Identifying Adversarial Cyber-Activity in Operational Technology Environments Using Bayesian Networks

Maccarone, Lee T.; Buede, Dennis M.; Bowman, Scott Timothy; Ambrozewicz, Pawel; Burdick, Charles D.; Connor Grady, J.; Wen, Shaw Xiao

doi:10.1109/TIFS.2025.3607241

Identifying Adversarial Cyber-Activity in Operational Technology Environments Using Bayesian Networks

Journal Article · Mon Sep 08 00:00:00 EDT 2025 · IEEE Transactions on Information Forensics and Security

DOI:https://doi.org/10.1109/TIFS.2025.3607241· OSTI ID:3011940

^[1]; ^[2]; ^[3]; ^[2]; Burdick, Charles D. ^[2]; ^[1]; ^[3]

Sandia National Laboratories (SNL-NM), Albuquerque, NM (United States)
ITA International, Newport News, VA (United States)
Idaho National Laboratory (INL), Idaho Falls, ID (United States)

Critical infrastructure and other operational technology (OT) environments face increasing cybersecurity risks from adversarial behavior. This paper describes the development of a risk model using a Bayesian network to enhance the comprehension of observable cyber events caused by malicious activity in OT environments. The core of the Bayesian network is a process model that describes the stages of adversary behavior. The remainder of the model is based on the MITRE ATT&CK® for Industrial Control Systems (ICS) taxonomy, which includes tactics and techniques that may be used by the adversary. The observables provide evidence for adversary behavior through the intermediary technique and tactic nodes. One challenge in constructing this model is a lack of open-source data from cyber-attacks on OT systems. This paper discusses learning from limited data, the elicitation of expert opinion to construct the conditional probability tables when data is scarce, and the refinement of the most difficult conditional probabilities tables using several forms of sensitivity analyses. Finally, the Bayesian network is demonstrated using two historical case studies: the DarkSide ransomware attack on the Colonial Pipeline and the destructive cyberattack targeting the ThyssenKrupp blast furnace. Index Terms—Cybersecurity, industrial control systems, operational technology

View Accepted Manuscript (DOE)

Research Organization:: Idaho National Laboratory (INL), Idaho Falls, ID (United States)

Sponsoring Organization:: USDOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER); USDOE Office of Nuclear Energy (NE)

Grant/Contract Number:: AC07-05ID14517; NA0003525

OSTI ID:: 3011940

Report Number(s):: INL/JOU--24-77873

Journal Information:: IEEE Transactions on Information Forensics and Security, Journal Name: IEEE Transactions on Information Forensics and Security Vol. 20; ISSN 1556-6013; ISSN 1556-6021

Publisher:: IEEECopyright Statement

Country of Publication:: United States

Language:: English

References (17)

