Securing the Future of Industry: AI-Powered Threat Insights

by

Author: Denis Avetisyan

A new knowledge graph framework is emerging to bolster cybersecurity in the increasingly connected world of Industry 5.0.

The BRIDG-ICS Knowledge Graph facilitates illustrative reasoning across diverse use cases, establishing a structured foundation for complex problem-solving.
The BRIDG-ICS Knowledge Graph facilitates illustrative reasoning across diverse use cases, establishing a structured foundation for complex problem-solving.

This paper introduces BRIDG-ICS, an AI-grounded knowledge graph designed to enhance threat modeling, risk assessment, and resilience in converging OT/IT environments.

The increasing convergence of IT and OT systems in Industry 5.0, while driving innovation, paradoxically expands the attack surface for cyber-physical systems. Addressing this challenge, we present ‘BRIDG-ICS: AI-Grounded Knowledge Graphs for Intelligent Threat Analytics in Industry~5.0 Cyber-Physical Systems’, a novel framework leveraging knowledge graphs and artificial intelligence to model and assess cyber risk in smart manufacturing. BRIDG-ICS uniquely fuses heterogeneous data-linking assets, vulnerabilities, and threats-to enable proactive threat reasoning and quantitative resilience assessment. Could this AI-enriched approach fundamentally reshape how we secure critical industrial infrastructure against increasingly sophisticated attacks?

The Evolving Threat Landscape in Operational Technology

Modern Industrial Control Systems (ICS) present a cybersecurity challenge fundamentally different from traditional IT networks due to their sheer complexity and scale. These systems, often sprawling across vast physical infrastructures – think power grids, manufacturing plants, and pipelines – incorporate a heterogeneous mix of legacy devices, proprietary protocols, and real-time operating systems. Unlike the relatively standardized environments of corporate networks, ICS lack consistent patching cycles and often operate for decades with limited security updates. This creates a significant vulnerability window, exacerbated by the interconnectedness of these systems and the difficulty of applying conventional security tools – designed for packet-based networks – to the specialized communication protocols used in ICS. Consequently, traditional perimeter-based defenses and signature-based detection methods prove largely ineffective against the sophisticated, targeted attacks increasingly directed at critical infrastructure, demanding a shift towards more adaptive and context-aware security strategies.

The increasing integration of Information Technology (IT) with Operational Technology (OT) systems-historically isolated industrial control networks-significantly expands the potential attack surface for malicious actors. This convergence, driven by initiatives like Industry 4.0 and the Industrial Internet of Things, introduces IT-standard networking protocols and software into environments that were previously reliant on proprietary systems. While offering benefits in efficiency and data analytics, this broadened connectivity means vulnerabilities in traditionally secure OT environments are now exposed to the same threats faced by standard IT networks, and vice versa. Consequently, simple risk assessments focusing solely on IT or OT prove inadequate; a nuanced approach is required. This necessitates a comprehensive understanding of both digital and physical processes, alongside a thorough evaluation of how vulnerabilities in one domain might impact the other, demanding specialized tools and expertise to effectively identify, prioritize, and mitigate emerging risks.

While resources like the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) represent crucial foundations for cybersecurity, their utility within operational technology (OT) environments is significantly limited by a lack of contextualization. These databases typically focus on vulnerabilities affecting standard information technology, failing to account for the unique characteristics of industrial control systems – including long operational lifecycles, specialized hardware, and safety-critical functions. A vulnerability flagged as ‘critical’ in an IT setting may pose a negligible risk to a physically isolated programmable logic controller, or conversely, a seemingly low-severity flaw could trigger a catastrophic safety incident. Consequently, security teams require tools and methodologies capable of translating generic vulnerability data into actionable intelligence specific to the OT environment, factoring in asset criticality, network segmentation, and potential impact on physical processes. Without this contextual layer, prioritization efforts become misaligned, leading to wasted resources and persistent risk.

Industry 5.0's integration of cyber-physical systems with IT and operational technology layers creates complex manufacturing environments that pose significant cybersecurity challenges.
Industry 5.0’s integration of cyber-physical systems with IT and operational technology layers creates complex manufacturing environments that pose significant cybersecurity challenges.

A Knowledge Graph for Cyber-Physical Risk: BRDIG-ICS

BRDIG-ICS employs a knowledge graph framework to represent the complex interdependencies characteristic of smart manufacturing systems. This framework models assets – including physical equipment, control systems, and network devices – as nodes within a graph. Relationships between these assets, such as data flow, control dependencies, and physical connections, are represented as edges connecting the nodes. This structure allows for the visualization and analysis of how compromises to one asset can propagate through the system, impacting others. The knowledge graph facilitates risk assessment by providing a contextualized view of asset criticality and potential attack paths, moving beyond traditional, isolated security assessments.

