Description
While reviewing the generated STIX data for MITRE ATT&CK ICS techniques, I noticed that most attack patterns correctly use the expected external reference format with source_name: "mitre-ics-attack".
However, 12 entries deviate from this convention and instead contain an external reference with:
```json
{
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T0816",
      "external_id": "T0816"
    }
  ]
}
```

This is inconsistent with the rest of the dataset and breaks consumers that rely on a stable `source_name` for MITRE ICS ATT&CK techniques.
Expected Behavior
All ICS techniques should reference MITRE ATT&CK ICS using:
```json
{
  "source_name": "mitre-ics-attack"
}
```

12 Affected Techniques
| STIX ID | Name |
|---|---|
| attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80 | Role Identification |
| attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064 | Data Historian Compromise |
| attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00 | Network Service Scanning |
| attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55 | Serial Connection Enumeration |
| attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a | Location Identification |
| attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541 | Detect Program State |
| attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a | Change Program State |
| attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45 | Control Device Identification |
| attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7 | Program Organization Units |
| attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73 | Engineering Workstation Compromise |
| attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e | Modify Control Logic |
| attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0 | I/O Module Discovery |
Proposed Fix
Standardize the external reference by rewriting the affected objects to use:
```json
{
  "source_name": "mitre-ics-attack"
}
```

If needed, merge or reconcile any mismatching MITRE ATT&CK references before normalization.
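A small checker and normalizer for the inconsistency described above, added here as an example and not part of the repository's own tooling. It assumes ICS technique IDs have the form `T0nnn` and runs over a constructed two-object bundle; it rewrites only the `mitre-attack` value reported in this issue and merely reports any other unexpected `source_name`, so mismatches still surface for manual reconciliation.

```python
import copy
import re

EXPECTED = "mitre-ics-attack"  # source_name every ICS technique reference should carry
# Assumption: ICS technique IDs look like T0nnn (optionally T0nnn.nnn for sub-techniques).
ICS_ID = re.compile(r"^T0\d{3}(\.\d{3})?$")

# Constructed sample bundle (not the real dataset): A reproduces the deviation, B conforms.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-00000000aaaa",
         "name": "Constructed ICS technique A",
         "external_references": [{"source_name": "mitre-attack",
                                  "url": "https://attack.mitre.org/techniques/T0816",
                                  "external_id": "T0816"}]},
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-00000000bbbb",
         "name": "Constructed ICS technique B",
         "external_references": [{"source_name": "mitre-ics-attack",
                                  "url": "https://attack.mitre.org/techniques/T0800",
                                  "external_id": "T0800"}]},
    ],
}

def ics_refs(bundle):
    """Yield (object, reference) pairs for every ICS technique external reference."""
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        for ref in obj.get("external_references", []):
            if ICS_ID.match(ref.get("external_id", "")):
                yield obj, ref

def find_inconsistent(bundle):
    """Return (stix_id, external_id) for ICS technique refs whose source_name is not EXPECTED."""
    return [(obj["id"], ref["external_id"])
            for obj, ref in ics_refs(bundle) if ref.get("source_name") != EXPECTED]

def normalize(bundle):
    """Return a deep copy with 'mitre-attack' ICS refs rewritten to EXPECTED, plus the rewrite count."""
    fixed = copy.deepcopy(bundle)
    changed = 0
    for _, ref in ics_refs(fixed):
        if ref.get("source_name") == "mitre-attack":  # only the value reported in the issue
            ref["source_name"] = EXPECTED
            changed += 1
    return fixed, changed
```

Running `find_inconsistent` before and after `normalize` on a real bundle gives a quick regression check that the 12 objects above were rewritten and nothing else was touched.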
Impact
Systems or pipelines expecting consistent MITRE ICS reference identifiers may misinterpret or skip these techniques due to the unexpected source_name value.