An Evidence-Driven Analysis of Threat Information Sharing Challenges for Industrial Control Systems and Future Directions
Adam Hahn, Rubin Krief, Daniel Rebori-Carretero, Rami Puzis, Aviad Elyashar, Nik Urlaub
TL;DR
This work analyzes threat information sharing for industrial control systems (ICS) and identifies four major barriers: insufficient STIX observables for ICS artifacts, reliance on proprietary protocols, lack of detailed vulnerability advisories, and limited actionable threat intelligence. By combining case studies of Triton, Stuxnet, and Industroyer with a systematic extraction of 361 observables from MITRE ATT&CK for ICS across 196 procedures and nine CISA KEV advisories, the study demonstrates substantial gaps in representation and operational utility. It finds that roughly 53% of ICS observables are only partially represented in STIX, 19% have no representation, and only 28% are fully covered, with many actionable indicators not captured by STIX. The authors propose concrete directions—expanding STIX to include ICS-specific observables, standardizing vulnerability disclosures with actionable rules, developing open ICS protocol parsers, and fostering sector-specific information-sharing practices—to improve detection, response, and resilience in OT environments.
Abstract
The increasing cyber threats to critical infrastructure highlight the importance of private companies and government agencies in detecting and sharing information about threat activities. Although the need for improved threat information sharing is widely recognized, various technical and organizational challenges persist, hindering effective collaboration. In this study, we review the challenges that impede the sharing of usable threat information with critical infrastructure operators within the ICS domain. We analyze three major incidents: Stuxnet, Industroyer, and Triton. In addition, we perform a systematic analysis of 196 procedure examples across 79 MITRE ATT&CK techniques from 22 ICS-related malware families, using automated natural language processing techniques to extract and categorize threat observables. We also investigate nine recent ICS vulnerability advisories from the CISA Known Exploitable Vulnerability catalog. Our analysis identifies four important limitations in the ICS threat information sharing ecosystem: (i) the lack of coherent representation of artifacts related to ICS adversarial techniques in information sharing language standards (e.g., STIX); (ii) the dependence on undocumented proprietary technologies; (iii) limited technical details provided in vulnerability and threat incident reports; and (iv) the accessibility of technical details for observed adversarial techniques. This study aims to guide the development of future information-sharing standards, including the enhancement of the cyber-observable objects schema in STIX, to ensure accurate representation of artifacts specific to ICS environments.
