Industrial Security Knowledge Graph

• Industrial Security Knowledge Graph is a structured representation of assets, vulnerabilities, controls, and risk metrics for proactive industrial threat detection.
• It employs formal schemas, canonical ontologies, and robust extraction pipelines to unify heterogeneous IT/OT and industry-specific data.
• Relational and probabilistic machine learning techniques, including graph embeddings and anomaly scoring, drive risk mitigation and threat analytics.

An Industrial Security Knowledge Graph (ISKG) is a structured, formal representation that aggregates entities and relationships relevant to industrial security—including assets, vulnerabilities, weaknesses, controls, behaviors, and associated risk metrics—enabling integrative analytics, reasoning, and automation for cyber-physical threat detection, risk analysis, and mitigation across industrial environments. ISKGs serve as the core data backbone unifying heterogeneous operational technology (OT), information technology (IT), and domain-specific knowledge assets. The emergence of machine learning, entity-relation extraction, graph embedding, and risk propagation has resulted in ISKGs becoming essential for proactive, scalable, and context-aware security management in modern converged industrial networks.

1. Formal Schema, Ontologies, and Canonical Models

The ISKG formalism is characterized by a directed labeled property graph, typically defined as $G = (V, E, T_V, T_E, \varphi, \psi)$, where $V$ and $E$ denote the nodes (entities) and directed edges (relations), and $\varphi: V \to T_V$, $\psi: E \to T_E$ assign type functions over finite type sets. Industrial adoption leverages schemas integrating both canonical cybersecurity ontologies (CVE, CWE, CPE, CAPEC, MITRE ATT&CK) and OT/ICS extensions (ISA-95, AutomationML, proprietary asset inventories) (Shi et al., 2023, Nandiya et al., 13 Dec 2025, Garrido et al., 2021).

Typical node types include:

• Asset (PLC, HMI, SCADA_Server, Protocol_Module, Workstation, Sensor, Controller, Process_Object)
• Vulnerability (CVE entries)
• Weakness (CWE classes)
• AttackPattern (CAPEC)
• Technique (ATT&CK)
• Behavior (e.g., UnauthorizedWrite)
• Control (Firewall, IDS)
• Industrial Safety entities: IC (Cause), D (Deviation), ME (Middle Event), C (Consequence), S (Suggestion) (Wang et al., 2021)

Relation types encode:

• hasVulnerability(Asset, Vulnerability)
• manifestsWeakness(Vulnerability, Weakness)
• exploitedBy(Weakness, AttackPattern)
• suggestsTechnique(AttackPattern, Technique)
• controls(Controller, Module)
• runs_on(Application, Host)
• communicatesWith(Host, Host), controlledCommunicatesWith, usesProtocol, accesses, etc.
• RISK(ζ,n): IC → D → ME → C → S, supporting HAZOP propagation modeling (Wang et al., 2021)

Probabilistic risk attributes and weights, such as riskWeight, p_Exploit, attackCost, and controlStrength, augment edges for quantitative analytics (Nandiya et al., 13 Dec 2025).

2. Data Integration, Pipeline Construction, and Information Extraction

ISKG development requires robust, multi-stage ingestion pipelines—starting from authoritative sources (NVD JSON for CVE, CWE, CPE; industry ontologies; AutomationML and OPC-UA logs; Zeek traffic traces; HAZOP reports). Raw records are preprocessed and mapped to ontology classes via schemas reflecting entity and relation types (Shi et al., 2023, Nandiya et al., 13 Dec 2025, Garrido et al., 2021, Wang et al., 2021).

