SMSI: System Model Security Inference: Automated Threat Modeling for Cyber-Physical Systems
This work addresses the manual effort in CPS threat modeling, offering an automated pipeline, though it is validated on a single case study.
SMSI automates threat modeling for cyber-physical systems by converting SysML models into prioritized NIST 800-53 security controls. On a healthcare IoT gateway, the pipeline achieved the highest control retrieval scores using pretrained SecureBERT for ATT&CK-to-NIST mapping.
Threat modeling for cyber-physical systems (CPS) remains a largely manual exercise. This project presents SMSI (System Model Security Inference), a hybrid neuro-symbolic pipeline that starts from a SysML architecture model and produces a prioritized list of NIST 800-53 security controls. The prototype has three main stages: a deterministic parser mapping system components to vulnerabilities via the NVD; a family of retrieval and classification models linking vulnerabilities to MITRE ATT&CK techniques; and a control recommender. We explore three approaches for CVE-to-ATT&CK mapping: a supervised classifier using fine-tuned SecureBERT+, retrieval-based dense encoders, and a zero-shot LLM approach using Gemma-4 26B. We validate the pipeline on a healthcare IoT gateway with nine software components. For the ATT&CK-to-NIST stage, pretrained SecureBERT achieves the highest control retrieval scores, demonstrating that dense embeddings provide a strong basis for automated control recommendation.