An Evidence-Driven Analysis of Threat Information Sharing Challenges for Industrial Control Systems and Future Directions
Adam Hahn, Rubin Krief, Daniel Rebori-Carretero, Rami Puzis, Aviad Elyashar, Nik Urlaub

TL;DR
This paper analyzes the challenges in sharing threat information for industrial control systems, identifying key limitations and proposing directions for improving standards and practices to enhance cybersecurity collaboration.
Contribution
It provides a systematic analysis of ICS threat-sharing challenges, including technical limitations, and proposes enhancements to information-sharing standards such as STIX.
Findings
Identified four key limitations in ICS threat information sharing.
Analyzed 196 procedures across 79 MITRE ATT&CK techniques.
Proposed improvements for ICS-specific threat representation in standards.
Abstract
The increasing cyber threats to critical infrastructure highlight the importance of private companies and government agencies in detecting and sharing information about threat activities. Although the need for improved threat information sharing is widely recognized, various technical and organizational challenges persist, hindering effective collaboration. In this study, we review the challenges that hinder the sharing of usable threat information with critical infrastructure operators within the ICS domain. We analyze three major incidents: Stuxnet, Industroyer, and Triton. In addition, we perform a systematic analysis of 196 procedure examples across 79 MITRE ATT&CK techniques from 22 ICS-related malware families, utilizing automated natural language processing techniques to systematically extract and categorize threat observables. Additionally, we investigated nine recent ICS…
Taxonomy
Topics: Information and Cyber Security · Smart Grid Security and Resilience · Network Security and Intrusion Detection
