The increasing cyber threats to critical infrastructure highlight the importance of private companies and government agencies in detecting and sharing information about threat activities. Although the need for improved threat information sharing is widely recognized, various technical and organizational challenges persist and hinder effective collaboration. In this study, we review the challenges that hinder the sharing of usable threat information with critical infrastructure operators within the ICS domain. We analyze three major incidents: Stuxnet, Industroyer, and Triton. In addition, we perform a systematic analysis of 196 procedure examples across 79 MITRE ATT&CK techniques from 22 ICS-related malware families, using automated natural language processing techniques to extract and categorize threat observables. We also investigate nine recent ICS vulnerability advisories from the CISA Known Exploitable Vulnerability catalog. Our analysis identifies four important limitations in the ICS threat information sharing ecosystem: (i) the lack of a coherent representation of artifacts related to ICS adversarial techniques in information-sharing language standards (e.g., STIX); (ii) the dependence on undocumented proprietary technologies; (iii) the limited technical detail provided in vulnerability and threat incident reports; and (iv) the accessibility of technical details for observed adversarial techniques. This study aims to guide the development of future information-sharing standards, including the enhancement of the cyber-observable objects schema in STIX, to ensure accurate representation of artifacts specific to ICS environments.
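As an added illustration of limitation (i) (example code written for this page, not the paper's own tooling): a small Python extractor, in the spirit of the automated observable extraction described above, pulls observables out of constructed procedure-example sentences and maps each to a STIX 2.1 cyber-observable object type where a standard one exists. The sample sentences, the ICS-specific patterns, and the placeholder `x-ics-artifact` type are assumptions for this example.

```python
import re

# Constructed sample "procedure example" sentences in the style of ATT&CK
# technique descriptions; illustrative only, not quoted from any real report.
PROCEDURE_EXAMPLES = [
    "The malware dropped vendor_driver.dll into the system directory.",
    "The payload connected to 192.168.10.5 over port 102.",
    "It modified the registry key HKLM\\Software\\Vendor\\Settings.",
    "The module sent Modbus function code 0x05 to the PLC.",
    "The implant replaced ladder logic on the safety controller.",
]

# (category, pattern, STIX 2.1 SCO type). None means no standard SCO fits;
# the ICS categories below are assumptions made for this example.
OBSERVABLE_RULES = [
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "ipv4-addr"),
    ("file", re.compile(r"\b[\w.-]+\.(?:dll|exe|sys)\b", re.I), "file"),
    ("registry", re.compile(r"\bHK(?:LM|CU)\\[\w\\]+", re.I), "windows-registry-key"),
    ("ics-protocol", re.compile(r"\bModbus function code 0x[0-9A-Fa-f]+", re.I), None),
    ("ics-logic", re.compile(r"\bladder logic\b", re.I), None),
]


def extract_observables(text):
    """Return (category, value, sco_type) for every observable found in text."""
    found = []
    for category, pattern, sco_type in OBSERVABLE_RULES:
        for match in pattern.finditer(text):
            found.append((category, match.group(0), sco_type))
    return found


def to_stix_observable(category, value, sco_type):
    """Build a minimal SCO dict (id/spec_version omitted for brevity).
    Artifacts with no standard SCO get a placeholder custom type, which is
    exactly the representation gap the study points at."""
    if sco_type is None:
        return {"type": "x-ics-artifact", "category": category, "value": value}
    prop = {"ipv4-addr": "value", "windows-registry-key": "key"}.get(sco_type, "name")
    return {"type": sco_type, prop: value}


def coverage_report(examples):
    """Count observables representable by a standard SCO vs. needing an extension."""
    covered, gaps = 0, []
    for text in examples:
        for category, value, sco_type in extract_observables(text):
            if sco_type is None:
                gaps.append((category, value))
            else:
                covered += 1
    return {"covered": covered, "gaps": gaps}
```

Running `coverage_report(PROCEDURE_EXAMPLES)` on the constructed sentences shows three observables with a standard STIX type and two ICS-specific artifacts that fall through to the placeholder type.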