The ICS-SEC KG: An Integrated Cybersecurity Resource for Industrial Control Systems

kabulkurniawan, 21 slides, Mar 11, 2025


The ICS-SEC KG: An Integrated Cybersecurity Resource for Industrial Control Systems
Kabul Kurniawan, Elmar Kiesling, Dietmar Winkler, Andreas Ekelhart

Motivation
▪Industrial Control Systems (ICS) play a pivotal role in critical infrastructures.
▪Increasing integration of Information Technology (IT) and Operational Technology (OT).
➢Introduces cybersecurity threats and risks.
▪Cyberattacks targeting ICS have severe consequences:
➢Operational disruption, physical damage, public safety risk, economic losses.
▪Example ICS attacks:
➢Stuxnet (2010), targeting Iran’s nuclear program,
➢Triton (2017), targeting the safety instrumented system (SIS) of a petrochemical plant,
➢Florida water treatment attack (2021).

Motivation
▪Meanwhile, a number of cybersecurity resources, standards, and information sources for ICS are available…
However,
- The diversity of representations and formats poses significant challenges.
- Research focusing on the integration of CTI knowledge in the ICS domain remains scarce.
- Most existing work focuses on general IT security.

Research Goal
“Integrated resource that helps to understand how ICSs can be compromised and protected through associated prevention, detection and mitigation techniques”

Background: Purdue Enterprise Reference Architecture Mapped to ATT&CK for ICS
(Slide shows the Purdue levels with the corresponding ATT&CK for ICS assets mapped onto them.)

Background: ICS Cybersecurity Information Standards and Resources (1)
▪MITRE ATT&CK for ICS https://attack.mitre.org/matrices/ics/

Background: ICS Cybersecurity Information Standards and Resources (2)
▪Industrial Control System Advisories (ICSAs)

Background: ICS Cybersecurity Information Standards and Resources (3)
▪National Vulnerability Database (NVD), Common Weakness Enumeration (CWE), Common Attack Pattern Enumeration and Classification (CAPEC)

Background: ICS Cybersecurity Information Standards and Resources (4)
▪NIST Guide to Industrial Control System (ICS)
▪ISA 99.02.1/IEC 62443

Identified linked entities across heterogeneous CTI resources
▪CVE
▪CWE
▪CAPEC
▪CPE
They seem related, but are not semantically linked.

Contribution 1: ICS-SEC KG Conceptualization
Resource Inclusion Criteria for Ontology Development
▪Clear schema with structured information,
▪Open dataset, ideally linked to other resources,
▪Curated by an authorized organization, vendor or trusted community experts,
▪Provides regular updates.
ICS Ontologies Development Methodology
▪Bottom-up approach,
▪Modular ontology,
▪Follows the Ontology Development 101 methodology,
▪Uses the RDF/OWL framework.

Approach: Integrated ICS-SEC Ontology
(Slide shows the integrated ontology diagram.)

Contribution 2: ICS-SEC KG Construction Pipeline
(Slide shows the pipeline diagram.)

ICS-SEC KG Statistics and Results
(Slide shows two charts: ICS Advisory trends (2010-2023) and ICS-related vulnerability severity trends (2010-2023).)

Contribution 3: ICS-SEC KG Interfaces
Interface 1: SPARQL Endpoint
Interface 2: Linked Data Interface
Interface 3: Dump Files
Interface 4: TPF Interface

Use-Case 1: Threat Intelligence Exploration
•Understanding ICS-related attack techniques and their anatomy
•Assessing vulnerabilities to prevent future breaches and to inform defence strategies
(Slide shows the SPARQL query and its query results.)

Use-Case 2: Vulnerability Assessment and Remediation
•A real-world use-case derived from [13]
➢The system consists of 22 Siemens field devices and 17 Cisco networking devices.
•Task:
➢Identify the top 5 vulnerabilities ranked by their CVSS scores
(Slide shows the SPARQL query and its query results.)

Summary
▪We highlight the importance of integrated ICS cybersecurity knowledge and introduce the ICS-SEC KG.
▪We integrate and link heterogeneous publicly available CTI resources,
▪e.g., ICSA, CVE, CWE, CAPEC and MITRE’s ATT&CK.
▪We provide various access interfaces to the KG,
▪e.g., SPARQL Endpoint, Linked Data Interface, TPF Interface, and data dumps.
▪We demonstrate the ICS-SEC KG through two use-cases:
▪Attack pattern exploration,
▪Vulnerability inspection and remediation in real-world settings.