BRDIG-ICS employs a knowledge graph structure where individual components of a smart manufacturing system – assets such as PLCs and HMIs, potential vulnerabilities like unpatched software, and active threats including malware or network intrusions – are represented as nodes. These nodes are then connected by edges defining the relationships between them, such as “controls,” “is vulnerable to,” or “communicates with.” This interconnected representation moves beyond isolated risk assessments, allowing for the propagation of risk information across the system. For example, a vulnerability identified in one asset can be traced to other assets it influences, and the potential impact of a threat can be assessed based on the affected assets and their interdependencies, providing a comprehensive, system-level view of cyber-physical risk.

BRDIG-ICS employs Large Language Models (LLMs) to automate the creation and ongoing maintenance of its knowledge graph. Specifically, LLMs are utilized for both entity recognition – identifying key components like sensors, PLCs, and network devices – and relation extraction, which determines the connections between these entities, such as “connected_to” or “controls.” This automated process reduces the manual effort required to build and update the graph, enabling scalability and real-time risk assessment. The LLMs parse unstructured data sources, including incident reports, vulnerability databases, and system documentation, to identify relevant entities and relationships, then populate and enrich the knowledge graph accordingly. This data-driven approach facilitates a more comprehensive and dynamic representation of cyber-physical risk within the smart manufacturing environment.

This intelligent security workflow combines knowledge graph reasoning, large language model analysis, and resilience assessment to proactively identify and mitigate threats through a Security-by-Design approach.
This intelligent security workflow combines knowledge graph reasoning, large language model analysis, and resilience assessment to proactively identify and mitigate threats through a Security-by-Design approach.

Unlocking Insights: Graph Data Science and AI in Action

BRDIG-ICS utilizes Graph Embeddings and Graph Data Science techniques to model assets and their interdependencies as nodes and relationships within a graph database. This allows the framework to identify critical assets by analyzing their centrality and connectivity, and to map potential attack paths by traversing these relationships. Graph embeddings translate nodes and edges into vector representations, enabling machine learning algorithms to identify patterns indicative of vulnerabilities or high-risk pathways. Techniques such as shortest path algorithms and community detection are employed to quantify risk and prioritize security efforts, ultimately providing a data-driven approach to asset identification and attack path analysis.

Integration with threat intelligence sources, specifically the MITRE ATT&CK framework, significantly enhances the BRDIG-ICS system’s detection and prediction capabilities. By mapping observed behaviors and network activity to ATT&CK tactics and techniques, the system can identify potential threats based on known adversary behaviors. This allows for proactive identification of malicious activity even before signature-based detection is possible, and enables prediction of potential attack paths by understanding how adversaries typically operate. The framework leverages ATT&CK to contextualize alerts, prioritize investigations, and improve the overall accuracy of threat assessments within the BRDIG-ICS environment.

Data enrichment within the BRDIG-ICS framework resulted in a measurable reduction of attack path lengths, ranging from 20% to 40%. This improvement is directly attributable to the integration of diverse data sources and the subsequent enhancement of network visibility. By providing a more complete understanding of asset relationships and potential vulnerabilities, the framework facilitates the implementation of targeted controls that effectively shorten the routes attackers can traverse. This reduction in attack path length correlates with increased resilience, as the time available for detection and response is extended, and the overall attack surface is minimized.

BRDIG-ICS utilizes machine learning models to predict relationships between assets and potential cyber threats. Specifically, the framework achieved 98.70% accuracy in predicting HAS_POSSIBLE_TECHNIQUE links by employing a SecRoBERTa model combined with a CyberBERT classifier. This indicates a high degree of reliability in identifying techniques likely used in attacks targeting specific assets. Additionally, the framework attained 66.47% accuracy in predicting HAS_POSSIBLE_CWE links using a BERT classifier, demonstrating its ability to associate assets with potential Common Weakness Enumeration vulnerabilities, though at a lower accuracy rate than technique prediction.

Neo4j serves as the foundational graph database for BRDIG-ICS due to its inherent capabilities in handling complex relationships and large datasets. Its architecture allows for efficient storage and traversal of interconnected data points, critical for representing industrial control system (ICS) assets and their vulnerabilities. This scalability supports the processing of extensive asset inventories and threat landscapes, while optimized query performance – facilitated by Neo4j’s query language, Cypher – enables real-time risk assessment. The ability to rapidly query relationships between assets, vulnerabilities, and threat actors is essential for identifying critical attack paths and prioritizing mitigation efforts within dynamic operational technology (OT) environments.

The BRIDG-ICS methodology provides a comprehensive framework for integrating data-driven insights into complex system development.
The BRIDG-ICS methodology provides a comprehensive framework for integrating data-driven insights into complex system development.

