Assessing the security posture of Industrial Control Systems (ICS) is critical for protecting essential infrastructure. However, the complexity and scale of these environments make it challenging to identify and prioritize potential attack paths. This paper introduces a semi-automated approach for generating attack graphs in ICS environments to visualize and analyze multi-step attack scenarios. Our methodology integrates network topology information with vulnerability data to construct a model of the system. This model is then processed by a stateful traversal algorithm to identify potential exploit chains based on preconditions and consequences. We present a case study applying the proposed framework to the Siemens PCS7 Cybersecurity Blueprint for Water Treatment Plants. The results demonstrate the framework's ability to simulate different attack scenarios, including those originating from known CVEs and potential device misconfigurations. We show how a single point of failure can compromise network segmentation and how patching a critical vulnerability can protect an entire security zone, providing actionable insights for risk mitigation.

翻译：评估工业控制系统（ICS）的安全态势对于保护关键基础设施至关重要。然而，这些环境的复杂性和规模使得识别和优先处理潜在攻击路径变得困难。本文提出了一种半自动化方法，用于生成ICS环境中的攻击图，以可视化和分析多步攻击场景。该方法将网络拓扑信息与漏洞数据相结合，构建系统模型；随后通过状态遍历算法，基于前置条件和后置结果识别潜在利用链。我们以西门子PCS7水处理厂网络安全蓝图为案例，应用该框架进行实证研究。结果表明，该框架能够模拟不同攻击场景，包括源自已知CVE（通用漏洞披露）及潜在设备错误配置的场景。我们揭示了单点故障如何破坏网络隔离，以及关键漏洞补丁如何保护整个安全区域，为风险缓解提供了可操作的见解。