
arxiv: 2603.24888 · v1 · submitted 2026-03-26 · 💻 cs.CR

An Approach to Generate Attack Graphs with a Case Study on Siemens PCS7 Blueprint for Water Treatment Plants

Pith reviewed 2026-05-15 01:14 UTC · model grok-4.3

classification 💻 cs.CR
keywords: attack graphs, industrial control systems, ICS security, vulnerability analysis, Siemens PCS7, exploit chains, network topology, cybersecurity

The pith

A stateful traversal algorithm generates attack graphs for ICS by integrating network topology and vulnerability data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper develops a method to automatically create attack graphs for industrial control systems, focusing on environments like water treatment facilities. It does so by first building a model that merges how the network is laid out with data on existing security flaws. A stateful algorithm then walks through possible sequences of exploits, respecting what must be true before each step and what it enables afterward. The approach is tested on a standard blueprint for Siemens PCS7 systems, showing concrete examples such as how one weak point can undermine network divisions and how fixing one issue can safeguard a whole area. This gives plant operators specific information on where to focus their security efforts to prevent cascading failures.

Core claim

The paper's core contribution is a semi-automated framework that builds a system model from network topology information and vulnerability data, then processes that model with a stateful traversal algorithm to identify potential exploit chains from their preconditions and consequences. The framework is demonstrated in a case study on the Siemens PCS7 Cybersecurity Blueprint for Water Treatment Plants, where it simulates attacks originating from CVEs and misconfigurations; the results show that a single point of failure can compromise segmentation and that patching critical vulnerabilities protects security zones.

What carries the argument

Stateful traversal algorithm applied to an integrated network topology and vulnerability model that enumerates exploit chains by matching preconditions to consequences.

If this is right

  • Simulating attacks from known CVEs and device misconfigurations becomes feasible in ICS settings.
  • A single point of failure can be shown to compromise network segmentation.
  • Patching a critical vulnerability can be demonstrated to protect an entire security zone.
  • Actionable insights for risk mitigation are produced for water treatment plant operators.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The generated graphs could serve as a basis for automated security testing tools that verify proposed configurations.
  • Similar methods might extend to other critical infrastructure sectors beyond water treatment.
  • Updating the vulnerability data over time could allow ongoing monitoring of evolving threats in the modeled system.

Load-bearing premise

The network topology and vulnerability data provided to the model must accurately reflect the real system without omitting important constraints like physical access or timing requirements.

What would settle it

Observing that the attack paths generated for the Siemens PCS7 blueprint include sequences that cannot occur in a controlled testbed of the actual plant due to unmodeled physical or operational barriers.

Figures

Figures reproduced from arXiv: 2603.24888 by Anton Kocheturov, Carlos Banjar, Daniel Menasche, Gaurav Srivastava, Lucas Miranda, Tobias Limmer.

Figure 1. Workflow: inputs → processing → attack graph.
Figure 2. Attack graph fragment with exploit paths and one
Figure 3. All possible attack paths leading to the Energy Man
Figure 4. All possible attack paths leading to the TIM 1531

Original abstract

Assessing the security posture of Industrial Control Systems (ICS) is critical for protecting essential infrastructure. However, the complexity and scale of these environments make it challenging to identify and prioritize potential attack paths. This paper introduces a semi-automated approach for generating attack graphs in ICS environments to visualize and analyze multi-step attack scenarios. Our methodology integrates network topology information with vulnerability data to construct a model of the system. This model is then processed by a stateful traversal algorithm to identify potential exploit chains based on preconditions and consequences. We present a case study applying the proposed framework to the Siemens PCS7 Cybersecurity Blueprint for Water Treatment Plants. The results demonstrate the framework's ability to simulate different attack scenarios, including those originating from known CVEs and potential device misconfigurations. We show how a single point of failure can compromise network segmentation and how patching a critical vulnerability can protect an entire security zone, providing actionable insights for risk mitigation.
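As an added illustration (not code from the paper or from the authors' repository), the following Python sketch implements the kind of stateful traversal the abstract describes: a model of hosts, security zones, allowed cross-zone flows and host vulnerabilities; an exploit precondition (the attacker already executes code on a host that can reach the target's vulnerable service) and consequence (code execution on the target, which unlocks further exploits); enumeration of all exploit chains to a chosen asset; and a check of what patching a single vulnerability does to the set of reachable zones. The topology, zone names, service names and `VULN-*` identifiers are constructed placeholders, not components of the Siemens blueprint and not real CVEs.

```python
"""Toy stateful attack-graph traversal in the spirit of the paper's method.
Constructed example, not the authors' code: hosts, zones, firewall flows and
vulnerability ids are invented placeholders (VULN-A .. VULN-D are not CVEs)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Exploit:
    vuln_id: str   # placeholder identifier, not a real CVE
    target: str    # host the vulnerability lives on
    service: str   # network service the attacker must be able to reach


@dataclass(frozen=True)
class Model:
    zone_of: dict       # host -> security zone
    flows: frozenset    # allowed (src_zone, dst_zone, service) triples (firewall policy)
    exploits: tuple     # exploits available against the modeled hosts

    def reachable(self, src, dst, service):
        """Traffic inside a zone is unrestricted; cross-zone traffic needs an explicit flow."""
        sz, dz = self.zone_of[src], self.zone_of[dst]
        return sz == dz or (sz, dz, service) in self.flows

    def patched(self, vuln_id):
        """Copy of the model with one vulnerability fixed (the 'what if we patch' question)."""
        return Model(self.zone_of, self.flows,
                     tuple(e for e in self.exploits if e.vuln_id != vuln_id))


def traverse(model, foothold):
    """Stateful traversal. State = hosts where the attacker can execute code.
    Precondition: a compromised host can reach the target's vulnerable service.
    Consequence: the target joins the state and becomes a new source.
    Returns (edges, compromised); an edge is (src_host, vuln_id, target_host)."""
    compromised = {foothold}
    frontier = deque([foothold])
    edges = []
    while frontier:
        src = frontier.popleft()
        for ex in model.exploits:
            if ex.target == src or not model.reachable(src, ex.target, ex.service):
                continue
            edges.append((src, ex.vuln_id, ex.target))
            if ex.target not in compromised:
                compromised.add(ex.target)
                frontier.append(ex.target)
    return edges, compromised


def attack_paths(edges, foothold, target):
    """All simple exploit chains from foothold to target (the 'all possible paths' view)."""
    paths = []

    def dfs(host, chain, seen):
        if host == target:
            paths.append(tuple(chain))
            return
        for src, vuln, dst in edges:
            if src == host and dst not in seen:
                dfs(dst, chain + [(src, vuln, dst)], seen | {dst})

    dfs(foothold, [], {foothold})
    return paths


def compromised_zones(model, foothold):
    """Zones containing at least one host the attacker can reach from the foothold."""
    _, hosts = traverse(model, foothold)
    return {model.zone_of[h] for h in hosts}


def single_points_of_failure(model, foothold, target):
    """Intermediate hosts whose vulnerabilities, once all patched, sever every chain to target."""
    edges, _ = traverse(model, foothold)
    hosts = {h for e in edges for h in (e[0], e[2])} - {foothold, target}
    spof = set()
    for h in hosts:
        m = model
        for ex in model.exploits:
            if ex.target == h:
                m = m.patched(ex.vuln_id)
        e2, _ = traverse(m, foothold)
        if not attack_paths(e2, foothold, target):
            spof.add(h)
    return spof


# Constructed three-zone plant model; not the blueprint's actual topology.
ZONES = {"ent-ws": "Enterprise", "dmz-jump": "DMZ", "os-server": "Control", "plc": "Control"}
FLOWS = frozenset({("Enterprise", "DMZ", "rdp"), ("DMZ", "Control", "opc"), ("DMZ", "Control", "http")})
EXPLOITS = (
    Exploit("VULN-A", "dmz-jump", "rdp"),
    Exploit("VULN-B", "os-server", "opc"),
    Exploit("VULN-C", "plc", "s7"),
    Exploit("VULN-D", "os-server", "http"),
)
PLANT = Model(ZONES, FLOWS, EXPLOITS)

if __name__ == "__main__":
    edges, hosts = traverse(PLANT, "ent-ws")
    for p in attack_paths(edges, "ent-ws", "plc"):
        print(" -> ".join(f"{s} [{v}] {d}" for s, v, d in p))
    print("zones reached:", compromised_zones(PLANT, "ent-ws"))
    print("single points of failure:", single_points_of_failure(PLANT, "ent-ws", "plc"))
    print("zones reached after patching VULN-A:", compromised_zones(PLANT.patched("VULN-A"), "ent-ws"))
```

In this toy model two chains reach the PLC, both pivoting through the DMZ jump host; `single_points_of_failure` reports that host (and the OS server) as cut points, and patching `VULN-A` alone leaves the attacker confined to the Enterprise zone. That is the same defender-oriented question the paper asks of the blueprint: which single fix protects a whole zone. The firewall-flow set is the place where the referee's "unmodeled constraints" objection bites; anything not expressed there (physical access, timing, protocol-level restrictions) is invisible to the traversal.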

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper claims to introduce a semi-automated approach for generating attack graphs in ICS environments. The method integrates network topology information with vulnerability data to construct a system model, which is then processed by a stateful traversal algorithm to identify potential exploit chains based on preconditions and consequences. A case study on the Siemens PCS7 Cybersecurity Blueprint for Water Treatment Plants is presented to demonstrate the framework's ability to simulate attack scenarios from CVEs and misconfigurations, highlighting effects like single point of failure and benefits of patching.

Significance. If the traversal algorithm correctly models the preconditions and consequences without producing unrealistic paths, the approach could offer practical value for visualizing and prioritizing attack paths in complex ICS setups, providing actionable insights for security in water treatment plants and similar critical infrastructure. The case study shows concrete examples of how the method can inform risk mitigation strategies.

major comments (2)
  1. [Abstract and Case Study] The abstract states that the method works on the case study but provides no quantitative validation, error analysis, or comparison against manual attack graphs; this is load-bearing for assessing whether the stateful traversal correctly models preconditions or produces false positives.
  2. [Methodology] The traversal relies on the assumption that supplied network topology and vulnerability data are complete and accurate enough to produce realistic paths; the paper does not address handling of incomplete data or real-world constraints such as physical access or timing, which directly affects the utility of the generated graphs.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback, which highlights important aspects of validation and real-world applicability. We agree that strengthening the discussion of these points will improve the manuscript and plan revisions accordingly.

Point-by-point responses
  1. Referee: [Abstract and Case Study] The abstract states that the method works on the case study but provides no quantitative validation, error analysis, or comparison against manual attack graphs; this is load-bearing for assessing whether the stateful traversal correctly models preconditions or produces false positives.

    Authors: We acknowledge that the case study is qualitative and does not include quantitative metrics, error rates, or systematic comparison to manually constructed graphs. The primary aim was to illustrate the framework's application to a realistic industrial blueprint. In revision, we will expand the case study section with a qualitative walkthrough comparing generated paths to manually verified exploit chains for selected scenarios, add explicit discussion of potential false positives arising from precondition modeling, and note the lack of quantitative validation as a current limitation with directions for future empirical evaluation. (revision: partial)

  2. Referee: [Methodology] The traversal relies on the assumption that supplied network topology and vulnerability data are complete and accurate enough to produce realistic paths; the paper does not address handling of incomplete data or real-world constraints such as physical access or timing, which directly affects the utility of the generated graphs.

    Authors: The current methodology presentation assumes complete and accurate input data to focus on the traversal algorithm itself. We agree that this is a significant limitation for practical deployment, as real ICS environments frequently involve incomplete topology data, physical access barriers, and timing considerations. In the revised version, we will insert a new subsection under Methodology that explicitly states these assumptions, discusses their implications for graph realism, and outlines how the framework could be extended (e.g., via probabilistic modeling for incomplete data or integration with timing constraints) while keeping the core contribution intact. (revision: yes)

Circularity Check

0 steps flagged

No significant circularity; constructive algorithm with no derivations or fitted inputs.

Full rationale

The paper presents a semi-automated methodology that constructs an attack-graph model from supplied network topology and vulnerability data, then applies a stateful traversal algorithm using precondition/consequence semantics. No equations, parameters, or first-principles derivations appear; the central claim is an engineering procedure whose outputs are produced by direct application of the described algorithm to the inputs. The Siemens PCS7 case study simply executes this procedure on a concrete blueprint and reports the resulting paths (single-point-of-failure effects, zone protection via patching). No self-citations load-bear any uniqueness theorem or ansatz, and no step renames a known result or calls a fitted quantity a prediction. The derivation chain is therefore self-contained and non-circular.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The method rests on the standard assumption that public vulnerability databases and network diagrams are sufficient inputs; no new mathematical constants, fitted parameters, or invented entities are introduced in the abstract.

axioms (1)
  • domain assumption: Network topology and CVE data are accurate and complete representations of the real system.
    Invoked when the traversal algorithm is said to identify realistic exploit chains.

