SMSI: System Model Security Inference: Automated Threat Modeling for Cyber-Physical Systems

TL;DR

SMSI is an automated hybrid pipeline that infers security controls for cyber-physical systems from architecture models, integrating vulnerability parsing, ATT&CK mapping, and control recommendation.

Contribution

It introduces a novel neuro-symbolic approach combining multiple models for automated threat modeling in CPS from architecture to controls.

Findings

SecureBERT achieves high control retrieval accuracy.

Dense embeddings effectively support automated control recommendations.

Pipeline validated on a healthcare IoT gateway.

Abstract

Threat modeling for cyber-physical systems (CPS) remains a largely manual exercise. This project presents SMSI (System Model Security Inference), a hybrid neuro-symbolic pipeline that starts from a SysML architecture model and produces a prioritized list of NIST 800-53 security controls. The prototype has three main stages: a deterministic parser mapping system components to vulnerabilities via the NVD; a family of retrieval and classification models linking vulnerabilities to MITRE ATT&CK techniques; and a control recommender. We explore three approaches for CVE-to-ATT&CK mapping: a supervised classifier using fine-tuned SecureBERT+, retrieval-based dense encoders, and a zero-shot LLM approach using Gemma-4 26B. We validate the pipeline on a healthcare IoT gateway with nine software components. For the ATT&CK-to-NIST stage, pretrained SecureBERT achieves the highest control retrieval scores, demonstrating that dense embeddings provide a strong basis for automated control recommendation.