mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Platform set to "None" in ICS #195

Closed pljoel closed 2 years ago

pljoel commented 2 years ago

Hi MITRE,

Thanks for maintaining this awesome repo!  

I noticed that some ICS ATT&CK techniques have the platform list items set to "None" rather than being empty. Eg.: "x_mitre_platforms": [ "None" ] instead of "x_mitre_platforms": [].

Is having "None" in the list a bug or expected? It would make handling the data easier if the x_mitre_platforms list was empty, although the ATT&CK website wouldn't show the platform field anymore unless we change its logic (ATT&CK website HTML technique logic).  

See ICS techniques with x_mitre_platforms with "None" item:

  1. T0887
  2. T0831
  3. T0837
  4. T0815
  5. T0880
  6. T0828
  7. T0817
  8. T0879
  9. T0827
  10. T0826
  11. T0882
  12. T0884
  13. T0813

chrisontay commented 2 years ago

Hi @pljoel,

Having "None" in the "x_mitre_platforms" field is expected behavior. Like you mentioned, if the platform field was empty, then both the website and ATT&CK navigator wouldn't show the technique.

The platforms tag for ICS techniques is a bit different from traditional Enterprise techniques. Before the ICS matrix was transitioned to the main ATT&CK website, the platforms on the ICS wiki were referred to as Assets. We didn't have a STIX representation for assets, so we associated assets with x_mitre_platforms.

To answer your question more specifically though, the ICS techniques you listed don't have platforms/assets that we can point back to from a defender's perspective vs. a technique like T0840, which has Human-Machine Interface since that behavior typically happens on HMIs.

Hope this helps!

pljoel commented 2 years ago

Thanks for your answer @chrisante7 ! I will update my scripts and filter out the "None" items knowing that.

Thanks again!
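A consumer-side normalisation of the convention discussed in this thread (the `["None"]` placeholder in `x_mitre_platforms`), as an added example that is not code from the thread or from mitre/cti. The bundle below is constructed; the `source_name` value `mitre-ics-attack` and the `T0000` ID are assumptions, and the helper names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a STIX 2.0 bundle of ICS attack-pattern
# objects. UUIDs, names and the T0000 ID are placeholders, not repository
# content; T0887 and T0840 are the technique IDs named in the thread, and the
# "mitre-ics-attack" source_name is an assumption about the ICS references.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
         "name": "Placeholder-platform technique", "x_mitre_platforms": ["None"],
         "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0887"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
         "name": "HMI technique", "x_mitre_platforms": ["Human-Machine Interface"],
         "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0840"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
         "name": "Empty-list technique", "x_mitre_platforms": [],
         "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0000"}]},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000004",
         "relationship_type": "uses", "source_ref": "intrusion-set--x", "target_ref": "attack-pattern--x"},
    ],
})

def attack_id(obj):
    """Return the ATT&CK external ID (e.g. T0887) of an attack-pattern, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name", "").startswith("mitre-") and "external_id" in ref:
            return ref["external_id"]
    return None

def effective_platforms(obj):
    """Platforms as a consumer should read them: the repository's "None"
    placeholder means 'no asset/platform to point back to', so it is dropped."""
    return [p for p in obj.get("x_mitre_platforms", []) if p != "None"]

def uses_none_placeholder(obj):
    """True only for the exact ["None"] convention, which keeps the field present
    (and the technique visible on the website) rather than leaving it empty."""
    return obj.get("x_mitre_platforms") == ["None"]

def index_by_platform(bundle_json):
    """Map each effective platform to sorted technique IDs; techniques with no
    effective platform (placeholder or empty list) land under "<no platform>"."""
    index = defaultdict(set)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        for platform in effective_platforms(obj) or ["<no platform>"]:
            index[platform].add(attack_id(obj))
    return {platform: sorted(ids) for platform, ids in index.items()}

if __name__ == "__main__":
    print(index_by_platform(SAMPLE_BUNDLE))
```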