Machine learning in cybersecurity: A review Handa, Anand; Sharma, Ashu; Shukla, Sandeep K. WIREs Data Mining and Knowledge Discovery, Vol. 9, Issue 4 https://doi.org/10.1002/widm.1306	journal	February 2019
On the hardness of approximate reasoning Roth, Dan Artificial Intelligence, Vol. 82, Issue 1-2 https://doi.org/10.1016/0004-3702(94)00092-1	journal	April 1996
Lazy propagation: A junction tree inference algorithm based on lazy evaluation Madsen, Anders L.; Jensen, Finn V. Artificial Intelligence, Vol. 113, Issue 1-2 https://doi.org/10.1016/S0004-3702(99)00062-4	journal	September 1999
A Bayesian network approach for cybersecurity risk assessment implementing and extending the FAIR model Wang, Jiali; Neil, Martin; Fenton, Norman Computers & Security, Vol. 89 https://doi.org/10.1016/j.cose.2019.101659	journal	February 2020
Bayesian network based weighted APT attack paths modeling in cloud computing Zimba, Aaron; Chen, Hongsong; Wang, Zhaoshun Future Generation Computer Systems, Vol. 96 https://doi.org/10.1016/j.future.2019.02.045	journal	July 2019
Dynamic bayesian networks based abnormal event classifier for nuclear power plants in case of cyber security threats Vaddi, Pavan Kumar; Pietrykowski, Michael C.; Kar, Diptendu Progress in Nuclear Energy, Vol. 128 https://doi.org/10.1016/j.pnucene.2020.103479	journal	October 2020
Machine Learning and Deep Learning Methods for Cybersecurity Xin, Yang; Kong, Lingshuang; Liu, Zhi IEEE Access, Vol. 6 https://doi.org/10.1109/ACCESS.2018.2836950	journal	January 2018
Detection of Real-Time Malicious Intrusions and Attacks in IoT Empowered Cybersecurity Infrastructures Kandhro, Irfan Ali; Alanazi, Sultan M.; Ali, Fayyaz IEEE Access, Vol. 11 https://doi.org/10.1109/ACCESS.2023.3238664	journal	January 2023
Application of Bayesian network to data-driven cyber-security risk assessment in SCADA networks Huang, Kaixing; Zhou, Chunjie; Tian, Yu-Chu 2017 27th International Telecommunication Networks and Applications Conference (ITNAC) https://doi.org/10.1109/ATNAC.2017.8215355	conference	November 2017
Modeling Modern Network Attacks and Countermeasures Using Attack Graphs Ingols, Kyle; Chu, Matthew; Lippmann, Richard 2009 Annual Computer Security Applications Conference (ACSAC) https://doi.org/10.1109/acsac.2009.21	conference	December 2009
Statistical Methods for Developing Cybersecurity Response Thresholds for Operational Technology Systems Using Historical Data Grady, J. Connor; Wen, Shaw X.; Maccarone, Lee T. 2024 IEEE 6th International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications (TPS-ISA) https://doi.org/10.1109/tps-isa62245.2024.00075	conference	October 2024
Cyber-Attack Modeling Analysis Techniques: An Overview Al-Mohannadi, Hamad; Mirza, Qublai; Namanya, Anitta 2016 IEEE 4th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW) https://doi.org/10.1109/w-ficloud.2016.29	conference	August 2016
Measuring network security using dynamic bayesian network Frigault, Marcel; Wang, Lingyu; Singhal, Anoop Proceedings of the 4th ACM workshop on Quality of protection - QoP '08 https://doi.org/10.1145/1456362.1456368	conference	January 2008
Assessing web security risks using dynamic Bayesian network Vu, Thi-Huong-Giang; Hoang, Trung-Hieu; Nguyen, Manh-Tuan The 11th International Symposium on Information and Communication Technology https://doi.org/10.1145/3568562.3568591	conference	December 2022
Development of a Bayesian Network to Model Malicious Cyber-Activity in Operational Technology Environments. Maccarone, Lee; Buede, Dennis; Bowman, Scott Proposed for presentation at the Uncertainty in AI Conference held August 1-5, 2022 in , https://doi.org/10.2172/2006367	conference	August 2022
IT/OT Convergence in Industry 4.0 : Risks and Analisy of the Problems Santos, Silvino; Costa, Paulo; Rocha, Agostinho 2023 18th Iberian Conference on Information Systems and Technologies (CISTI) https://doi.org/10.23919/CISTI58278.2023.10211415	conference	June 2023
A Layered Middleware for OT/IT Convergence to Empower Industry 5.0 Applications Patera, Lorenzo; Garbugli, Andrea; Bujari, Armir Sensors, Vol. 22, Issue 1 https://doi.org/10.3390/s22010190	journal	December 2021

Similar Records

Requirements and Recommendations for a Physical Attack Characterization Framework

Technical Report · Sat Jul 01 00:00:00 EDT 2023 · OSTI ID:2229613

Assessment of the Distributed Ledger Technology for Energy Sector Industrial and Operational Applications Using the MITRE ATT&CK® ICS Matrix

Journal Article · Wed Jun 21 20:00:00 EDT 2023 · IEEE Access · OSTI ID:1997359

CyOTE Precursor Analysis Report: Cyber Attack on Thyssenkrupp Blast Furnace 2014

Technical Report · Wed Oct 15 20:00:00 EDT 2025 · OSTI ID:3030060

Related Subjects

97 - MATHEMATICS AND COMPUTING
Cybersecurity
Industrial Control Systems
Operational Technology

Identifying Adversarial Cyber-Activity in Operational Technology Environments Using Bayesian Networks

Citation Formats

References (17)

Similar Records

Related Subjects