Towards Proactive Resilience in the Era of Industry 5.0

The BRDIG-ICS framework represents a fundamental evolution in industrial cybersecurity, moving beyond the traditional model of simply reacting to breaches. Instead, it empowers organizations to actively seek out potential weaknesses and hidden threats within their systems. This is achieved through continuous monitoring, advanced analytics, and the correlation of data from previously siloed sources – operational technology, information technology, and even external threat intelligence feeds. By proactively ‘hunting’ for vulnerabilities before they can be exploited, and by prioritizing remediation efforts based on real-time risk assessments, BRDIG-ICS significantly reduces the attack surface and minimizes the potential for costly disruptions. This shift isn’t just about faster response times; it’s about preventing incidents from occurring in the first place, fostering a more resilient and secure industrial environment.

The BRDIG-ICS framework fundamentally alters cybersecurity budgeting by moving beyond generalized risk assessments. It achieves this through the aggregation and analysis of data streams originating from disparate sources – network traffic, endpoint detection systems, threat intelligence feeds, and even vulnerability scans. This correlated data doesn’t simply highlight vulnerabilities; it quantifies their potential impact within the specific organizational context. Consequently, security teams gain the ability to prioritize investments based on demonstrable risk reduction, directing resources towards the most critical areas and avoiding wasteful spending on low-probability threats. This data-driven approach not only optimizes resource allocation but also provides a clear return on investment for cybersecurity initiatives, fostering a more resilient and cost-effective security posture.

The convergence of BRDIG-ICS with Industry 5.0 fosters a powerful synergy between human expertise and advanced machine capabilities in cybersecurity. This integration moves beyond simply automating threat detection; it actively enhances human analysts’ abilities through AI-driven insights and predictive modeling. By correlating vast datasets from interconnected industrial systems, BRDIG-ICS empowers security teams to anticipate vulnerabilities and proactively mitigate risks, rather than reacting to incidents. The framework facilitates a collaborative environment where machines handle the complexities of data analysis, while human experts focus on strategic decision-making and nuanced threat interpretation, ultimately leading to more resilient and adaptive industrial operations. This human-machine partnership isn’t merely about speed or efficiency; it’s about leveraging the unique strengths of both to build a more robust and intelligent cybersecurity posture.

Across fifteen simulated attack scenarios, the Enriched and Controlled configurations consistently demonstrate improved propagation metrics compared to the Original configuration.
Across fifteen simulated attack scenarios, the Enriched and Controlled configurations consistently demonstrate improved propagation metrics compared to the Original configuration.

The pursuit of robust cybersecurity, as detailed in BRIDG-ICS, demands a foundation built upon verifiable truths rather than empirical observation. This mirrors the sentiment expressed by Carl Friedrich Gauss: “If others would think as hard as I do, they would not have so many questions.” The framework’s emphasis on a knowledge graph – a structured representation of industrial control system data and threat intelligence – isn’t simply about collecting information, but about establishing irrefutable relationships between components and vulnerabilities. Like a mathematical proof, the system’s efficacy rests on the logical consistency of its construction, enabling precise threat modeling and risk assessment within the complex landscape of Industry 5.0’s cyber-physical systems. The beauty lies not in merely identifying threats, but in understanding why they exist and how they propagate, a principle Gauss himself would undoubtedly appreciate.

Beyond the Graph: Charting a Course for Resilience

The BRIDG-ICS framework, while a logical progression in representing the increasingly complex interplay of operational and security data, merely addresses the symptom of systemic fragility, not the underlying disease. A knowledge graph, however meticulously constructed, remains a static model of a dynamic reality. The true challenge lies not in capturing a snapshot of potential threats, but in developing a system capable of deducing novel vulnerabilities from first principles – a formal verification of security properties, not merely an enumeration of known attacks. Every edge added to this graph introduces a potential point of failure, a hidden assumption about system behavior that may prove false under unforeseen circumstances.

Future work must prioritize the integration of formal methods – theorem proving, model checking – with the expressive power of knowledge graphs. The current reliance on AI-driven inference, while pragmatic, risks propagating errors and obscuring the fundamental logic of security. A provably secure system is not one that has survived countless penetration tests, but one where security is guaranteed by mathematical construction. The pursuit of ‘intelligent’ security should not be a substitute for rigorous correctness.

Ultimately, the goal is not simply to react to threats, but to eliminate entire classes of vulnerabilities through mathematically sound design. BRIDG-ICS represents a step toward that ambition, but a critical realization remains: the most elegant security is not found in complexity, but in absolute, demonstrable simplicity.

Original article: https://arxiv.org/pdf/2512.12112.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

See also:

2025-12-17 01:52