SMSI: Automated Threat Modeling for Cyber-Physical Systems
SMSI (System Model Security Inference) is a hybrid neuro-symbolic system for automated threat modeling of cyber-physical systems. It takes a SysML architecture model as input and produces a ranked list of NIST 800-53 security controls. The pipeline has three stages: first, a deterministic parser matches system components to vulnerabilities using the NVD; second, retrieval and classification models link those vulnerabilities to MITRE ATT&CK techniques; third, a control recommender proposes the security controls. Three methods for linking CVEs to ATT&CK techniques were tested: a supervised classifier with SecureBERT+, retrieval-based encoders, and a zero-shot LLM approach using Gemma-4 26B. The system was validated on a healthcare IoT gateway with nine software components, where pretrained SecureBERT performed best in control retrieval for ATT&CK-to-NIST mapping.
Key facts
- SMSI is a hybrid neuro-symbolic pipeline for automated threat modeling of cyber-physical systems.
- It starts from a SysML architecture model and outputs prioritized NIST 800-53 security controls.
- The pipeline includes a deterministic parser, retrieval/classification models, and a control recommender.
- Three CVE-to-ATT&CK mapping approaches were tested: SecureBERT+, dense encoders, and Gemma-4 26B.
- Validation was performed on a healthcare IoT gateway with nine software components.
- Pretrained SecureBERT achieved the highest control retrieval scores for ATT&CK-to-NIST mapping.
- The project is described in arXiv paper 2604.23905.
- Threat modeling for CPS has been largely manual prior to this work.
Entities
Institutions
- NVD
- MITRE
- NIST
- SecureBERT
- Gemma