An Ontology-Based Approach to Security Risk Identification of Container Deployments in OT Contexts
Yannick Landeck, Dian Balta, Martin Wimmer, Christian Knierim
TL;DR
This work addresses security risk identification for container deployments in OT by introducing the Container Security Risk Ontology (CSRO), a modular, ontology-based model that links adversarial techniques, contextual assumptions, attack scenarios, risk rules, and container artefacts. Implemented as a knowledge graph with SPARQL-based risk calculation and a command-line tool, CSRO enables end-to-end, artefact-to-risk identification that is reproducible and adaptable to changing OT environments. A large-scale industrial OT case study demonstrates automated risk levels and executable risk treatments, illustrating the approach’s practical viability and integration potential with existing workflows (e.g., policy engines like OPA). The work lays a foundation for extending risk identification to host-level and organizational factors and suggests directions for reducing maintenance overhead and incorporating Generative AI to enhance usability and workflow integration.
Abstract
In operational technology (OT) contexts, containerised applications often require elevated privileges to access low-level network interfaces or perform administrative tasks such as application monitoring. These privileges reduce the default isolation provided by containers and introduce significant security risks. Security risk identification for OT container deployments is challenged by hybrid IT/OT architectures, fragmented stakeholder knowledge, and continuous system changes. Existing approaches lack reproducibility, interpretability across contexts, and technical integration with deployment artefacts. We propose a model-based approach, implemented as the Container Security Risk Ontology (CSRO), which integrates five key domains: adversarial behaviour, contextual assumptions, attack scenarios, risk assessment rules, and container security artefacts. Our evaluation of CSRO in a case study demonstrates that the end-to-end formalisation of risk calculation, from artefact to risk level, enables automated and reproducible risk identification. While CSRO currently focuses on technical, container-level treatment measures, its modular and flexible design provides a solid foundation for extending the approach to host-level and organisational risk factors.
