]

However, the rapid and ongoing digital transformation of industrial environments has rendered this assumption obsolete. The rise of the Industrial Internet of Things (IIoT), cloud computing, and the necessity for remote monitoring have created a "fluid, interconnected nature" in modern industrial systems that the Purdue Model's rigid design cannot accommodate.[3] Experts and industry reports confirm that this IT/OT convergence is now the norm; a 2024 SANS survey found that only 8.2% of organizations maintain 100% isolated systems, indicating the pervasive nature of this blurring of boundaries.[3]

This has fundamentally changed the flow of data within industrial environments. The Purdue Model was designed for a vertical, hierarchical communication pattern, where data flowed in a predictable, linear fashion from lower control levels to higher enterprise levels. Today, operations rely on a state of "hyper-convergence" where systems must communicate across traditional layers and with external cloud environments and third-party partners.[3] This horizontal communication directly contradicts the model's vertical structure, creating security "blind spots" that attackers can exploit.[3]

Compounding this architectural conflict is the common reality that network segmentation, while a core principle of the Purdue Model, is often "flat in practice." In many environments, segments are created on paper, but broad communication permissions between them and the management layer still exist.[1] The result is that while the network appears segmented, it functions as a single, flat network where a breach in one area can quickly spread to others. This illusion of security provides attackers with a clear lateral movement path across critical systems. CISA has repeatedly highlighted this risk, documenting incidents where attackers exploited misconfigured segmentation to move from business networks into operational environments.[7]

A simple but critical consequence of this architectural rigidity is the tendency for security policies to clash with operational demands. In the face of time-sensitive production needs, operators often resort to creating policy exceptions or shortcuts to maintain uptime. This introduces human error and unintentional misconfigurations, which undermine the very security the model was intended to provide. The CISA report confirms that these misconfigurations, such as shared local administrator accounts and poor IT-OT segmentation, are not theoretical issues but are found in real-world critical infrastructure environments.[7]
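One way to test whether segmentation is "flat in practice" is to audit the rule set itself for permits that join non-adjacent Purdue levels, or that allow any protocol and port across a level boundary. The Python below is an added example, not from the report or any product; the one-rule-per-line format and the subnet-to-level mapping are constructed assumptions.

```python
"""Audit a segmentation rule set for "flat in practice" permissions.

Added example; not from the report or any vendor product. The rule format
(one rule per line: action src-cidr dst-cidr proto port) and the mapping
of subnets to Purdue levels are constructed assumptions for this example.
"""
import ipaddress

# Constructed: which subnets sit at which Purdue level (assumption).
ZONES = {
    ipaddress.ip_network("10.1.0.0/24"): 1,  # Level 1: PLCs, RTUs, field devices
    ipaddress.ip_network("10.2.0.0/24"): 2,  # Level 2: HMIs, supervisory control
    ipaddress.ip_network("10.3.0.0/24"): 3,  # Level 3: site operations, historian
    ipaddress.ip_network("10.4.0.0/16"): 4,  # Level 4: enterprise IT
}

# Constructed rule set: the kind of ACL that looks segmented "on paper".
SAMPLE_RULES = [
    "permit 10.4.0.0/16 10.1.0.0/24 any any",   # enterprise straight to the PLCs
    "permit 10.3.0.10/32 10.2.0.0/24 tcp 502",  # historian polling supervisory hosts
    "permit 10.2.0.0/24 10.1.0.0/24 any any",   # adjacent levels, but any/any
    "permit 0.0.0.0/0 10.2.0.0/24 tcp 3389",    # RDP into Level 2 from anywhere
    "deny 0.0.0.0/0 0.0.0.0/0 any any",         # catch-all deny, not a finding
]


def parse_rule(line):
    """Split one rule line into its fields; CIDRs become ip_network objects."""
    action, src, dst, proto, port = line.split()
    return {
        "line": line,
        "action": action.lower(),
        "src": ipaddress.ip_network(src),
        "dst": ipaddress.ip_network(dst),
        "proto": proto.lower(),
        "port": port.lower(),
    }


def levels_overlapped(net):
    """Purdue levels a CIDR touches; 0.0.0.0/0 touches every level."""
    return {level for zone, level in ZONES.items() if zone.overlaps(net)}


def classify(rule):
    """Return a finding key for a permit rule, or None if it looks acceptable."""
    if rule["action"] != "permit":
        return None
    src_levels = levels_overlapped(rule["src"])
    dst_levels = levels_overlapped(rule["dst"])
    if not src_levels or not dst_levels:
        return None  # addresses outside the modelled zones are out of scope here
    # An unrestricted source or destination defeats segmentation outright.
    if rule["src"].prefixlen == 0 or rule["dst"].prefixlen == 0:
        return "unrestricted-endpoint"
    # Widest gap between the levels the rule joins; 1 means adjacent levels.
    joined = src_levels | dst_levels
    span = max(joined) - min(joined)
    if span >= 2:
        return "non-adjacent-levels"
    broad = rule["proto"] == "any" or rule["port"] == "any"
    if span == 1 and broad:
        return "broad-adjacent-permit"
    return None


def audit(lines):
    """Return (finding, rule line) pairs for every rule that flattens the network."""
    findings = []
    for line in lines:
        finding = classify(parse_rule(line))
        if finding:
            findings.append((finding, line))
    return findings


if __name__ == "__main__":
    for finding, line in audit(SAMPLE_RULES):
        print(f"{finding:24} {line}")
```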

The table below provides a clear, evidence-based mapping of the Purdue Model's outdated assumptions to the modern realities that have exposed its limitations.


Purdue Model's Outdated Assumption | Modern Reality & Third-Party Validation
---------------------------------- | ---------------------------------------
Air-gapped isolation is the primary security control. | Only 8.2% of organizations maintain 100% isolated systems, with IT/OT convergence now the norm.[3]
Data flows are strictly vertical and hierarchical. | Modern data flows are hyper-converged and horizontal, requiring systems to communicate across layers for data analytics, maintenance, and cloud integration.[3]
Trust is inherent within the network perimeter. | A Zero Trust architecture is now necessary, as every user and device is considered potentially hostile. CISA's findings confirm that external actors can use compromised insiders and valid accounts to move laterally from within the network perimeter.[7]
Segmentation is effective by simply defining levels. | Segmentation is often "flat in practice" with unrestricted lateral movement paths. CISA's cyber threat hunts have explicitly identified poor network segmentation as a leading risk in critical infrastructure.[7]


1.2 The Expanding Perimeter: Quantifying the Reality of Wireless Bleeding


One of the most insidious vulnerabilities introduced by modern operational practices is "wireless bleeding." This phenomenon occurs when Wi-Fi, Bluetooth, and other wireless signals extend far beyond the physical boundaries of a facility, often reaching 150 to 300 feet outside of a controlled area.[1] While this may seem like a minor technical issue, it fundamentally undermines traditional physical and digital perimeter defenses. When networks extend into uncontrolled territory, fences and firewalls lose much of their protective value, providing an attacker with a remote, unassailable pathway for initial access.[1]

This wireless bleed is not just a theoretical problem; it is a weaponized attack vector. The MITRE ATT&CK for ICS framework identifies "Wireless Compromise" (ID: T0860) as a specific technique for gaining initial access to a network from a remote distance.[8] The threat can be launched from a nearby parking lot, a residential area, or a public space, without an attacker ever having to physically breach a fence or door.[1] A powerful example of this is a Russian APT group that used a "Nearest Neighbor Attack" to compromise a target organization by leveraging the wireless network of a separate organization located across the street.[10] The attacker remained on the victim's network for two years before being discovered, demonstrating the stealth and long-term persistence that this vector can enable.

The ubiquity of this threat is further validated by publicly available reconnaissance tools. Attackers can use widely accessible Wi-Fi scanning applications, such as WiGLE, to geographically locate and identify industrial access points.[11] This process transforms a conceptual vulnerability into a targetable, geographically-mappable threat. The research shows that thousands of industrial Wi-Fi access points are publicly exposed, and a significant percentage of those found use weak encryption (WEP/WPA), old Wi-Fi encryption protocols that are no longer considered secure.[11] This reveals a trove of low-hanging fruit for attackers, allowing them to remotely identify and target vulnerable industrial sites with minimal effort. This process of passive, remote reconnaissance fundamentally alters the cyber kill chain, allowing attackers to identify targets and plan attacks without ever setting foot on the premises.
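A defender can run the same kind of survey against their own site to find access points that are observable beyond the fence line or that still use WEP/WPA, and rank them by how far the signal bleeds. The Python below is an added example, not from the report or WiGLE; the plant centroid, fence radius and survey rows are constructed, and the bracketed capability strings follow the style that survey tools export.

```python
"""Flag facility Wi-Fi access points that bleed past the fence or use weak encryption.

Added example; not from the report or any scanning tool. The facility centroid,
fence radius and the CSV rows are constructed; the bracketed capability strings
follow the style that survey tools such as WiGLE export.
"""
import csv
import io
import math

FACILITY_CENTER = (40.71280, -74.00600)  # constructed plant centroid (lat, lon)
FENCE_RADIUS_M = 60.0                    # constructed: centroid-to-fence distance
FEET_PER_METER = 3.28084

# Constructed survey rows: where each AP was observed with usable signal.
SAMPLE_CSV = """mac,ssid,authmode,lat,lon
00:11:22:33:44:01,PLANT-OT,[WPA2-PSK-CCMP][ESS],40.71290,-74.00590
00:11:22:33:44:02,PLANT-SCADA,[WEP][ESS],40.71330,-74.00520
00:11:22:33:44:03,PLANT-HMI,[WPA-PSK-TKIP][ESS],40.71350,-74.00700
00:11:22:33:44:04,PLANT-GUEST,[ESS],40.71275,-74.00610
"""


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def classify_auth(authmode):
    """Map a capability string to 'ok' or a weak-encryption label."""
    caps = authmode.upper()
    if "WPA3" in caps or "SAE" in caps:
        return "ok"
    if "WPA2" in caps and "TKIP" not in caps:
        return "ok"                 # WPA2 with CCMP only
    if "WEP" in caps:
        return "weak:wep"
    if "WPA" in caps:
        return "weak:wpa-tkip"      # WPA1, or WPA2 mixed mode still offering TKIP
    return "weak:open"              # no security capability advertised at all


def audit(csv_text, center=FACILITY_CENTER, radius_m=FENCE_RADIUS_M):
    """Return one dict per AP with its encryption verdict and bleed distance."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dist = haversine_m(center, (float(row["lat"]), float(row["lon"])))
        auth = classify_auth(row["authmode"])
        outside = dist > radius_m
        if outside and auth != "ok":
            priority = "critical"   # reachable from outside and easy to break
        elif outside or auth != "ok":
            priority = "high"
        else:
            priority = "info"
        report.append({
            "mac": row["mac"], "ssid": row["ssid"], "auth": auth,
            "distance_m": round(dist, 1),
            "bleed_ft": round(max(dist - radius_m, 0.0) * FEET_PER_METER, 1),
            "outside_fence": outside, "priority": priority,
        })
    return report


if __name__ == "__main__":
    for ap in audit(SAMPLE_CSV):
        print(ap)
```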


1.3 The Unsecured Edge: A New Frontier for Attackers at Remote Sites


The problem of an expanding perimeter is compounded by the increasing reliance on geographically dispersed, unattended remote sites. Across industries from energy production to water treatment and transportation, these sites are often distant from central control rooms and have minimal physical or cyber protection.[7] These locations are frequently characterized by flat network setups, reliance on unmanaged switches, and a lack of direct oversight, making them a critical vulnerability for industrial organizations.

Publicly documented incidents and official government reports provide irrefutable evidence of this risk. In the 2021 Oldsmar, Florida, water treatment plant attack, a threat actor used unsecured remote access to gain control of a human-machine interface (HMI) and alter the set point for sodium hydroxide to a toxic level.[13] Similarly, a hack of a U.S. wind farm demonstrated how hackers could take control of an entire network of wind turbines using a Raspberry Pi-based card with a cellular module for remote access to programmable automation controllers.[14] These incidents prove that a compromise at an unmanaged remote site is not an isolated event but a potential entry point for attacks on the entire network.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has provided definitive validation of these risks. In a cyber threat hunt at a critical infrastructure organization, CISA analysts explicitly found that the OT environment was misconfigured with poor network segmentation, insecurely stored credentials, and unrestricted remote access for local admin accounts.[7] This demonstrates that the vulnerability of remote sites and the ineffective security measures in place are not theoretical concerns but are actively being identified in real-world critical infrastructure environments.

The true danger of an unsecured remote site lies in how it serves as a trusted pivot point for broader attacks. Because these sites often rely on legacy systems and unmanaged connections, a compromise there can grant an attacker a trusted foothold inside the core network, allowing for unimpeded lateral movement. The MITRE ATT&CK for ICS framework outlines specific techniques, such as "Lateral Tool Transfer" (T0867) and "Remote Services" (T0886), that attackers use to move through a poorly segmented environment.[15] The Colonial Pipeline ransomware attack serves as a chilling example of this principle: the initial foothold was gained through a single compromised VPN account, which then allowed attackers to move laterally, leading to the shutdown of the largest fuel pipeline in the United States.[16] This highlights that a perimeter defense is insufficient, as the most effective attacks now begin from an already-trusted internal or remote location.


Section 2: The Evolving Arsenal: A Deep Dive into Modern Wireless Threats


2.1 Beyond Brute Force: Recent Innovations in Wi-Fi and Bluetooth Hacking

The methods used to compromise wireless networks have evolved far beyond the brute-force attacks of the past. Modern adversaries leverage a sophisticated toolkit that targets the inherent vulnerabilities in wireless protocols themselves, often bypassing the need for user interaction entirely.

A new and alarming class of threats is "zero-click exploits" and "Wi-Fi injection attacks".[2] These are advanced methods of compromising devices without a user having to click a malicious link or open an infected file. A malicious payload can be delivered over a compromised Wi-Fi or Bluetooth network to infect a device, representing a significant escalation beyond traditional social engineering tactics.[2] A notable example of this sophisticated approach is the "Nearest Neighbor Attack," used by a Russian APT group to compromise a victim by leveraging a nearby wireless network.[10] The attack relies on signal manipulation, where a high-gain directional antenna is used to amplify a rogue Wi-Fi signal, tricking devices into connecting.[2] Deauthentication packets are then sent to force devices to disconnect from their legitimate network and reassociate with the rogue access point. Once connected, the attacker acts as a man-in-the-middle to intercept data, inject malware, and establish post-compromise persistence.[2]

This malicious toolkit now includes a variety of covert wireless devices used for persistent access and data exfiltration. Attackers can implant radio frequency (RF) beacons within compromised environments, enabling long-term data theft even after the initial malware is removed.[2] These groups also create hidden Wi-Fi mesh networks using compromised IoT devices to evade traditional security monitoring and strategically deploy rogue Wi-Fi access points near sensitive locations to intercept data.[2] These techniques demonstrate an unprecedented level of sophistication in wireless reconnaissance and exploitation.

Bluetooth has also emerged as a powerful espionage vector. The convenience of Bluetooth Low Energy (BLE) has introduced significant vulnerabilities, including the "SweynTooth" vulnerabilities, which can allow an unauthorized user to wirelessly crash a device or access its functions.[17] These vulnerabilities enable an array of attacks, including device tracking, passive eavesdropping, and man-in-the-middle attacks, which can intercept and manipulate communication between two devices.[18]
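The rogue access point and deauthentication sequence described in this section leaves a detectable footprint: a burst of deauthentication frames carrying the site's own BSSID, followed by beacons for the site's SSID from a BSSID it does not own. The Python below is an added example, not from the report or any WIDS product; the sensor log format, the authorized BSSID list and the frames are constructed, and it assumes a monitor-mode sensor has recorded 802.11 management frames.

```python
"""Detect deauthentication floods and rogue access points from a wireless sensor log.

Added example; not from the report or any WIDS product. The log format, the
authorized BSSID list and the frames themselves are constructed for this example
(a monitor-mode sensor is assumed to have recorded 802.11 management frames).
"""
import re
from collections import defaultdict, deque

# Constructed: SSIDs the facility owns and the BSSIDs allowed to beacon them.
AUTHORIZED_APS = {"PLANT-OT": {"aa:bb:cc:dd:ee:01"}}
DEAUTH_THRESHOLD = 10   # frames within the window before we call it a flood
DEAUTH_WINDOW_S = 5.0   # sliding window length in seconds

# Constructed sensor log line: "<seconds> <DEAUTH|BEACON> <bssid> [ssid=<ssid>]"
FRAME_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<kind>DEAUTH|BEACON) (?P<bssid>[0-9a-f:]{17})"
    r"(?: ssid=(?P<ssid>\S+))?$"
)
SAMPLE_LOG = (
    ["0.50 BEACON aa:bb:cc:dd:ee:01 ssid=PLANT-OT",
     "3.00 DEAUTH aa:bb:cc:dd:ee:01"]                    # one deauth: normal housekeeping
    + [f"{20 + i * 0.1:.1f} DEAUTH aa:bb:cc:dd:ee:01"   # twelve in 1.1 s, spoofing our BSSID
       for i in range(12)]
    + ["21.50 BEACON 02:de:ad:be:ef:01 ssid=PLANT-OT",   # our SSID from a BSSID we do not own
       "22.00 BEACON aa:bb:cc:dd:ee:01 ssid=PLANT-OT"]
)


def detect(lines):
    """Return alerts in the order they fire; each BSSID alerts once per condition."""
    alerts = []
    recent_deauths = defaultdict(deque)   # bssid -> timestamps inside the window
    flooding, rogues = set(), set()
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            continue                      # ignore lines the sensor format does not cover
        ts, bssid = float(m["ts"]), m["bssid"]
        if m["kind"] == "DEAUTH":
            window = recent_deauths[bssid]
            window.append(ts)
            while window and ts - window[0] > DEAUTH_WINDOW_S:
                window.popleft()          # drop frames older than the window
            if len(window) >= DEAUTH_THRESHOLD and bssid not in flooding:
                flooding.add(bssid)
                alerts.append({"kind": "deauth_flood", "bssid": bssid,
                               "ts": ts, "count": len(window)})
        else:
            ssid = m["ssid"]
            legit = AUTHORIZED_APS.get(ssid)
            # A beacon carrying one of our SSIDs from an unknown BSSID is an evil twin.
            if legit is not None and bssid not in legit and bssid not in rogues:
                rogues.add(bssid)
                alerts.append({"kind": "rogue_ap", "bssid": bssid,
                               "ssid": ssid, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single deauthentication at 3.00 s falls out of the window before the burst starts, so it never contributes to the count.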

2.2 A Statistical Imperative: The Frequency and Impact of Wireless Attacks on ICS


The threats identified are not theoretical possibilities but are actively contributing to a dramatic increase in attacks on critical infrastructure. Recent reports quantify an alarming rise in attacks that have direct, physical consequences.[19] In a 2024 analysis, it was found that the number of affected industrial sites more than doubled, with a staggering 146% increase in incidents that led to physical impairments, rising from 412 sites in 2023 to 1,015 sites in 2024.[19] This signals a shift in the nature of attacks, from data exfiltration to sabotage and physical disruption. The manufacturing sector bore the brunt of this escalation, accounting for approximately 70% of all ransomware attacks on industrial organizations.[20]

This threat is further contextualized by the staggering number of exposed industrial networks. A 2024 analysis using publicly available Wi-Fi scanning tools revealed thousands of industrial Wi-Fi access points in critical infrastructure and manufacturing facilities globally.[11] Alarmingly, the findings showed that approximately 20% of these known OT vendor access points were configured with vulnerable encryption, proving that the wireless threat is not just theoretical but widespread and easily targetable.[11] The global industrial cybersecurity market is experiencing significant growth, with a projected value of USD 41.4 billion by 2033, a direct response to the increasing frequency of these cyberattacks.[22] The financial impact of a breach is immense: the average cost of a data breach in 2024 reached USD 4.88 million, with ransomware breaches costing even more.[23]

The table below provides a detailed summary of these modern wireless threats and their documented impact.


Threat Vector | Mechanism | Real-World Context & Impact
------------- | --------- | ---------------------------
Zero-Click Exploits & Wi-Fi Injection | Malicious payloads are delivered over Wi-Fi to infect devices without user interaction, bypassing the need for social engineering.[2] | APT groups use these to deploy spyware like Pegasus and Predator in targeted surveillance campaigns.[2]
Nearest Neighbor Attack | A Russian APT group used this technique to compromise a victim organization by leveraging the wireless network of a nearby organization across the street.[10] | This attack remained undetected for two years, highlighting the threat's stealth and persistence.[10]
Bluetooth Vulnerabilities (e.g., SweynTooth) | Vulnerabilities in Bluetooth Low Energy (BLE) can be exploited for device tracking, passive eavesdropping, and Man-in-the-Middle (MITM) attacks.[18] | FDA warnings have been issued for certain medical devices with Bluetooth vulnerabilities, which could allow unauthorized users to wirelessly crash a device.[17]
Unsecured Wi-Fi APs | Attackers use publicly available tools to geolocate industrial Wi-Fi access points and identify those with weak encryption (WEP/WPA).[11] | An analysis found thousands of exposed industrial Wi-Fi access points globally, with over 20% of known OT vendor access points using vulnerable encryption.[11]
IoT-based Attacks | Threat actors use compromised IoT devices to create hidden Wi-Fi mesh networks that evade security monitoring.[2] | The number of affected sites in OT cyberattacks with physical consequences increased by a staggering 146% in 2024.[19]

Section 3: The Flawed Framework: Why Traditional Zero Trust and Segmentation Are Insufficient for OT


3.1 The Implementation Paradox: The Challenges of Applying IT Frameworks to OT


In response to the failings of legacy perimeter-based security, many organizations have turned to modern IT security frameworks, such as a Zero Trust architecture, to secure their industrial environments. While the principles of Zero Trust—"never trust, always verify" and "least privilege access"—are sound, their application in a complex OT environment introduces an implementation paradox.[24] The inherent differences between IT and OT systems make a one-to-one application of these frameworks a significant challenge, often leading to failure, human error, and a false sense of security.

One of the most significant pitfalls is the tendency to treat Zero Trust as a product rather than a comprehensive security strategy.[26] A successful implementation requires a philosophical shift, not just the deployment of a new tool.[26] The complexity of manual policy maintenance in a large, distributed OT network often leads to a patchwork of exceptions, eroding the security the framework was intended to provide.[1]

The problem is further compounded by the legacy technology gap. Many OT environments contain equipment that was deployed decades ago and remains unpatchable and unsupported.[27] These devices were not designed with security in mind and cannot support the modern agents or protocols required for a traditional, identity-centric Zero Trust model.[27] This reality forces organizations to rely on additional technologies to act as a "security proxy" for these vulnerable assets, adding layers of complexity and potential points of failure.[27]

A critical philosophical conflict also exists between IT's identity-based security and OT's behavioral-based security needs.[27] In IT, security decisions are often based on a user's identity. However, in lower-level OT environments, the concept of a user identity often disappears, as devices like PLCs do not track which user entered a command.[27] Therefore, a Zero Trust for OT policy must evaluate network traffic based on "known good" patterns and device behavior, a concept that many IT-centric solutions fail to grasp.[27] This behavioral approach is essential to ensure that policies do not hinder the continuous, uninterrupted operations that are the top priority in an OT environment.
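A "known good" evaluation at Levels 1 and 2 can be expressed without any user identity: each conversation is a (source, destination, port, operation) tuple with a rate observed during commissioning, and anything new, or faster than that rate, is the alert. The Python below is an added example, not from the report or any vendor; the baseline, the per-minute flow records and the read/write abstraction of the protocol operation are constructed assumptions (a flow collector on a SPAN port is assumed).

```python
"""Evaluate OT conversations against a "known good" behavioural baseline.

Added example; not from the report or any vendor. The baseline, the per-minute
flow records and the read/write abstraction of protocol operations are
constructed assumptions (a flow collector on a SPAN port is assumed).
"""

RATE_TOLERANCE = 1.5   # allow 50% above the commissioned rate before alerting

# Constructed baseline learned during commissioning:
# (src, dst, dport, op) -> maximum operations per minute seen in normal running.
BASELINE = {
    ("10.2.0.10", "10.1.0.5", 502, "read"): 120,   # HMI polls the PLC
    ("10.2.0.10", "10.1.0.5", 502, "write"): 5,    # HMI setpoint changes
    ("10.3.0.20", "10.1.0.5", 502, "read"): 60,    # historian collection
    ("10.2.0.11", "10.1.0.5", 502, "read"): 120,   # engineering workstation, read-only
}

# Constructed flow records: "<minute> <src> <dst> <dport> <op> <count>"
SAMPLE_FLOWS = """\
1 10.2.0.10 10.1.0.5 502 read 118
1 10.2.0.10 10.1.0.5 502 write 2
1 10.3.0.20 10.1.0.5 502 read 60
1 10.2.0.11 10.1.0.5 502 read 115
2 10.2.0.10 10.1.0.5 502 read 119
2 10.2.0.11 10.1.0.5 502 write 3
2 10.3.0.20 10.1.0.5 502 read 240
2 10.4.0.50 10.1.0.5 502 read 4
"""


def parse_flows(text):
    """Yield (minute, conversation key, count) for each aggregated flow record."""
    for line in text.splitlines():
        minute, src, dst, dport, op, count = line.split()
        yield int(minute), (src, dst, int(dport), op), int(count)


def evaluate(text, baseline=BASELINE):
    """Return alerts for conversations outside the baseline or above its rate."""
    alerts = []
    for minute, key, count in parse_flows(text):
        allowed = baseline.get(key)
        if allowed is None:
            # There is no user to consult at this level: a never-seen
            # (src, dst, op) is the signal, and a new writer is the worst case.
            severity = "high" if key[3] == "write" else "medium"
            alerts.append({"minute": minute, "kind": "unknown_conversation",
                           "severity": severity, "key": key})
        elif count > allowed * RATE_TOLERANCE:
            # Known pair, but the rate is far outside what commissioning saw.
            alerts.append({"minute": minute, "kind": "rate_anomaly",
                           "severity": "medium", "key": key,
                           "count": count, "baseline": allowed})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(alert)
```

Minute 1 is silent; in minute 2 the read-only workstation starts writing, the historian polls four times faster than commissioned, and an enterprise host that has never spoken to the PLC appears.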


3.2 The CISA & MITRE ATT&CK Perspective: Public Validation of Critical Gaps


The challenges of applying IT-centric security frameworks to OT are not just academic discussions; they are validated by definitive findings from government agencies and threat intelligence frameworks. CISA has conducted real-world threat hunts that explicitly identify and document critical gaps in critical infrastructure organizations. In a 2024 assessment, CISA found several misconfigurations, including poor network segmentation, insecurely stored credentials, and unrestricted remote access for shared local admin accounts.[7] These findings demonstrate that a theoretical security posture often fails to materialize in practice.

These CISA findings directly correlate with the tactics and techniques documented in the MITRE ATT&CK for ICS framework. The framework's "Lateral Movement" tactic (ID: TA0109) details how adversaries use vulnerabilities to enter and control remote systems and move laterally across networks.[15] The specific techniques identified, such as "Valid Accounts" (ID: T0859) and "Exploitation of Remote Services" (ID: T0866), are a direct consequence of the issues identified by CISA.[15] An attacker can steal credentials for a specific user or service account, and once they have a "valid account," they can use it to bypass access controls and move laterally without triggering traditional perimeter defenses.

The Colonial Pipeline attack serves as a definitive example of this. The initial entry point was a single compromised VPN account, which provided the attacker with a trusted, internal foothold.[16] This compromised credential then became a "valid account" that allowed the attacker to move laterally throughout the network, ultimately leading to a catastrophic shutdown.[16] This documented chain of events highlights a crucial point: a perimeter-focused defense is no longer sufficient. Attackers are successfully leveraging the vulnerabilities of insecure remote access and poor segmentation to turn a compromised credential into a network-wide security event, a problem that traditional, IT-centric Zero Trust and segmentation frameworks fail to fully address.

The table below provides a powerful, high-level validation of the report's central arguments by mapping them directly to external research and expert commentary.


Core Argument from The Illusion of Protection | Supporting Public Source & Key Finding | Citation
--------------------------------------------- | -------------------------------------- | --------
Flawed Purdue Model Assumptions | A 2024 SANS survey found that only 8.2% of organizations maintain 100% isolated systems, proving the Purdue Model's core assumption is now obsolete. | [3]
Wireless Bleeding Endangers ICS | MITRE ATT&CK for ICS identifies "Wireless Compromise" (T0860) as a specific technique for gaining initial access to a network from a remote distance. | [8]
Remote Site Gaps are a Critical Risk | The Oldsmar, Florida, water treatment plant attack demonstrated how an attacker exploited unsecured remote access to gain control of a critical HMI and alter a process set point. | [13]
Poor Segmentation is a Leading Vulnerability | CISA's cyber threat hunts in critical infrastructure organizations explicitly documented poor network segmentation and insecurely stored credentials as leading causes of compromise. | [7]


Section 4: The Strategic Differentiator: From "Illusion" to "Preemption"


4.1 The Strategic Pivot: Shifting from Reactive Defense to a Preemptive Model


The analysis confirms that the "illusion of protection" is a direct result of relying on an outdated, reactive security model. Traditional "detect-and-respond" methodologies and fixed defenses, such as firewalls and intrusion detection systems, have become fundamentally inadequate against modern adversaries.[1] This reliance on static, predictable defenses provides attackers with a clear roadmap to navigate a network, bypass its fixed barriers, and execute a methodical, phased attack.[1] The challenge is not merely to deploy more tools but to adopt a new security philosophy that moves beyond simply building taller walls.

This new philosophy is a paradigm-shifting approach known as Preemptive Cyber Defense. Unlike a reactive model that waits for an attack to happen, a preemptive model aims to neutralize threats before they can materialize into a successful attack.[1] This strategy is defined by three core principles: actively denying attackers the opportunity to initiate attacks, disrupting ongoing attacks as they occur, and deceiving adversaries to divert them from critical assets.[1]

A central and paradoxical innovation of this approach is to intentionally and intelligently "increase the perceived attack surface" to mislead and confuse an adversary, thereby protecting the actual assets.[1] This is accomplished by deploying a vast, unpredictable layer of deceptive elements, such as fake responders, decoys, and sirens, across both IT and OT environments. This expansion makes the network appear far larger and more complex than it actually is, creating a "target-rich" but "unreliable" environment for adversaries. This strategy strategically targets the earliest stages of the cyber kill chain—reconnaissance and initial access—by rendering an attacker's intelligence gathering futile and forcing them to deplete their resources and reveal their methods.[1]


4.2 A New Narrative: Aligning Your Arguments with a Proactive Solution


The vulnerabilities identified in this report—the failings of the Purdue Model, the risks of wireless bleeding, and the gaps at remote sites—are all problems that a preemptive defense is purpose-built to solve. By adopting this new philosophy, an organization can transform the narrative from one of a vulnerable, reactive defense to one of a dynamic, proactive, and resilient security posture.

A new answer for the Purdue Model gap can be found in a preemptive defense that is agentless and purpose-built for OT realities.[1] Unlike a manual, IT-centric Zero Trust approach, a preemptive solution can provide the behavioral-based enforcement and visibility needed at Levels 1 and 2 of the Purdue Model without the operational friction or human error. Because the technology can simulate critical OT assets and protocols, any interaction with a deceptive device is, by its very nature, an unauthorized and malicious act that instantly triggers a high-fidelity alert.[1] This allows for the real-time, behavioral-based detection and evaluation that traditional frameworks lack.

A preemptive approach also provides a new solution for the challenges of wireless bleeding. By deploying deception at the network edge, a preemptive solution can confuse and contain threats that exploit wireless vulnerabilities before they can move laterally.[1] An adversary who gains a foothold via a wireless signal will find themselves in a virtual minefield of false targets, unable to map the true network topology or find and exploit legitimate assets.[1] This active deception layer neutralizes the threat before it can pivot, providing a powerful and proactive countermeasure to a threat vector that bypasses traditional perimeter defenses.

Finally, a preemptive, distributed architecture provides a new and effective approach to securing remote sites. By deploying autonomous, ruggedized devices at these unattended locations, an organization can ensure that threats are contained at the source, without waiting for central intervention.[1] If an attacker attempts to breach a remote site, the device can instantly and autonomously block the malicious source locally at "wire speed," and then synchronize this new blacklist rule with a central management unit.[1] This instantaneous, network-wide containment prevents any lateral movement or subsequent attempts by the threat to infect other systems, stopping the attack before it can cause a widespread event. This provides a measurable and scalable answer to the long-standing challenge of securing the unmanaged edge of the network.


Conclusion & Strategic Recommendations


The analysis presented in this report confirms that the threats identified in "The Illusion of Protection..." are not just real, but are documented, accelerating, and foundational to the current threat landscape. The vulnerabilities inherent in a legacy, perimeter-based security model are now actively exploited vectors, as confirmed by agencies like CISA and frameworks like MITRE ATT&CK for ICS. The increasing reliance on wireless technology and unmanaged remote sites has created a continuously expanding and target-rich attack surface that legacy security cannot address.

For security leaders and risk managers, the primary recommendation is to recognize that achieving true cyber resilience requires a fundamental shift in strategy. It is no longer sufficient to patch an outdated blueprint or to incrementally upgrade existing tools with IT-centric frameworks that are incompatible with OT realities. The evidence suggests that a reactive, "detect-and-respond" model, even with sophisticated tools, is simply not fast or agile enough to stop modern threats that can move at machine speed.

The path forward lies in the adoption of a new security paradigm: Preemptive Cyber Defense. This approach moves beyond the limitations of reactive security by actively and autonomously denying, disrupting, and deceiving adversaries at the earliest stages of an attack. It is an agentless, non-disruptive, and scalable solution that is purpose-built to address the unique challenges of the OT environment, from unpatchable legacy systems to geographically dispersed remote sites. By making the network a dynamic, unpredictable, and hostile environment for an attacker, a preemptive defense can stop threats before they succeed. It is not merely a tool but a foundational platform for a new era of proactive security, forcing the attacker to play on a field where the rules are constantly changing and their reconnaissance is rendered obsolete.

Works cited

  1. The Illusion of Protection_ Why Wireless Bleeding, Remote Site Gaps, and Flawed Purdue Model Assumptions Endanger Industrial Control Systems.pdf

  2. Top Wireless-Enabled Threats in 2025 - Bastille Networks, accessed August 17, 2025, https://bastille.net/wp-content/uploads/Top-Wireless-Enabled-Threats-in-2025-1.pdf

  3. Is It Time to Rethink the Purdue Model? | Nexus, accessed August 17, 2025, https://nexusconnect.io/articles/is-it-time-to-rethink-the-purdue-model

  4. Is the Purdue Model for operational technology security outdated? - Acronis, accessed August 17, 2025, https://www.acronis.com/en-sg/blog/posts/is-the-purdue-model-for-operational-technology-security-outdated/

  5. Purdue Model Limitations and Alternatives for ... - Trout Software, accessed August 17, 2025, https://www.trout.software/resources/tech-blog/purdue-model-limitations-and-alternatives-for-modern-ot

  6. Network Segmentation in OT Environments - Blog Trout, accessed August 17, 2025, https://www.trout.software/fr/resources/tech-blog/common-segmentation-mistakes-in-ics-projects

  7. CISA identifies OT configuration flaws during cyber threat hunt at ..., accessed August 17, 2025, https://industrialcyber.co/cisa/cisa-identifies-ot-configuration-flaws-during-cyber-threat-hunt-at-critical-infrastructure-organization-lists-cyber-hygiene/

  8. Wireless Compromise, Technique T0860 - ICS | MITRE ATT&CK®, accessed August 17, 2025, https://attack.mitre.org/techniques/T0860/

  9. Wi-Fi communications in ICS | INCIBE-CERT, accessed August 17, 2025, https://www.incibe.es/en/incibe-cert/blog/wi-fi-communications-ics

  10. How Wireless Threats Endanger Government and Critical Infrastructure - CPO Magazine, accessed August 17, 2025, https://www.cpomagazine.com/cyber-security/how-wireless-threats-endanger-government-and-critical-infrastructure/

  11. Wi-Fi Exposure in OT Environments - OTORIO, accessed August 17, 2025, https://www.otorio.com/blog/wi-fi-exposure-in-ot-environments/

  12. Top 10 most common vulnerabilities in Industrial Control Systems ICS - negg Blog, accessed August 17, 2025, https://negg.blog/en/top-10-most-common-vulnerabilities-in-industrial-control-systems-ics/

  13. Excerpt #5: Industrial Cybersecurity Case Studies and Best Practices, accessed August 17, 2025, https://gca.isa.org/blog/excerpt-5-industrial-cybersecurity-case-studies-and-best-practices

  14. Real-Life Industrial IoT Cyberattack Scenarios - EE Times Europe, accessed August 17, 2025, https://www.eetimes.eu/real-life-industrial-iot-cyberattack-scenarios%EF%BB%BF/

  15. Lateral Movement, Tactic TA0109 - ICS | MITRE ATT&CK®, accessed August 17, 2025, https://attack.mitre.org/tactics/TA0109/

  16. Colonial Pipeline ransomware attack - Wikipedia, accessed August 17, 2025, https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack

  17. FDA Informs Patients, Providers and Manufacturers About Potential Cybersecurity Vulnerabilities in Certain Medical Devices with Bluetooth Low Energy, accessed August 17, 2025, https://www.fda.gov/news-events/press-announcements/fda-informs-patients-providers-and-manufacturers-about-potential-cybersecurity-vulnerabilities-0

  18. Vulnerabilities and Attacks on Bluetooth LE Devices—Reviewing Recent Info - Technical Articles - All About Circuits, accessed August 17, 2025, https://www.allaboutcircuits.com/technical-articles/vulnerabilities-and-attacks-on-bluetooth-le-devicesreviewing-recent-info/

  19. The 2025 OT Cyber Threat Report | Waterfall Security Solutions, accessed August 17, 2025, https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/2025-threat-report-ot-cyberattacks-with-physical-consequences/

  20. The 2025 Dragos OT Cybersecurity Year in Review is Coming Soon, accessed August 17, 2025, https://www.dragos.com/blog/the-2025-dragos-ot-cybersecurity-year-in-review-is-coming-soon/

  21. Dragos Industrial Ransomware Analysis: Q4 2024, accessed August 17, 2025, https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q4-2024/

  22. Industrial Cybersecurity Market Size, Share | CAGR of 9.0%, accessed August 17, 2025, https://market.us/report/industrial-cybersecurity-market/

  23. 157 Cybersecurity Statistics and Trends [updated 2024] - Varonis, accessed August 17, 2025, https://www.varonis.com/blog/cybersecurity-statistics

  24. Zero Trust & Enforcing OT Security Inside the Perimeter - Industrial Defender, accessed August 17, 2025, https://www.industrialdefender.com/blog/zero-trust-enforcing-ot-security-inside-the-perimeter

  25. Why is Zero Trust Access important in OT? - SSH Communications Security, accessed August 17, 2025, https://www.ssh.com/academy/operational-technology/why-is-zero-trust-access-important-in-ot

  26. Six Common Pitfalls to Avoid When Implementing a Zero Trust Model, accessed August 17, 2025, https://blog.wei.com/six-common-pitfalls-to-avoid-when-implementing-a-zero-trust-model

  27. Is Zero Trust the Right Choice for Operational Technology (OT)?, accessed August 17, 2025, https://instasafe.com/blog/is-zero-trust-right-choice-for-ot/

  28. Best Practices for MITRE ATT&CK Mapping - CISA, accessed August 17, 2025, https://www.cisa.gov/sites/default/files/2023-01/Best%20Practices%20for%20MITRE%20ATTCK%20Mapping.pdf