ICS Inconsistencies
In the current ATT&CK release of ICS, there are inconsistencies between the data on the ICS wiki and the STIX objects. Be aware that the ICS data from STIX is leading for DeTT&CT, and thus not the wiki because that cannot be accessed via an API.
See below the inconsistencies we encountered while developing ATT&CK ICS support for DeTT&CT. We expect this to be resolved in the near future as MITRE is working on further maturing ICS.
Note that in DeTT&CT we refer to assets as platforms (as is also done in the ICS STIX objects), like we also do for ATT&CK Enterprise.
The ICS wiki lists the following assets:
- Control Server
- Data Historian
- Engineering Workstation
- Field Controller/RTU/PLC/IED
- Human-Machine Interface
- Input/Output Server
- Safety Instrumented System/Protection Relay
However, in the STIX objects we can find three additional assets:
- Device Configuration/Parameters
- Windows
- None
The inconsistencies we found in the past for Group and Software IDs have been resolved because ATT&CK for ICS has joined attack.mitre.org.
- Home
- Introduction
- Installation and requirements
- Getting started / How to
- Changelog
- Future developments
- ICS - Inconsistencies
- Introduction
- DeTT&CT data sources
- Data sources per platform
- Data quality
- Scoring data quality
- Improvement graph