Protecting Critical Infrastructure for Disasters: NLP-Based Automated Information Retrieval to Generate Hypothetical Cyberattack Scenarios
Saved in:

| Published in: | Journal of infrastructure systems 2024-09, Vol.30 (3) |
|---|---|
| Main authors: | , , |
| Format: | Article |
| Language: | eng |
| Subject terms: | |
| Online access: | Full text |
| Summary: | Abstract: Cyberattacks disrupt systems, leaving critical infrastructure vulnerable to adversaries, especially during natural disasters. Furthermore, when both a cyberattack and a natural disaster occur concurrently, there are limited tools to ensure further damage beyond the physical is not experienced in crucial societal systems, such as emergency services, which need to operate during any type of hazard. Two prominent knowledge bases for adversary attacks in the cybersecurity community are the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Enterprise Matrix and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Existing processes to derive possible attack methodologies in general from such sources are largely manual and time-consuming. It is essential to automate the information retrieval process to improve efficiency and free up resources for identifying potential cyberattacks. It is also important to identify preventive measures with both human-made and natural hazards in mind. We propose an approach that incorporates Natural Language Processing (NLP) to automatically generate sets of attack paths from the technique descriptions in the Matrix, with both cyber-based and emergency management–based contexts, then map these techniques to the Framework to identify potential relationships between techniques and outlined protective actions. The approach generates outputs showing potential pathways an adversary can take to infiltrate a system, and its respective defense action based on similarity measures. The similarities between techniques and the Framework are evaluated with p-values to determine relevancy of pairings. The results of this study provide an approach to more quickly and effectively assess potential cyberattacks toward protecting critical infrastructure that can be utilized in broader vulnerability analyses, considering contextual data to represent both cyber and natural disaster events. |
| ISSN: | 1076-0342 1943-555X |
| DOI: | 10.1061/JITSE4.ISENG-2407 |