From Incomplete Architecture to Quantified Risk: Multimodal LLM-Driven Security Assessment for Cyber-Physical Systems
In the current landscape of technology, cyber-physical systems (CPS) face numerous challenges due to incomplete architectural documentation. These issues arise from a variety of factors including the obsolescence of legacy technologies, gaps in knowledge management, and the intricate nature of integrating various subsystems across prolonged operational lifecycles. Such architectural incompleteness significantly hinders reliable security assessments, as the absence of accurate architectural knowledge constrains the identification of system dependencies, potential attack surfaces, and pathways for risk propagation.
Introduction to ASTRAL
To tackle these foundational challenges, a novel architecture-centric security assessment technique called ASTRAL (Architecture-Centric Security Threat Risk Assessment using LLMs) has been introduced. This technique is implemented in a prototype tool that harnesses the capabilities of multimodal large language models (LLMs). ASTRAL is designed to assist practitioners in the reconstruction and analysis of CPS architectures, especially when documentation is either fragmented or entirely absent.
Core Features of ASTRAL
The ASTRAL approach leverages a combination of advanced techniques aimed at enhancing security assessments in CPS. Below are the core features of this innovative tool:
- Prompt Chaining: This technique allows for the iterative querying of the LLM, facilitating deeper insights into system vulnerabilities.
- Few-Shot Learning: ASTRAL can quickly adapt to new data or system architectures, requiring minimal examples to learn effectively.
- Architectural Reasoning: The tool utilizes reasoning capabilities to synthesize system representations from various data sources, enabling a more comprehensive understanding of the CPS architecture.
Integration of LLM Reasoning with Architectural Modelling
By integrating the reasoning power of LLMs with architectural modelling techniques, ASTRAL provides a robust framework for adaptive threat identification and quantitative risk estimation. This integration allows for a more dynamic assessment of risks associated with cyber-physical systems, enabling organizations to make more informed decisions regarding cyber risk management.
Evaluation and Feedback
The efficacy of ASTRAL has been evaluated through an ablation study across multiple CPS case studies. An expert evaluation involving 14 experienced cybersecurity practitioners was also conducted to gather insights into the tool’s practical utility. The feedback from these practitioners indicates that ASTRAL is not only useful but also reliable in supporting architecture-centric security assessments.
Conclusion
Overall, the results of the evaluations underscore that ASTRAL can significantly contribute to enhancing the understanding and management of cyber risks within CPS. By addressing gaps in architectural knowledge and facilitating more precise assessments, this innovative approach represents a promising advancement in the field of cybersecurity, particularly for systems that have historically been difficult to assess due to architectural incompleteness.