An Ontology-Based Approach to Security Risk Identification of Container Deployments in OT Contexts
Yannick Landeck, Dian Balta, Martin Wimmer, Christian Knierim

TL;DR
This paper introduces CSRO, an ontology-based model for automated, reproducible security risk identification in OT container deployments, addressing challenges of hybrid architectures and stakeholder fragmentation.
Contribution
The paper presents a novel ontology-based framework, CSRO, integrating key security domains for systematic risk assessment in OT container environments.
Findings
CSRO enables automated risk calculation from artefacts to risk levels.
The approach improves reproducibility and interpretability of security assessments.
CSRO's modular design allows future extension to broader risk factors.
Abstract
In operational technology (OT) contexts, containerised applications often require elevated privileges to access low-level network interfaces or perform administrative tasks such as application monitoring. These privileges reduce the default isolation provided by containers and introduce significant security risks. Security risk identification for OT container deployments is challenged by hybrid IT/OT architectures, fragmented stakeholder knowledge, and continuous system changes. Existing approaches lack reproducibility, interpretability across contexts, and technical integration with deployment artefacts. We propose a model-based approach, implemented as the Container Security Risk Ontology (CSRO), which integrates five key domains: adversarial behaviour, contextual assumptions, attack scenarios, risk assessment rules, and container security artefacts. Our evaluation of CSRO in a case…
Taxonomy
Topics: Software System Performance and Reliability · Mobile Agent-Based Network Management · Information and Cyber Security
