A Large Language Model-Supported Threat Modeling Framework for Transportation Cyber-Physical Systems
Journal: arXiv
Published Date: Jun 1, 2025
Abstract
Modern transportation systems rely on cyber-physical systems (CPS), where
cyber systems interact seamlessly with physical systems like
transportation-related sensors and actuators to enhance safety, mobility, and
energy efficiency. However, growing automation and connectivity increase
exposure to cyber vulnerabilities. Existing threat modeling frameworks for
transportation CPS are often limited in scope, resource-intensive, and
dependent on significant cybersecurity expertise. To address these gaps, we
present TraCR-TMF (Transportation Cybersecurity and Resiliency Threat Modeling
Framework), a large language model (LLM)-based framework that minimizes expert
intervention. TraCR-TMF identifies threats, potential attack techniques, and
corresponding countermeasures by leveraging the MITRE ATT&CK matrix through
three LLM-based approaches: (i) a retrieval-augmented generation (RAG) method
requiring no expert input, (ii) an in-context learning approach requiring low
expert input, and (iii) a supervised fine-tuning method requiring moderate
expert input. TraCR-TMF also maps attack paths to critical assets by analyzing
vulnerabilities using a customized LLM. The framework was evaluated in two
scenarios. First, it identified relevant attack techniques across
transportation CPS applications, with 90% precision as validated by experts.
Second, using a fine-tuned LLM, it successfully predicted multiple
exploitations including lateral movement, data exfiltration, and
ransomware-related encryption that occurred during a major real-world
cyberattack incident. These results demonstrate TraCR-TMF's effectiveness in
CPS threat modeling, its reduced reliance on cybersecurity expertise, and its
adaptability across CPS domains.