The transformation consists of:

• Entity/Relation Extraction: LLMs (SecureBERT, CySecBERT), seq2seq RE models (REBEL), and template-based postprocessing yield triples (h, r, t)[c] annotated with extraction confidence (Nandiya et al., 13 Dec 2025).
• Event Modeling: Reified event nodes allow temporal queries and support time-windowed anomaly detection or provenance tracing (Garrido et al., 2021).
• Information Standardization: Pattern layers absorb linguistic heterogeneity, mapping terms via functions $f: T_\text{raw} \to T_\text{std}$ (e.g., f(“管线存水”) = IC(pipeline+water-storage)) (Wang et al., 2021).
• Data Layer: Advanced NER models, such as HAINEX (IBERT + BiLSTM + CRF with Industrial Loss), attain F1 ≈ 88.4% on HAZOP text (Wang et al., 2021).

Commercial-scale pipelines automate batch and streaming ingestion, CI/CD schema migrations, periodic retraining (e.g., monthly auto-retrain triggered by Δ triples > threshold), and asset-vulnerability linkage (Shi et al., 2023, Nandiya et al., 13 Dec 2025).

3. Relational and Probabilistic Machine Learning Techniques

A defining feature of ISKGs is the use of relational machine learning—specifically, embedding-based link prediction and energy-based models—to infer latent associations, rank risk, and enable proactive alerting (Shi et al., 2023, Garrido et al., 2021, Nandiya et al., 13 Dec 2025).

Key methods:

• TransE, DistMult, RESCAL: Each entity/relation embedded as $h, r, t \in \mathbb{R}^k$, scores $s(h, r, t)$ parameterize link likelihoods; loss is margin-based ranking: $$L = \sum_{(h, r, t) \in G} \sum_{(h', r, t') \in G'} [\gamma + s(h', r, t') - s(h, r, t)]_+$$ Negatives sampled by type-aware corruption; typical hyperparameters k=200, γ=1, learning rate α=0.01 (Shi et al., 2023).
• Energy-based (RESCAL): Score triple likelihood $\theta_{spo} = e_s^T R_p e_o$, with regularized unsupervised wake-sleep training (Garrido et al., 2021).
• Graph Embedding for Enrichment: FastRP embeddings and KNN are used for missing link proposals, enabling HAS_POSSIBLE_COMMUNICATION inference when score >0.65 (Nandiya et al., 13 Dec 2025).
• LLM Enrichment: SecureBERT fine-tuning yields F1 ≈ 0.82 for NER; REBEL for relation extraction achieves validation accuracy ≈ 0.88 on ICS advisories. LLM-based enrichment increases the triple count by 31% (example: total triples from 128,347 to 168,491), and augments manifestsWeakness by 46% and suggestsTechnique by 350% (Nandiya et al., 13 Dec 2025).
• Anomaly Scoring: Triples scored and thresholded for alert generation; illustrative subgraph alerts trace to low-probability events (thresholds set via per-predicate quantiles) (Garrido et al., 2021).

Evaluation metrics include mean rank (MR), mean reciprocal rank (MRR), Hits@N, ROC-AUC, and precision@k. For example, TransE on NVD-derived KG (CW): MRR ≈ 0.29, Hits@10 ≈ 0.39; LLM-enriched BRIDG-ICS triples increase path-connected asset reachability by 40% and lower average path length by 25% (Nandiya et al., 13 Dec 2025, Shi et al., 2023).

4. Probabilistic Risk Metrics, Attack Simulation, and Path Analytics

ISKGs support advanced quantitative modeling, enabling attack surface analysis, risk scoring, and multi-stage path enumeration (Nandiya et al., 13 Dec 2025, Takko et al., 2021).

Pathwise risk attributes:

• For each edge e=(u, v): $$\text{riskWeight}(u, v) = p_{Exploit}(u, v) \times \frac{criticality(v)}{10}$$
• For a path P: $$p(P) = \prod_{i=1}^{k-1} p_{Exploit}(v_i, v_{i+1}), C(P) = \sum_{i=1}^{k-1} attackCost(v_i, v_{i+1}), R(P) = \sum_{i=1}^{k-1} attackCost(v_i, v_{i+1}) \times p_{Exploit}(v_i, v_{i+1})$$
• Risk propagation: Decayed-sum rates and two-hop aggregates quantify how risk propagates from industrial sectors or geographies onto individual entities $$r_e(t) = \overline{r_e(C)} + \overline{r_e(I)} + \overline{r_e(c)} + \overline{r_e(i)}$$ (Takko et al., 2021).

