Description
While reviewing the generated STIX data for MITRE ATT&CK ICS techniques, I noticed that most attack patterns correctly use the expected external reference format with source_name: "mitre-ics-attack".
However, 12 entries deviate from this convention and instead contain an external reference with:
```json
{
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T0816",
      "external_id": "T0816"
    }
  ]
}
```
This is inconsistent with the rest of the dataset and breaks consumers that rely on a stable source_name for MITRE ICS ATT&CK techniques.
Expected Behavior
All ICS techniques should reference MITRE ATT&CK ICS using:
```json
{
  "source_name": "mitre-ics-attack"
}
```
12 Affected Techniques
| STIX ID | Name |
| --- | --- |
| attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80 | Role Identification |
| attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064 | Data Historian Compromise |
| attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00 | Network Service Scanning |
| attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55 | Serial Connection Enumeration |
| attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a | Location Identification |
| attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541 | Detect Program State |
| attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a | Change Program State |
| attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45 | Control Device Identification |
| attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7 | Program Organization Units |
| attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73 | Engineering Workstation Compromise |
| attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e | Modify Control Logic |
| attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0 | I/O Module Discovery |
Proposed Fix
Standardize the external reference by rewriting the affected objects to use:
```json
{
  "source_name": "mitre-ics-attack"
}
```
If needed, merge or reconcile any mismatching MITRE ATT&CK references before normalization.
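As an added illustration of the proposed fix (example code written for this report, not part of the project), the script below scans a STIX bundle for ICS attack-patterns whose technique reference carries the deviating `source_name`, then normalizes them. It assumes ICS technique IDs have the form `T0xxx`; the bundle, its object IDs and the `T0000` technique ID are constructed sample data, while the `T0816` reference is the one quoted above. A wrong reference whose technique already exists under `mitre-ics-attack` is dropped rather than duplicated, which is the "merge or reconcile" step.

```python
import re

ICS_SOURCE = "mitre-ics-attack"
ENTERPRISE_SOURCE = "mitre-attack"
ICS_ID = re.compile(r"^T0\d{3}$")  # assumption: ICS technique IDs look like T0xxx

# Constructed sample bundle (not the project's data). Object 1 carries the deviating
# reference quoted in the report, object 2 is already correct, and object 3 holds both
# forms of the same (placeholder) technique and must be merged, not duplicated.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
     "external_references": [{"source_name": ENTERPRISE_SOURCE,
                              "url": "https://attack.mitre.org/techniques/T0816",
                              "external_id": "T0816"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
     "external_references": [{"source_name": ICS_SOURCE, "external_id": "T0000"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
     "external_references": [{"source_name": ICS_SOURCE, "external_id": "T0000"},
                             {"source_name": ENTERPRISE_SOURCE, "external_id": "T0000"}]},
]}


def _ics_refs(obj, source):
    """External references of obj that point at an ICS technique under the given source_name."""
    return [r for r in obj.get("external_references", [])
            if r.get("source_name") == source and ICS_ID.match(r.get("external_id", ""))]


def find_mislabelled(bundle):
    """STIX IDs of attack-patterns whose ICS technique reference uses the wrong source_name."""
    return [o["id"] for o in bundle.get("objects", [])
            if o.get("type") == "attack-pattern" and _ics_refs(o, ENTERPRISE_SOURCE)]


def normalize(bundle):
    """Rewrite deviating references in place and return (renamed, merged) counts."""
    renamed = merged = 0
    for obj in bundle.get("objects", []):
        refs = obj.get("external_references")
        if obj.get("type") != "attack-pattern" or not refs:
            continue
        have = {r["external_id"] for r in _ics_refs(obj, ICS_SOURCE)}
        kept = []
        for ref in refs:
            if ref.get("source_name") == ENTERPRISE_SOURCE and ICS_ID.match(ref.get("external_id", "")):
                if ref["external_id"] in have:   # same technique already present: merge
                    merged += 1
                    continue
                ref["source_name"] = ICS_SOURCE  # otherwise rename to the expected source
                have.add(ref["external_id"])
                renamed += 1
            kept.append(ref)
        obj["external_references"] = kept
    return renamed, merged
```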
Impact
Systems or pipelines expecting consistent MITRE ICS reference identifiers may misinterpret or skip these techniques due to the unexpected source_name value.