BRIDG-ICS: Bridging Industrial & Cyber-Physical Security
- BRIDG-ICS is a framework that unifies industrial control system layers by integrating AI-driven threat analytics, blockchain logging, and secure cyber-physical testbeds to enhance cybersecurity in Industry 5.0 environments.
- It employs an AI-enriched industrial security knowledge graph that fuses diverse data sources and cyber-physical elements to enable real-time risk assessment and multi-stage attack simulation.
- BRIDG-ICS leverages blockchain-based forensic logging and physics-informed temporal detection methodologies to provide audit-ready, resilient, and semantically rich cybersecurity analysis.
BRIDG-ICS (BRIDge for Industrial Control Systems) is a suite of methodologies and technical frameworks spanning AI-driven industrial threat analytics, blockchain-based forensic logging, and secure cyber-physical testbed integration. Its unifying goal is to bridge inherent gaps between IT/OT domains, enable semantically rich and temporally precise cybersecurity analysis, and support robust, audit-ready operation of Industry 5.0 cyber-physical systems.
1. Architectural Foundations and System Integration
BRIDG-ICS comprises cross-cutting system architectures that enable unified security, auditability, and control in industrial and cyber-physical environments. The framework integrates four canonical ICS layers: Field Level (sensors, actuators), Control Level (PLCs), Logical Control Layer (SCADA/MES), and Corporate/Enterprise Level (ERP and business systems) (Ahmadi-Assalemi et al., 2022). In bridging these, BRIDG-ICS fuses:
- Data sources: Public security knowledge bases (CVE, CWE, CAPEC, MITRE ATT&CK for ICS), live ICS/OT telemetry (Purdue model, OPC UA/Sensor logs), and contextual CTI reports (Nandiya et al., 13 Dec 2025).
- Distributed cyber-physical elements: Field-deployed Digital Witness nodes for forensically-sound data anchoring and local buffering, interfaced securely to blockchain-enabled ledgers via REST/TLS (Ahmadi-Assalemi et al., 2022).
- Knowledge graph engines: AI-enriched, domain-extended graph databases unifying industrial assets, communication channels, vulnerabilities, and adversarial behavior (Nandiya et al., 13 Dec 2025).
- Resilient testbed environments: Modular, protocol-driven plant testbeds encompassing wireless/wired sensors, PID-controlled actuators, PLC-level interlocks, and resilient mesh networking (Breza et al., 2020).
The architecture supports high-throughput, low-latency, permissioned blockchain deployment for digital forensics, AI-powered knowledge graph creation for semantic threat analytics, and hybrid control-network co-design for stability and safety guarantees.
2. Industrial Security Knowledge Graph and LLM-Driven Enrichment
At the core of the BRIDG-ICS analytics approach is an AI-grounded Industrial Security Knowledge Graph (KG) (Nandiya et al., 13 Dec 2025). The KG integrates:
- Node types: Assets (PLCs, HMIs, IIoT gateways), vulnerabilities (CVE with EPSS, CVSS attributes), weaknesses (CWE hierarchy), attack patterns (CAPEC), adversarial techniques (MITRE ATT&CK ICS), operational/process variables, domain-extracted entities (TOOL, FILE, URL, CONFIG_PARAM).
- Edge types: Protocol and process data-flows (COMMUNICATES_WITH), vulnerability and mitigation associations (hasVulnerability, hasWeakness, hasMitigation), adversary-action graph links (exploitedBy, uses, suggestedTactic), and LLM-extracted semantic detail (detailAct).
- Quantitative risk attributes: Each edge encodes riskWeight, an exploit probability, and attackCost, supporting risk propagation and scenario simulation.
Language models (SecureBERT, REBEL, NL2KG pipelines) automate knowledge enrichment. They extract entities from unstructured CTI, predict missing relations (e.g., CVE–CWE and CVE–Technique inference), and translate natural-language threat descriptions into structured triples. Predicted links (HAS_POSSIBLE_CWE, HAS_POSSIBLE_TECHNIQUE) are validated with accuracy up to 98.7% for MITRE technique association and 66.5% for missing CWE inference.
3. Probabilistic Risk Modeling and Graph-Analytic Attack Simulation
BRIDG-ICS introduces explicit probabilistic, quantitative risk modeling over its knowledge graph structure (Nandiya et al., 13 Dec 2025). Risk-relevant mathematical formulations and metrics include:
- Edge risk attributes: Each edge's risk is derived from four factors: accessibility, configuration hygiene, exploitability resistance, and residual weakness.
- Probability of exploit:
- Attack cost:
- Aggregate risk weight:
- Multi-stage path probability:
- Node exposure:
Graph-analytic techniques (Yen's k-shortest paths, Dijkstra, PageRank, betweenness centrality, Louvain clustering) are used for multi-stage attack path simulation and resilience analysis. Path scoring combines path probability with accumulated attack cost.
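The following is an added worked example, written for this page and not taken from the BRIDG-ICS implementation or the cited papers. It scores multi-stage attack paths over a small constructed knowledge graph, ranks them, computes node exposure, and then re-runs the metrics after a segmentation control removes an edge, which is the same before/after comparison the evaluation section reports. Because this page does not reproduce the paper's formulas, the scoring model is an assumption: path probability is the product of per-edge exploit probabilities, path cost is the sum of per-edge attack costs, and node exposure is the highest path probability from the entry point. The topology and every number are constructed.

```python
"""Multi-stage attack-path scoring over a small industrial security knowledge graph.

Illustrative code for this page, not the BRIDG-ICS implementation. Assumed scoring
(an assumption, not the paper's formulas): path probability = product of edge
exploit probabilities; path cost = sum of edge attack costs; node exposure =
best path probability from the entry point. Topology and numbers are constructed.
"""
from collections import deque

# (source, target, p_exploit, attack_cost) -- constructed ICS topology
EDGES = [
    ("internet", "erp",    0.6, 2.0),
    ("erp",      "hist",   0.5, 3.0),   # historian in the DMZ
    ("erp",      "eng_ws", 0.3, 4.0),   # engineering workstation reachable from IT
    ("hist",     "scada",  0.7, 2.0),
    ("eng_ws",   "scada",  0.8, 1.0),
    ("eng_ws",   "plc1",   0.9, 1.0),   # direct programming path to the PLC
    ("scada",    "plc1",   0.6, 2.0),
    ("scada",    "plc2",   0.6, 2.0),
    ("plc1",     "plc2",   0.4, 3.0),
]

def build_graph(edges):
    """Adjacency map: node -> list of (target, p_exploit, attack_cost)."""
    g = {}
    for s, t, p, c in edges:
        g.setdefault(s, []).append((t, p, c))
        g.setdefault(t, [])
    return g

def attack_paths(g, src, dst):
    """Enumerate simple paths src -> dst as (path, probability, cost)."""
    stack = [(src, [src], 1.0, 0.0)]
    while stack:
        node, path, p, c = stack.pop()
        if node == dst:
            yield path, p, c
            continue
        for nxt, ep, ec in g[node]:
            if nxt not in path:          # simple paths only: no revisits
                stack.append((nxt, path + [nxt], p * ep, c + ec))

def top_k_paths(g, src, dst, k=3):
    """Most probable attack paths first, ties broken by lower attacker cost.
    Exhaustive enumeration is fine at this size; on a graph with ~260k edges
    you would run Yen's k-shortest paths over -log(p) edge weights instead."""
    return sorted(attack_paths(g, src, dst), key=lambda r: (-r[1], r[2]))[:k]

def node_exposure(g, src):
    """Exposure of every node: best path probability from the entry point."""
    return {n: max((p for _, p, _ in attack_paths(g, src, n)), default=0.0) for n in g}

def reachable(g, src):
    """Assets an attacker at src can reach at all (BFS)."""
    seen, q = {src}, deque([src])
    while q:
        for nxt, _, _ in g[q.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                q.append(nxt)
    return seen - {src}

def min_hops(g, src, dst):
    """Shortest attack path length in hops, or None if dst is unreachable."""
    dist, q = {src: 0}, deque([src])
    while q:
        n = q.popleft()
        if n == dst:
            return dist[n]
        for nxt, _, _ in g[n]:
            if nxt not in dist:
                dist[nxt] = dist[n] + 1
                q.append(nxt)
    return None

def mitigation_report(edges, blocked, src, target):
    """Before/after metrics when a control removes edges, e.g. segmentation
    closing the IT -> engineering-workstation path."""
    before = build_graph(edges)
    after = build_graph([e for e in edges if (e[0], e[1]) not in blocked])
    return {
        "exposure": (node_exposure(before, src)[target], node_exposure(after, src)[target]),
        "min_hops": (min_hops(before, src, target), min_hops(after, src, target)),
        "reachable": (len(reachable(before, src)), len(reachable(after, src))),
    }

if __name__ == "__main__":
    g = build_graph(EDGES)
    for path, p, c in top_k_paths(g, "internet", "plc1"):
        print(f"p={p:.3f} cost={c:.0f} {' -> '.join(path)}")
    print(mitigation_report(EDGES, {("erp", "eng_ws")}, "internet", "plc1"))
```

On this constructed graph the most probable route to plc1 is internet, erp, eng_ws, plc1 (p = 0.162, cost 7); removing the erp-to-eng_ws edge forces the attacker through the historian and SCADA, lengthening the shortest path from 3 to 4 hops, shrinking the reachable asset set from 6 to 5 and lowering plc1 exposure to 0.126. The same loop, run over a full set of candidate controls, is what produces the path-length and exposure deltas a risk report cites.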
4. Secure Industrial Logging via Blockchain and Forensic Readiness
BRIDG-ICS leverages permissioned blockchain infrastructures with smart contracts for secure, immutable, and audit-ready evidence management (Ahmadi-Assalemi et al., 2022). Key features include:
- Digital Witness nodes: Field devices capturing data, timestamping, hashing artifacts, and submitting hash/metadata transactions to the blockchain.
- Blockchain nodes: Deployed across ICS and enterprise domains, hosting append-only ledgers, smart contract runtimes, and consensus engines (Proof-of-Authority [PoA], Practical Byzantine Fault Tolerance [PBFT]).
- Smart contract logic: Modular functions enforce submission rules, validate digital signatures, update on-chain Chain-of-Custody, mediate evidence handoff, and enforce ACLs.
- Cryptographic primitives: Secure hashes of evidence artifacts, digital signatures, Merkle roots over transactions, and hash-chained block linking (each block carries the hash of its predecessor).
- Performance profile: PoA and PBFT enable sub-second block times and throughput exceeding 500 tx/s, well above typical SCADA rates.
Design guidelines mandate digital forensic readiness throughout the SDLC, strict identity management (X.509 certificates), and modularization of smart contract logic for defense-in-depth.
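The following is an added worked example, written for this page and not the code of BRIDG-ICS or Ahmadi-Assalemi et al. It models a Digital Witness that hashes an artifact locally and submits only hash, timestamp and signature; a permissioned ledger whose block-admission checks play the smart-contract role (identity ACL, signature validation, no duplicate anchoring, custody hand-off only by the current custodian); Merkle roots and hash-linked blocks; and a full replay that detects any altered transaction. Assumptions: HMAC-SHA256 with a per-identity key stands in for the X.509-backed signatures the design calls for, consensus between ledger nodes is out of scope, and every identity, key and artifact is constructed.

```python
"""Digital Witness evidence anchoring on a hash-chained, permissioned ledger.

Illustrative code for this page, not the BRIDG-ICS implementation. HMAC-SHA256
stands in for X.509 signatures (assumption); PoA/PBFT consensus is out of scope.
All identities, keys and artifacts below are constructed.
"""
import hashlib, hmac, json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    """Deterministic JSON so every node hashes and verifies identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, body: dict) -> str:
    # HMAC over the canonical body; a real deployment uses the witness's X.509 key.
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def merkle_root(leaf_hashes):
    """Merkle root over transaction hashes; an odd last leaf is duplicated."""
    level = list(leaf_hashes) or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]

class DigitalWitness:
    """Field node: buffers the raw artifact locally, submits only hash + metadata."""
    def __init__(self, witness_id: str, key: bytes):
        self.id, self.key, self.buffer = witness_id, key, {}

    def submit(self, artifact: bytes, ts: int) -> dict:
        h = sha256_hex(artifact)
        self.buffer[h] = artifact          # raw bytes never leave the field node
        body = {"kind": "SUBMIT", "signer": self.id, "artifact_hash": h, "ts": ts}
        return {**body, "sig": sign(self.key, body)}

    def transfer(self, artifact_hash: str, to: str, ts: int) -> dict:
        body = {"kind": "TRANSFER", "signer": self.id,
                "artifact_hash": artifact_hash, "to": to, "ts": ts}
        return {**body, "sig": sign(self.key, body)}

class ForensicLedger:
    """Append-only chain; _apply holds the smart-contract rules (ACL, signature
    check, submission rule, chain-of-custody update)."""
    GENESIS = "0" * 64

    def __init__(self, registry: dict):
        self.registry = dict(registry)     # identity -> verification key
        self.blocks = []

    def _apply(self, tx: dict, custody: dict) -> bool:
        key = self.registry.get(tx.get("signer"))
        if key is None:                                      # ACL: unknown identity
            return False
        body = {k: v for k, v in tx.items() if k != "sig"}
        if not hmac.compare_digest(tx.get("sig", ""), sign(key, body)):
            return False
        h = tx["artifact_hash"]
        if tx["kind"] == "SUBMIT" and h not in custody:      # no duplicate anchoring
            custody[h] = tx["signer"]
            return True
        if (tx["kind"] == "TRANSFER" and custody.get(h) == tx["signer"]
                and tx["to"] in self.registry):              # only the custodian hands off
            custody[h] = tx["to"]
            return True
        return False

    def _replay(self, blocks):
        """Recheck hashes, links, Merkle roots, signatures and custody from genesis;
        returns the custody map, or None if anything was altered."""
        custody, prev = {}, self.GENESIS
        for i, blk in enumerate(blocks):
            body = {k: v for k, v in blk.items() if k != "hash"}
            leaves = [sha256_hex(canonical(t)) for t in blk["txs"]]
            if (blk["index"] != i or blk["prev_hash"] != prev
                    or sha256_hex(canonical(body)) != blk["hash"]
                    or blk["merkle_root"] != merkle_root(leaves)):
                return None
            for tx in blk["txs"]:
                if not self._apply(tx, custody):
                    return None
            prev = blk["hash"]
        return custody

    def add_block(self, txs: list) -> str:
        custody = self._replay(self.blocks)
        if custody is None:
            raise ValueError("ledger integrity check failed")
        for tx in txs:                     # validate against current custody state
            if not self._apply(tx, custody):
                raise ValueError(f"rejected {tx.get('kind')} from {tx.get('signer')}")
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        body = {"index": len(self.blocks), "prev_hash": prev, "txs": txs,
                "merkle_root": merkle_root([sha256_hex(canonical(t)) for t in txs])}
        self.blocks.append({**body, "hash": sha256_hex(canonical(body))})
        return self.blocks[-1]["hash"]

    def verify_chain(self) -> bool:
        return self._replay(self.blocks) is not None

    def custodian_of(self, artifact_hash: str):
        custody = self._replay(self.blocks)
        return None if custody is None else custody.get(artifact_hash)

def demo():
    """Constructed scenario: a PLC-side witness anchors a logic dump and later
    hands custody to an analyst. Returns the ledger and the artifact hash."""
    registry = {"dw-plc1": b"witness-key-1", "dw-hist": b"witness-key-2",
                "analyst": b"analyst-key"}
    ledger = ForensicLedger(registry)
    dw = DigitalWitness("dw-plc1", registry["dw-plc1"])
    tx = dw.submit(b"PLC1 ladder logic dump (constructed bytes)", 1700000000)
    ledger.add_block([tx])
    ledger.add_block([dw.transfer(tx["artifact_hash"], "analyst", 1700000100)])
    return ledger, tx["artifact_hash"]
```

Two properties matter for forensic readiness and both are checked by replay rather than trusted: a transfer signed by a registered identity that is not the current custodian is rejected at admission, and editing even a timestamp inside an already-committed transaction changes its leaf hash, the Merkle root and the block hash, so verify_chain fails on every honest node.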
5. Methods for Bridging Semantic and Temporal Gaps in OT Security
To address the mapping between cyber/logical attacks and process-level anomalous effects, BRIDG-ICS incorporates methodologies from the BRIDGE framework (Ike et al., 2023):
- Semantic alignment: Analyzers model actuation dependencies in SCADA logic, extracting control-time, control-burst, and control-frequency features. Violations (control-time outliers, unexpected burst/frequency shifts) indicate semantic deviations detectable directly from OPC traces.
- Physics-informed temporal detection: A PINN-based transformer autoencoder learns normal process dynamics, incorporating inertial (PDE) consistency laws. The overall loss is the sum of reconstruction, Kullback-Leibler, and physics regularization terms.
- Dynamic, process-calibrated time alignment: Upon a SCADA-side alert, the system waits for an "inertia time block" (ITB) before querying for physical effects in the plant, ensuring that cause-effect relationships are temporally valid.
- End-to-end attack correlation: Only if semantic outliers in SCADA logic and process anomalies in the corresponding ITB-aligned window co-occur is a correlated attack declared. This sharply reduces false positive rates relative to isolated detection streams.
Empirical evaluation on the SCAPHY dataset shows 96.2% true positive and 0.8% false positive rates—substantially outperforming state-of-the-art signature and invariant-based approaches.
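The following is an added worked example, written for this page and not the BRIDGE or BRIDG-ICS code. It runs the three steps above end to end on constructed data: control-time and control-burst features extracted from an OPC write trace flag SCADA-side semantic outliers; a physics residual detector flags process anomalies; and an attack is declared only when the two co-occur after the inertia time block. Assumptions: a first-order inertial tank model (dh/dt = A*u - B*h) with hand-picked constants stands in for the PINN transformer autoencoder, the OPC trace, process telemetry, ITB, window and thresholds are all constructed, and the baseline envelope is learned from the first 500 s of the trace.

```python
"""SCADA semantic outliers correlated with physics residuals after an inertia time block.

Illustrative code for this page, not the BRIDGE/BRIDG-ICS implementation. A
first-order tank model stands in for the PINN autoencoder; the OPC trace, the
process telemetry and every constant are constructed.
"""
DT, A, B = 1.0, 0.01, 0.005            # tank dynamics dh/dt = A*u - B*h (constructed)
ITB, WINDOW, RESID_THRESH = 30, 60, 0.1  # inertia block, effect window (s), residual bound

def build_opc_trace():
    """SCADA -> actuator writes as (t_seconds, tag, value). Constructed."""
    trace = [(t, "FV101.SP", 50.0) for t in range(0, 1200, 60)]        # normal cadence
    trace += [(600 + 2 * i, "FV101.SP", 100.0) for i in range(1, 5)]   # malicious burst 602..608
    trace.append((905, "FV101.SP", 52.0))                               # odd write, no physical effect
    return sorted(trace)

def burst_count(times, t, win):
    return sum(1 for s in times if t - win < s <= t)

def semantic_outliers(trace, train_until=500, burst_win=10):
    """Per-tag control-time (inter-write gap) and control-burst features; the
    envelope is learned on the training window and later writes outside it are flagged."""
    by_tag = {}
    for t, tag, _ in trace:
        by_tag.setdefault(tag, []).append(t)
    alerts = []
    for times in by_tag.values():
        gaps = [(b, b - a) for a, b in zip(times, times[1:])]
        train_gaps = [g for t, g in gaps if t <= train_until]
        lo, hi = min(train_gaps), max(train_gaps)
        max_burst = max(burst_count(times, t, burst_win) for t in times if t <= train_until)
        for t, g in gaps:
            if t > train_until and (g < lo / 2 or g > 2 * hi
                                    or burst_count(times, t, burst_win) > max_burst):
                alerts.append(t)
    return sorted(alerts)

def simulate_process(trace, horizon=1200):
    """Measured level samples (t, u, h). The tank follows the model driven by the
    latest setpoint, plus two constructed disturbances: an unmodelled drift that
    starts one ITB after the burst (the attack's physical effect) and a one-sample
    sensor glitch at t=1100 that has no SCADA-side cause."""
    writes = {t: v for t, _, v in trace}
    h, u, samples = 20.0, 50.0, []
    for t in range(horizon):
        u = writes.get(t, u)
        glitch = 5.0 if t == 1100 else 0.0
        samples.append((t, u, h + glitch))
        h += DT * (A * u - B * h)
        if 630 <= t < 700:
            h += 0.5
    return samples

def physics_residual_anomalies(samples):
    """Flag samples whose one-step prediction from the inertial model misses by
    more than RESID_THRESH (the physics-regularisation idea, without the network)."""
    anomalies = []
    for (t, u, m), (t1, _, m1) in zip(samples, samples[1:]):
        pred = m + DT * (A * u - B * m)
        if abs(m1 - pred) > RESID_THRESH:
            anomalies.append(t1)
    return anomalies

def correlate(alerts, anomalies, itb=ITB, window=WINDOW):
    """Declare an attack only if a SCADA outlier is followed, after the inertia
    time block, by process anomalies inside the ITB-aligned window."""
    anom = set(anomalies)
    return [t for t in alerts
            if any(s in anom for s in range(t + itb, t + itb + window + 1))]

def incidents(correlated, gap=30):
    """Collapse correlated alerts that lie within `gap` seconds into one incident."""
    out = []
    for t in correlated:
        if out and t - out[-1][1] <= gap:
            out[-1][1] = t
        else:
            out.append([t, t])
    return [tuple(x) for x in out]

def run():
    trace = build_opc_trace()
    alerts = semantic_outliers(trace)
    anomalies = physics_residual_anomalies(simulate_process(trace))
    return alerts, anomalies, incidents(correlate(alerts, anomalies))

if __name__ == "__main__":
    alerts, anomalies, found = run()
    print("SCADA outliers:", alerts)
    print("process anomalies:", anomalies[:3], "...", anomalies[-3:])
    print("correlated incidents:", found)
```

On this data the SCADA stream alone raises five alerts (the four burst writes and the stray write at 905) and the process stream alone flags the glitch at 1100; only the burst survives correlation, because its residuals appear in the window that starts one ITB after each write, while the 905 write has no effect and the glitch has no cause. Waiting for the ITB is what makes the match meaningful: checking the process at the moment of the write would miss effects that the plant's inertia has not yet produced.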
6. Experimental Validation and Performance Assessment
Deployments of BRIDG-ICS span laboratory, synthetic, and live industrial environments, leveraging:
- AI-KG platform: Neo4j 5.x with GDS 2.x and PyTorch LLM inference, supporting ~120,000 nodes and ~260,000 edges (Nandiya et al., 13 Dec 2025). KG ingestion and enrichment complete in ≈2 hrs; k-shortest-path attack simulation completes in <200 ms per scenario.
- Benchmarks: Application of controls (e.g., patching, network segmentation) yields measurable improvements—average attack path length increases 25–50%, reachable asset set drops 50–70%, and critical PLC node exposure drops by 75% post-mitigation.
- Physical testbed validation: In the Separator testbed (oil–water separation), mesh-channel wireless control achieves 100% reliability under interference, with process stability maintained within design margins. Safety interlocks and physical emergency measures complement cyber monitoring (Breza et al., 2020).
LLM-driven enrichment demonstrates high accuracy in missing-link prediction, and integrated attack–response simulation demonstrates actionable exposure reduction guidance.
7. Best Practices, Limitations, and Future Directions
BRIDG-ICS elucidates several best practices:
- Modularize physical and logical process blocks by decoupling actuation, interlock, and health-monitoring functions.
- Harmonize scheduling and control bandwidths to ensure control stability under adverse network or adversary conditions.
- Enforce independent safety envelopes and validate closed-loop response under worst-case network delays.
- Integrate digital forensic readiness and machine-auditable evidence capture into all layers of the ICS architecture.
- Leverage AI-driven entity/relation extraction and graph inference to unify cyber–physical visibility.
Limitations identified include one-time calibration effort (e.g., mapping tag names), re-learning after significant architectural changes, and intrinsic detection latency tied to physical process inertia. A plausible implication is that automatic ontology alignment and early-warning proxies during inertia blocks could further improve responsiveness. A future direction is cross-domain enrichment: jointly correlating network, control and process anomalies, and integrating standardized regulatory compliance (GDPR, IEC 62443, NIST SP 800-82) across all logging and analytics pipelines (Nandiya et al., 13 Dec 2025, Ahmadi-Assalemi et al., 2022).
BRIDG-ICS formalizes a multi-modal, AI-assisted framework for unifying cyber and physical industrial security, supporting resilient, audit-ready, and context-aware operation of large-scale Industry 5.0 systems (Nandiya et al., 13 Dec 2025, Ahmadi-Assalemi et al., 2022, Ike et al., 2023, Breza et al., 2020).