Attack path simulation uses risk-thresholded BFS with early pruning on path-probability and cost; per-path reporting identifies causal choke-points for mitigation.

5. Safety, Compliance, and Industry-Specific Adaptation

ISKGs extend beyond traditional IT/ICS security to industrial safety, hazard analysis, and functional security workflows:

• Safety Knowledge Graphs (ISKG per (Wang et al., 2021)) incorporate top-down HAZOP-derived ontologies with IC (Cause), D (Deviation), ME (Middle Event), C (Consequence), S (Suggestion) entity/relation classes, supporting pattern-driven migration from heterogeneous domain reports.
• Information extraction from quasi-formal HAZOP text uses robust deep neural NER pipelines (HAINEX), outperforming standard BERT-BiLSTM-CRF models (F1=88.4%) (Wang et al., 2021).
• ISKGs underpin knowledge retrieval, QAS-driven reasoning, auxiliary HAZOP (recommendation retrieval), and hazard propagation navigation.

Compliance mapping leverages entity and edge labeling to align with NIST SP 800-53, IEC 62443, and other standards; deployment of controls demonstrably increases average attack path lengths and reduces node exposure by 60% for the most targeted assets (Nandiya et al., 13 Dec 2025).

6. Secure Control Design and Code Generation with Security Knowledge Graphs

Security knowledge graphs directly guide automated design and code generation, particularly in hardware contexts such as FSMs:

• FSM Security Knowledge Graphs (FSKG), as in SecFSM, include entities such as Vulnerability (with links to CWE IDs), Stage, Type, Check, Consequence, GoodExample, and suggestion nodes. These graphs are linked to both academic and industrial sources.
• User requirements are automatically analyzed to extract vulnerabilities, which are mapped to FSKG nodes; subgraphs provide security checks, code snippets, and mitigation logic for prompt construction (Hu et al., 18 Aug 2025).
• LLM-driven code generation prompts embed security knowledge retrieved from FSKG; for example, adding saturation logic to prevent integer overflow (CWE-190) or default-case branches to avoid Dead State vulnerabilities.
• Quantitative results: SecFSM achieves secure RTL pass rates up to 84% (DeepSeek-R1) and 80% (Claude 3.5), exceeding RAG and base LLM methods (Hu et al., 18 Aug 2025).

Example secure Verilog modules are annotated directly with FSKG node links, supporting traceability and auditability.

7. Scalability, Evaluation, and Best Practices

Production-scale ISKG deployments incorporate:

• Neo4j or triplestore DBs with partitioned storage by plant/floor; ingest rates of 128k–168k triples and >20k nodes in BRIDG-ICS (Nandiya et al., 13 Dec 2025).
• Update automation, incremental ingestion via Kafka connectors, and dual live/staging embedding models to detect and address concept drift.
• Performance: average query latency (reachability) 20–50 ms; path enumeration (k=20) in 0.03 s (Nandiya et al., 13 Dec 2025).
• Evaluation: precision/recall tracking against ground-truth, ROC-AUC ≈ 0.90 and precision@100 ≈ 0.85 for anomaly detection in scaled demo systems (Garrido et al., 2021).
• Visualization: interactive dashboards, graph pattern matching, and subgraph-based interpretability for analyst workflows.
• Analysts are advised to curate ICS-specific corpora, expand ontologies to match sectoral needs, and maintain sliding-window retraining for adaptability (Takko et al., 2021, Shi et al., 2023).

A plausible implication is that, as ISKGs mature, their analytic, reasoning, and automation capabilities enable adaptive, context-aware security strategies in industrial environments driven by data fusion, multi-modal enrichment, and continuous learning at scale.