
threat-modeling-ics

Performs end-to-end OT/ICS threat modeling using Microsoft TMT exports and model files, mapping threats to MITRE ATT&CK for ICS, CWE, and CVSS v4.0 with automated risk-based prioritization.

Introduction

The threat-modeling-ics skill is a specialized tool for security engineers, system architects, and OT/ICS incident responders who need to secure critical infrastructure environments. It bridges the gap between high-level architectural design and technical vulnerability assessment by processing Microsoft Threat Modeling Tool (TMT) artifacts. By analyzing *.tm7 model files and *.csv threat lists, the agent automates the enrichment of security findings with industrial-grade context, ensuring that compliance requirements and operational constraints are addressed systematically.

The skill excels in high-stakes environments where IT/OT convergence introduces unique attack surfaces. It guides users through the Purdue Model (ISA-95) to categorize assets—ranging from field sensors and actuators to SCADA servers and ERP systems—and applies the STRIDE methodology to enumerate threats within these zones. By mapping technical findings to MITRE ATT&CK for ICS, CWE weakness classifications, and CVSS v4.0 scoring, the agent allows teams to transition from raw vulnerability lists to prioritized, risk-aware mitigation strategies.

  • Automated extraction and parsing of Microsoft TMT threat-list exports and architectural model files.

  • Contextual enrichment of threats using MITRE ATT&CK for ICS to identify TTPs relevant to industrial control environments.

  • Severity assessment utilizing CVSS v4.0 and BSI Likelihood of Exploit metrics to tailor risks to OT environments.

  • Comprehensive mapping of risk treatment decisions, including mitigation, transfer, acceptance, and avoidance, to ensure accountability.

  • Application of CIA Triad principles (Confidentiality, Integrity, Availability) specifically tailored to the unique failure modes of PLC, PAC, and HMI assets.

  • Users should treat the TMT CSV as the primary artifact, falling back to the *.tm7 file for missing architectural context regarding trust boundaries and data flows.

  • Ensure that all findings are evaluated against the Purdue Model layers to identify appropriate network segmentation and defense-in-depth strategies.

  • Focus on operational impact categories, such as Denial of View, process disruption, and physical damage, rather than traditional IT metrics alone.

  • Use the agent to produce audit-ready documentation to fulfill regulatory requirements for standards like IEC 62443, NIST SP 800-30, and EU CRA.

  • The skill requires structured TMT input files; make sure exports are clean and reflect the current state of the target system, since stale or partial exports lead to incomplete threat enumeration.

Repository Stats

  • Stars: 1

  • Forks: 0

  • Open Issues: 1

  • Language: Not provided

  • Default Branch: main

  • Sync Status: Idle

  • Last Synced: May 3, 2026, 11:15 PM