An attack in which the adversary secretly intercepts and possibly alters communications between two devices. In an ICS context, a man-in-the-middle (MitM) attack could mean an attacker positioned in the network between an HMI and a PLC, eavesdropping on or even modifying control commands or sensor values. For instance, they could report normal readings to operators while actually sending dangerous commands to a process. Many ICS protocols lack authentication, which makes MitM easier (the attacker can pose as the PLC to the HMI and vice versa). Defenses include encryption/authentication of communications (when available) and network segmentation to make it hard for an intruder to get into that middle position.
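
An added example, not part of the original entry: the message-authentication defense mentioned above, applied to a constructed Modbus-style write-register command so that a frame altered or replayed between HMI and PLC is rejected. The frame layout, `seal`, `CommandVerifier` and the demo key are assumptions made for illustration, not part of any ICS protocol standard.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
# Assumed layout: counter, unit id, function code, register, value (big-endian)
HEADER = struct.Struct(">IBBHH")


def seal(key: bytes, counter: int, unit: int, register: int, value: int) -> bytes:
    """HMI side: build a write-register command (0x06) and append an HMAC tag."""
    body = HEADER.pack(counter, unit, 0x06, register, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CommandVerifier:
    """PLC side: accept a command only if its tag is valid and its counter is fresh."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) != HEADER.size + TAG_LEN:
            return None
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # altered in transit, or sent by a device without the key
        counter, unit, function, register, value = HEADER.unpack(body)
        if counter <= self._last_counter:
            return None  # replay of an earlier, genuinely tagged command
        self._last_counter = counter
        return {"unit": unit, "function": function, "register": register, "value": value}


def demo():
    key = bytes(range(32))  # constructed demo key; real keys are provisioned per device
    plc = CommandVerifier(key)
    genuine = seal(key, counter=1, unit=1, register=40, value=75)
    # Constructed in-path modification: same frame, value bytes changed to 900.
    altered = genuine[:8] + struct.pack(">H", 900) + genuine[10:]
    return {
        "altered": plc.accept(altered),
        "genuine": plc.accept(genuine),
        "replayed": plc.accept(genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The tag gives integrity and origin authentication only; an eavesdropper can still read the register values, which is why the entry lists encryption alongside authentication.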