Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. Device displays may reveal information regarding the ICS process, layout, control, and related schematics. Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices. Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs)”]
Source: https://collaborate.mitre.org/attackics/index.php/Technique/T0852