Future Work
▪Extend the ICS-SEC KG with additional security standards and sources,
▪Integrate ICS-SEC related unstructured information,
▪Develop human-assisted security analytics tools, e.g., visualizations, chat bots,
▪Combine with LLMs,
▪to improve ICS-SEC information extraction and data curation,
▪to inform LLM-based applications with symbolic knowledge from the ICS-SEC KG (e.g., GraphRAG).

Thank you!
This work has been partially supported and funded by the Austrian Research Promotion Agency (FFG) via the Austrian Competence Center for Digital Production (CDP) under the contract number 881843. SBA Research (SBA-K1) is a COMET Centre within the COMET – Competence Centers for Excellent Technologies Programme and funded by BMK, BMAW, and the federal state of Vienna. COMET is managed by FFG. This work is also part of the TEAMING.AI project which receives funding in the European Commission’s Horizon 2020 Research Programme under Grant Agreement Number 957402 (www.teamingai-project.eu).
Kurniawan, K., Kiesling, E., Winkler, D., & Ekelhart, A.: The ICS-SEC KG: An Integrated Cybersecurity Resource for Industrial Control Systems. International Semantic Web Conference 2024.
Read the full paper:
Kurniawan, K., Kiesling, E., & Ekelhart, A.: CyKG-RAG: Towards knowledge-graph enhanced retrieval augmented generation for cybersecurity. RAGE-KG Workshop, ISWC 2024.

References
(1) Liu, K., Wang, F., Ding, Z., Liang, S., Yu, Z., Zhou, Y.: Recent Progress of Using Knowledge Graph for Cybersecurity. Electronics 11(15), 2287 (Jul 2022)
(2) Liu, K., Wang, F., Ding, Z., Liang, S., Yu, Z., Zhou, Y.: A review of knowledge graph application scenarios in cyber security (Apr 2022)
(3) Sikos, L.F.: Cybersecurity knowledge graphs. Knowledge and Information Systems (9), 3511–3531 (Sep 2023)
(4) Zhao, X., Jiang, R., Han, Y., Li, A., Peng, Z.: A survey on cybersecurity knowledge graph construction. Computers & Security, 103524
(5) Syed, Z., Padia, A., Mathews, M., Finin, T., Joshi, A.: UCO: A Unified Cybersecurity Ontology. In: Proceedings of the AAAI Workshop on Artificial Intelligence for Cyber Security
(6) HoloLen: Cybersecurity Knowledge Graph (2020)
(7) Sarhan, I., Spruit, M.: Open-CyKG: An open cyber threat intelligence knowledge graph. Knowledge-Based Systems 233, 107524 (2021)
(8) Kiesling, E., Ekelhart, A., Kurniawan, K., Ekaputra, F.: The SEPSES Knowledge Graph: An Integrated Resource for Cybersecurity. The Semantic Web – ISWC 2019
(9) Shen, G., Wang, W., Mu, Q., Pu, Y., Qin, Y., Yu, M.: Data-Driven Cybersecurity Knowledge Graph Construction for Industrial Control System Security. Wireless Communications and Mobile Computing 2020
(10) Shaaban, A.M., Gruber, T., Schmittner, C.: Ontology-Based Security Tool for Critical Cyber-Physical Systems. In: Proceedings of the 23rd International Systems and Software Product Line Conference, Paris, France (Sep 2019)
(11) Heverin, T., Chandnani, A., Lopex, C., Brahmhatt, N.: Ontology modelling of industrial control system ethical hacking. In: International Conference on Cyber Warfare and Security. pp. 109–XII. Academic Conferences International Limited (2021)
(12) Alanen, J., Linnosmaa, J., Malm, T., Papakonstantinou, N., Ahonen, T., Heikkilä, E., Tiusanen, R.: Hybrid ontology for safety, security, and dependability risk assessments and Security Threat Analysis (STA) method for industrial control systems. Reliability Engineering & System Safety 220, 108270 (Apr 2022)
(13) Empl, P., Schlette, D., Stöger, L., Pernul, G.: Generating ICS vulnerability playbooks with open standards. International Journal of Information Security (2), 1215–1230 (Apr 2024)