An Evidence-Driven Analysis of Threat Information Sharing Challenges for Industrial Control Systems and Future Directions
The increasing cyber threats to critical infrastructure highlight the importance of private companies and government agencies in detecting and sharing information about threat activities. Although the need for improved threat information sharing is widely recognized, various technical and organizational challenges persist, hindering effective collaboration. In this study, we review the challenges that hinder the sharing of usable threat information with critical infrastructure operators within the ICS domain. We analyze three major incidents: Stuxnet, Industroyer, and Triton. In addition, we perform a systematic analysis of 196 procedure examples across 79 MITRE ATT&CK techniques from 22 ICS-related malware families, utilizing automated natural language processing techniques to systematically extract and categorize threat observables. We also investigate nine recent ICS vulnerability advisories from the CISA Known Exploitable Vulnerability catalog. Our analysis identified four important limitations in the ICS threat information sharing ecosystem: (i) the lack of a coherent representation of artifacts related to ICS adversarial techniques in information sharing language standards (e.g., STIX); (ii) the dependence on undocumented proprietary technologies; (iii) the limited technical detail provided in vulnerability and threat incident reports; and (iv) the limited accessibility of technical details for observed adversarial techniques. This study aims to guide the development of future information-sharing standards, including the enhancement of the cyber-observable objects schema in STIX, to ensure accurate representation of artifacts specific to ICS environments.
💡 Research Summary
The paper provides a comprehensive examination of why threat intelligence sharing in the Industrial Control Systems (ICS) domain remains ineffective despite growing policy emphasis and numerous information‑sharing programs. By dissecting three high‑profile incidents (Stuxnet, Industroyer, and Triton), the authors illustrate the concrete adversarial techniques that operators need to detect. They then scale this insight through a systematic analysis of 196 procedure examples drawn from 22 malware families covering 79 MITRE ATT&CK‑ICS techniques. Using a large‑language‑model‑driven natural‑language‑processing pipeline, they automatically extract 361 observables and map them to STIX 2.1 objects. The mapping results reveal that only 101 observables have full STIX support, 191 have partial support, and 69 lack any representation, underscoring a systemic mismatch between the richness of ICS‑specific artifacts and the expressive power of current standards.
In parallel, the authors review nine recent vulnerability advisories from the CISA Known Exploitable Vulnerability (KEV) catalog, finding that most reports provide only high‑level impact statements and omit the granular technical details required for detection rule creation.
From these empirical findings, four critical limitations emerge: (1) the absence of a coherent representation for ICS‑specific artifacts (e.g., Modbus function codes, PLC register values) within existing information‑sharing languages such as STIX; (2) reliance on undocumented proprietary parsing technologies that hinder interoperability; (3) insufficient technical depth in both vulnerability and incident reports; and (4) limited accessibility of detailed observables across the threat‑sharing ecosystem.
To address these gaps, the authors propose extending the STIX Cyber‑Observable Object (SCO) schema with an “ICS‑Specific Artifact” class, accompanied by enriched metadata fields for controller models, firmware versions, communication channels, and physical‑process parameters. They argue that such extensions would enable direct translation of shared observables into actionable detection signatures for SIEMs, IDS/IPS, and OT‑specific monitoring tools.
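The mapping step and the proposed schema extension can be illustrated end to end. The following Python is an added example, not the authors' pipeline or data: the list of "extracted" observables is constructed, the support levels per category are assumptions that mirror the full/partial/none split described above, and the `ics-artifact` object is one assumed shape for the proposed ICS‑specific artifact, declared through the standard STIX 2.1 `extension-definition` mechanism (`extension_type` "new-sco") rather than through any schema the paper itself publishes. The schema URL and identity id are placeholders.

```python
"""Map extracted ICS observables onto STIX 2.1 SCOs and measure coverage gaps.

Added illustration; not the paper's pipeline or data. The observables below
are constructed, and the "ics-artifact" object is an assumed shape for the
paper's proposed ICS-specific artifact, expressed through the standard
STIX 2.1 extension-definition mechanism (extension_type "new-sco").
"""
import json
import uuid

# Observable category -> (nearest STIX 2.1 SCO type, support level).
# full:    the SCO carries the observable as a native property.
# partial: an SCO exists but has no property for the ICS-specific detail.
# none:    no SCO can represent the observable at all.
# (Assumed rules for this example, not the paper's mapping table.)
COVERAGE_RULES = {
    "file_sha256": ("file", "full"),
    "process_command_line": ("process", "full"),
    "registry_key": ("windows-registry-key", "full"),
    "c2_ipv4": ("ipv4-addr", "full"),
    "modbus_function_code": ("network-traffic", "partial"),
    "s7comm_block_download": ("network-traffic", "partial"),
    "plc_register_value": (None, "none"),
    "controller_firmware_version": (None, "none"),
}

# Constructed sample of "extracted" observables (not from the paper).
CONSTRUCTED_OBSERVABLES = [
    {"category": "file_sha256", "value": "ab" * 32},
    {"category": "process_command_line", "value": "cmd.exe /c whoami"},
    {"category": "registry_key", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor"},
    {"category": "c2_ipv4", "value": "203.0.113.10"},
    {"category": "modbus_function_code", "value": "0x05"},  # Write Single Coil
    {"category": "s7comm_block_download", "value": "OB1"},
    {"category": "plc_register_value", "value": "40001=1"},
    {"category": "controller_firmware_version", "value": "2.3.1"},
]

PLC_ADDR = "192.0.2.20"  # constructed address of the affected controller
EXT_ID = "extension-definition--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "ics-artifact"))
IDENTITY_ID = "identity--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "placeholder-org"))


def classify(obs):
    """Return (sco_type, support_level); unknown categories count as unsupported."""
    return COVERAGE_RULES.get(obs["category"], (None, "none"))


def coverage_summary(observables):
    """Count observables by support level, as the paper's mapping step does."""
    counts = {"full": 0, "partial": 0, "none": 0}
    for obs in observables:
        counts[classify(obs)[1]] += 1
    return counts


def extension_definition():
    """Declare the hypothetical ics-artifact SCO via a STIX 2.1 extension."""
    ts = "2024-01-01T00:00:00.000Z"  # constructed timestamp
    return {
        "type": "extension-definition", "spec_version": "2.1", "id": EXT_ID,
        "created_by_ref": IDENTITY_ID, "created": ts, "modified": ts,
        "name": "ICS artifact (hypothetical)",
        "schema": "https://example.invalid/ics-artifact.json",  # placeholder
        "version": "0.1.0", "extension_types": ["new-sco"],
    }


def to_stix(observables):
    """Return (objects, lost_details): SCOs plus the ICS details no SCO kept."""
    plc = {"type": "ipv4-addr", "id": f"ipv4-addr--{uuid.uuid4()}", "value": PLC_ADDR}
    objects, lost = [extension_definition(), plc], []
    for obs in observables:
        sco_type, level = classify(obs)
        val = obs["value"]
        if level == "none":  # only expressible through the proposed extension
            objects.append({"type": "ics-artifact", "id": f"ics-artifact--{uuid.uuid4()}",
                            "category": obs["category"], "value": val,
                            "extensions": {EXT_ID: {"extension_type": "new-sco"}}})
            continue
        oid = f"{sco_type}--{uuid.uuid4()}"
        if sco_type == "file":
            objects.append({"type": sco_type, "id": oid, "hashes": {"SHA-256": val}})
        elif sco_type == "process":
            objects.append({"type": sco_type, "id": oid, "command_line": val})
        elif sco_type == "windows-registry-key":
            objects.append({"type": sco_type, "id": oid, "key": val})
        elif sco_type == "ipv4-addr":
            objects.append({"type": sco_type, "id": oid, "value": val})
        else:  # network-traffic: the protocol fits, the ICS payload detail does not
            proto = "modbus" if obs["category"].startswith("modbus") else "s7comm"
            objects.append({"type": sco_type, "id": oid, "dst_ref": plc["id"],
                            "dst_port": 502 if proto == "modbus" else 102,
                            "protocols": ["tcp", proto]})
            lost.append((obs["category"], val))  # detail dropped by the standard SCO
    return objects, lost


def bundle_json(observables):
    """Serialize the objects as a STIX 2.1 bundle."""
    objects, _ = to_stix(observables)
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": objects}, indent=2)


if __name__ == "__main__":
    print(coverage_summary(CONSTRUCTED_OBSERVABLES))
    _, dropped = to_stix(CONSTRUCTED_OBSERVABLES)
    print("details no standard SCO could carry:", dropped)
    print(bundle_json(CONSTRUCTED_OBSERVABLES))
```

Running it shows the three outcomes side by side: host‑centric observables land in native SCO properties, the Modbus function code and S7 block download survive only as a `network-traffic` object whose `protocols` list names the protocol while the payload detail is dropped, and the register value and firmware version cannot be emitted at all without the extension object. Any consumer that validates incoming STIX against the `extension-definition` can tell which observables were carried natively and which depend on a schema it must first agree on with the producer.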
The paper also contributes an open‑source NLP pipeline that can be reused by researchers and practitioners to extract and structure cyber threat intelligence (CTI) from unstructured reports, facilitating reproducibility and future benchmarking. Finally, the authors discuss organizational measures (trust frameworks, standardized metadata governance, and public‑private collaboration platforms) that must accompany technical standardization to achieve reliable, timely, and actionable threat sharing in critical infrastructure.
Overall, the study highlights that without both schema enhancements to STIX and coordinated governance, the current threat‑information sharing model will continue to fall short of the operational needs of ICS asset owners. The proposed roadmap offers a concrete path toward more precise, interoperable, and actionable cyber‑threat intelligence for the industrial sector.