MITRE ATT&CK® Mitigation

M0817: Supply Chain Management

Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.

ICS | M0817 | Mitigation | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Supply Chain Management matters because ICS environments can inherit risk before equipment, software, or workflows ever reach the site. The ATT&CK relationship here is specific: this mitigation is intended to reduce exposure to Supply Chain Compromise, where manipulated products or delivery mechanisms may create a path into control systems once introduced. For leaders, the decision value is whether procurement, engineering, security, and operations can prove that devices and components come from trusted suppliers and are tested for integrity before deployment.

Executive priority

Treat this as a resilience and governance control, not only a procurement checklist. Executives should ask whether the organization has documented supply chain policies, supplier trust criteria, and integrity testing evidence for ICS devices and components. This supports risk-based purchasing, incident decision-making when supplier trust is questioned, and compliance alignment with the referenced NIST SP 800-53 controls SA-12 and SR-1. The priority is highest where unverified products or software can enter control systems with limited opportunity for later inspection.

Technical view

MITRE provides this as an ICS mitigation for Supply Chain Compromise, with no ATT&CK detection text, platforms, or tactics specified. SOC, IR, OT engineering, and governance teams should therefore validate the control through process and asset evidence: supplier approval records, component provenance, acceptance testing, integrity verification results, and change records for devices or software introduced into the control systems environment. Detection engineering should not assume runtime telemetry alone will cover this behavior; the key validation point is whether pre-deployment and receiving controls produce auditable evidence that can be correlated during investigations.

Likely telemetry

  • Approved supplier and procurement records
  • Device and component provenance documentation
  • Receiving, staging, and acceptance test records
  • Software, firmware, or component integrity verification results where available
  • Asset inventory and change management records for newly introduced ICS devices or software

Detection direction

  • Because official detection guidance is not provided, frame coverage as control validation and investigation readiness rather than guaranteed alerting.
  • Validate that new or changed ICS assets can be traced back to supplier, delivery path, testing status, and approval history.
  • Tune SOC and IR playbooks to request procurement and integrity-testing evidence when investigating suspicious newly installed or recently updated control system components.
  • Watch for blind spots where engineering teams, vendors, or integrators introduce components outside centralized procurement or change management.
  • Account for false assurance: an approved supplier list is not equivalent to verified integrity testing of delivered devices, software, or components.
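
The traceability check described in the list above, as an added example (not Glexia's or MITRE's code). Every record, field name, supplier name and firmware image is constructed for illustration; the point is that an asset from an approved supplier still fails validation when no integrity result exists or the delivered image does not match the supplier's published digest.

```python
"""Control-validation sketch: trace ICS assets back to supply chain evidence."""
import hashlib

# Constructed sample data; every name and value below is illustrative.
APPROVED_SUPPLIERS = {"Acme Controls", "Northwind Automation"}
FIRMWARE_IMAGES = {  # bytes standing in for images captured at receiving
    "PLC-014": b"constructed firmware image A",
    "RTU-007": b"constructed firmware image B (altered in transit)",
}
SUPPLIER_MANIFEST = {  # digests the supplier published out of band
    "PLC-014": hashlib.sha256(b"constructed firmware image A").hexdigest(),
    "RTU-007": hashlib.sha256(b"constructed firmware image B").hexdigest(),
}
ASSETS = [  # inventory rows joined with procurement and change records
    {"id": "PLC-014", "supplier": "Acme Controls", "po": "PO-1001", "change": "CHG-501", "accepted": True},
    {"id": "RTU-007", "supplier": "Northwind Automation", "po": "PO-1002", "change": "CHG-502", "accepted": True},
    {"id": "HMI-003", "supplier": "Acme Controls", "po": "PO-1003", "change": "CHG-503", "accepted": True},
    {"id": "SW-021", "supplier": "Integrator X", "po": None, "change": None, "accepted": False},
]

def integrity_status(asset_id):
    """Compare the received image's SHA-256 with the supplier's manifest entry."""
    image = FIRMWARE_IMAGES.get(asset_id)
    expected = SUPPLIER_MANIFEST.get(asset_id)
    if image is None or expected is None:
        return "not_tested"  # no evidence is a gap, not a pass
    return "verified" if hashlib.sha256(image).hexdigest() == expected else "mismatch"

def evidence_gaps(asset):
    """List the supply chain evidence missing for one asset."""
    gaps = []
    if asset["supplier"] not in APPROVED_SUPPLIERS:
        gaps.append("supplier_not_approved")
    if not asset["po"]:
        gaps.append("no_procurement_record")
    if not asset["change"]:
        gaps.append("no_change_record")
    if not asset["accepted"]:
        gaps.append("no_acceptance_test")
    status = integrity_status(asset["id"])
    if status != "verified":
        gaps.append("integrity_" + status)
    return gaps

def audit(assets):
    """Map each asset id to its list of evidence gaps (empty list = traceable)."""
    return {a["id"]: evidence_gaps(a) for a in assets}

if __name__ == "__main__":
    for asset_id, gaps in audit(ASSETS).items():
        print(asset_id, "OK" if not gaps else ", ".join(gaps))
```
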

Mitigation priorities

  • Establish and maintain a supply chain management program with documented policies and procedures.
  • Define trusted supplier criteria for devices, software, components, and relevant workflows entering the ICS environment.
  • Require integrity testing or verification before deployment into control systems where feasible and documented.
  • Tie procurement, engineering acceptance, asset inventory, and change management so supply chain evidence is available during audits and incidents.
  • Track and review exceptions for urgent purchases, replacement parts, vendor-managed changes, or components that bypass normal intake controls.
Analyst notes and limits

This object is a mitigation, not a technique, and its supplied relationship is to ICS ATT&CK technique T0862 Supply Chain Compromise. The strongest defensive value is governance plus operational evidence: proving what entered the environment, from whom, under what approval, and with what integrity validation. Glexia would use this to assess whether supply chain risk management is connected to OT asset management, incident response, and compliance evidence rather than isolated in procurement.

The supplied ATT&CK fields do not specify platforms, tactics, or official detection guidance. The related technique description is truncated in the provided object. Local architecture, supplier model, procurement process, testing capability, and OT change practices are required to determine actual exposure and coverage.

Official MITRE ATT&CK definition

Supply Chain Management

Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: ICS
ID: T0862
Name: Supply Chain Compromise
Relationship / procedure: A supply chain management program should include methods to assess the trustworthiness and technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices' supply chain. Citation: Robert A. Martin, January 2021


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 25c348072c38e454...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 25c348072c38…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack M0817

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.