Skip to content

ICS Inconsistencies

Jump to bottom
Marcus Bakker edited this page Apr 30, 2022 · 2 revisions

In the current ATT&CK release of ICS, there are inconsistencies between the data on the ICS wiki and the STIX objects. Be aware that the ICS data from STIX is leading for DeTT&CT, and thus not the wiki because that cannot be accessed via an API.

ATT&CK ICS

See below the inconsistencies we encountered while developing ATT&CK ICS support for DeTT&CT. We expect this to be resolved in the near future as MITRE is working on further maturing ICS.

Assets

Note that in DeTT&CT we refer to assets as platforms (as is also done in the ICS STIX objects), like we also do for ATT&CK Enterprise.

The ICS wiki lists the following assets:

However, in the STIX objects we can find three additional assets:

  • Device Configuration/Parameters
  • Windows
  • None

Group and Software IDs

The inconsistencies we found in the past for Group and Software IDs have been resolved because ATT&CK for ICS has joined attack.mitre.org.

Overview

  1. Home
  2. Introduction
  3. Installation and requirements
  4. Getting started / How to
  5. Changelog
  6. Future developments
  7. ICS - Inconsistencies

Data sources

  1. Introduction
  2. DeTT&CT data sources
  3. Data sources per platform
  4. Data quality
  5. Scoring data quality
  6. Improvement graph

Visibility Coverage

  1. Introduction
  2. Scoring visibility
  3. Improvement graph

Detection coverage

  1. Introduction
  2. Scoring detection
  3. Improvement graph

Threat actor group mapping

  1. Introduction

YAML administration files

  1. Introduction
  2. Data sources
  3. Techniques
  4. Groups
  5. DeTT&CT Editor
Clone this wiki locally