The Evolving Challenge of Industrial Cyber Risk
For today’s industrial asset owners, quantifying OT cyber risk remains one of the most complex challenges in cybersecurity. Operational Technology (OT) environments—power plants, manufacturing lines, and critical infrastructure—are no longer isolated. Their increasing connectivity to enterprise IT networks expands the attack surface, creating a web of interdependencies that traditional security models fail to quantify.
Executives are demanding evidence-based cybersecurity, asking not only “Are we secure?” but “What’s our financial exposure if we aren’t?” Yet many organizations still lack a structured approach to link vulnerabilities and telemetry data to expected loss or value-at-risk (VaR) metrics that drive board-level decisions.
The release of MITRE ATT&CK v18 (October 2025) marks a major shift. Its expanded ICS/OT framework, new detection strategy model, and improved asset taxonomy now give industrial organizations a richer, data-driven foundation for industrial cyber risk quantification. Combined with platforms like DeNexus DeRISK, these capabilities allow enterprises to transform technical signals into measurable financial risk and actionable investment decisions.
What’s New in MITRE ATT&CK v18 for ICS/OT
- Expanded ICS Asset Model for Real-World Mapping
Version 18 introduces an improved Asset object model that reflects actual OT components—PLCs, historians, gateways, DCS controllers, and more.
This enables vulnerability management for OT with higher fidelity, aligning adversary techniques directly to the physical assets they target.
Impact: More precise modeling of OT networks supports risk-based cybersecurity investments and reduces blind spots in asset-owner risk quantification.
- Detection Strategy Overhaul: From Events to Behaviors
ATT&CK v18 replaces static detection rules with behavioral detection chains, aligning adversary tactics to cause-and-effect telemetry patterns.
Impact: OT defenders can now link behavioral analytics (e.g., “mode changes” or “parameter manipulation”) directly to cyber risk quantification models, refining probability and dwell-time estimates.
- Cross-Domain Integration Between IT and OT
With better mappings between enterprise and industrial matrices, ATT&CK v18 helps model hybrid IT→OT attack paths—a critical capability for manufacturing, energy, and transport sectors.
Impact: Enables comprehensive modeling of multi-domain breaches and supports portfolio-level cyber risk management.
Why This Matters for Industrial Cyber Risk Quantification
These enhancements enable organizations to model OT risks with unprecedented accuracy and business relevance:
- Improved asset fidelity → Models that reflect real control systems (not abstract devices).
- Behavioral path modeling → Better understanding of adversary movement and escalation likelihood.
- Telemetry-based calibration → Quantified visibility gaps and control effectiveness.
- Cross-domain aggregation → Unified modeling of enterprise and OT risk exposures.
- Business alignment → Translating attack likelihoods into financial terms like expected loss and VaR.
This evolution supports a new era of evidence-based cybersecurity, where cyber risk becomes measurable, defensible, and directly tied to operational and financial outcomes.
How DeNexus DeRISK™ Will Leverage ATT&CK v18 to Quantify Industrial Cyber Risk
A Full-Stack Solution to Industrial Cyber Risk
DeRISK™, the cyber risk quantification (CRQ) and quantified vulnerability management (QVM) platform by DeNexus, bridges the gap between cyber operations and financial decision-making for industrial enterprises.
It combines inside-out data (vulnerabilities, telemetry, controls) and outside-in intelligence (threat feeds, industry trends) to model risk in financial terms—calculating expected loss, value-at-risk, and ROI of mitigation strategies.
How ATT&CK v18 Will Enhance DeRISK’s Capabilities
- Asset-specific attack-path mapping: Leveraging v18’s refined ICS taxonomy for precise, equipment-level modeling.
- Behavioral chain analytics: Converting ATT&CK behavioral chains into probabilistic models of compromise and dwell time.
- Detection maturity calibration: DeRISK already integrates telemetry and visibility data to quantify control effectiveness and detection gaps.
- Cross-domain attack modeling: Simulating additional combined IT/OT breach scenarios for holistic portfolio exposure.
- Executive-ready metrics: Outputs board-level cyber risk KPIs that align with CFO and insurer expectations.
Use Case: Quantifying Cyber Risk in Manufacturing
Consider a global manufacturer running PLCs, historians, and SCADA systems.
Using ATT&CK v18, the organization maps each OT asset to corresponding techniques (e.g., Modify Parameter, Alarm Suppression).
By feeding this mapping and telemetry into DeRISK, the company simulates scenarios such as:
- Credential theft leading to parameter modification and production downtime.
- Financial consequences including lost revenue, repair costs, and regulatory penalties.
DeRISK’s modeling then quantifies expected annual loss and risk reduction ROI from specific mitigations—providing the CFO with a data-backed investment case:
“A $250K investment in improved detection analytics reduces our cyber VaR by 35% and pays for itself in 18 months.”
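The calculation behind a statement like this can be sketched as a Monte Carlo simulation over the attack chain. The following is an added example, not DeRISK's model or DeNexus code: the chain steps, success probabilities, detection coverage values, attack frequency and cost figures are all constructed assumptions chosen to show how detection coverage feeds expected annual loss (EAL) and 95% VaR.

```python
import math
import random

# Constructed chain for the use case: (step, success probability if undetected,
# telemetry source that can stop it). All numbers are illustrative assumptions.
CHAIN = [
    ("Credential theft", 0.30, "it_identity"),
    ("Pivot into OT network", 0.50, "ot_network"),
    ("Modify Parameter on PLC", 0.60, "plc_behavior"),
]
BASELINE = {"it_identity": 0.40, "ot_network": 0.20, "plc_behavior": 0.10}
IMPROVED = {"it_identity": 0.40, "ot_network": 0.50, "plc_behavior": 0.60}

ATTEMPTS_PER_YEAR = 6        # assumed attack frequency
REVENUE_PER_HOUR = 50_000    # assumed lost revenue per downtime hour (USD)
REPAIR_COST = 150_000        # assumed fixed repair cost per incident (USD)


def chain_succeeds(rng, coverage):
    """One attempt: every step must succeed and evade detection."""
    for _step, p_success, source in CHAIN:
        if rng.random() >= p_success or rng.random() < coverage[source]:
            return False
    return True


def simulate(coverage, years=20_000, seed=1):
    """Return (expected annual loss, 95% value-at-risk) in USD."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        loss = 0.0
        for _ in range(ATTEMPTS_PER_YEAR):
            if chain_succeeds(rng, coverage):
                hours = rng.lognormvariate(math.log(24), 0.6)  # downtime
                loss += hours * REVENUE_PER_HOUR + REPAIR_COST
        annual.append(loss)
    annual.sort()
    return sum(annual) / years, annual[int(0.95 * years)]


def mitigation_roi(cost):
    """Annual EAL reduction from IMPROVED detection, per dollar spent."""
    eal_before, _ = simulate(BASELINE)
    eal_after, _ = simulate(IMPROVED)
    return (eal_before - eal_after) / cost


if __name__ == "__main__":
    for name, cov in (("baseline", BASELINE), ("improved", IMPROVED)):
        eal, var95 = simulate(cov)
        print(f"{name}: EAL ${eal:,.0f}  VaR95 ${var95:,.0f}")
```

Because most simulated years carry no loss, EAL and VaR95 diverge sharply; raising detection coverage on the OT steps shrinks both, which is the comparison an investment case rests on.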
Action Steps for Industrial Cyber Leaders
- Assess detection maturity: Use detection strategy models to pinpoint missing telemetry.
- Integrate with CRQ tools like DeRISK: Convert technical exposure into financial impact metrics.
- Prioritize based on ROI: Focus budgets on controls with measurable risk-reduction value.
- Report to the board in business terms: Use DeRISK metrics (expected loss, VaR) to justify cybersecurity spend.
Conclusion: Turning Threat Intelligence into Financial Intelligence
MITRE ATT&CK v18 marks a pivotal advancement for industrial cybersecurity. By embedding behavioral detection, refined asset models, and cross-domain mappings, it gives OT leaders the foundation to quantify cyber risk with unprecedented precision.
DeNexus DeRISK takes this further—translating these models into board-level risk metrics that support insurance optimization, regulatory compliance, and risk-based cybersecurity investments.
Ready to quantify your OT cyber risk?
Request a demo of DeRISK QVM to see how industrial cyber risk quantification can drive smarter, more resilient decision-making.