mitre-attack / attack-website

MITRE ATT&CK Website
https://attack.mitre.org
Apache License 2.0

Is an ATT&CK ICS STIX bundle in the works? #115

Closed dalton closed 3 years ago

dalton commented 4 years ago

The other ATT&CK technologies have example bundles in https://github.com/mitre-attack/attack-website/tree/master/data/stix . Are there any plans to have one for ICS?

isaisabel commented 4 years ago

Hi @dalton,

ATT&CK for ICS doesn't currently exist in our primary infrastructure (e.g., the STIX bundles, ATT&CK Navigator, inclusion on attack.mitre.org itself instead of the site where it's currently hosted). As it matures we may eventually move it over to the primary infrastructure. We don't have any information on the timeframe of this integration at this moment, but I'll leave this issue open to document the request.

Regarding the STIX bundles, the ATT&CK Website's data/stix folder is actually just a copy of the data found in our MITRE/CTI repo. We recommend using that repo for the ATT&CK data in STIX format because it is the intended source for that data. You can also access that data using our TAXII server.

See our working with attack page and MITRE/CTI's USAGE document for more details about accessing the ATT&CK data programmatically.

dalton commented 4 years ago

Thanks, that response makes a lot of sense. Do you know if the intention is that ATT&CK for ICS will be modeled in STIX? Conceptually it is a great fit for a project I'm working on, but I'm not sure how to model ATT&CK for ICS Assets as STIX objects.

Will specific Assets, such as the Siemens S7 PLCs targeted by PLC-Blaster be representable? The Control Server Asset type seems like a good fit, but what STIX object does this map to?

isaisabel commented 3 years ago

Following up to say that ATT&CK for ICS has been released in STIX on MITRE/CTI. See #272 for the issue for adding ICS to the main website.