Author: Denis Avetisyan
This research introduces a novel methodology for identifying security risks in containerized deployments within critical operational technology environments.

A new ontology-based framework, CSRO, enables reproducible and technically integrated security risk identification for containerized OT systems.
While containerisation offers agility in operational technology (OT) deployments, elevated privileges required for low-level access introduce significant security vulnerabilities. This paper, ‘An Ontology-Based Approach to Security Risk Identification of Container Deployments in OT Contexts’, addresses the challenge of consistently identifying these risks within complex, hybrid IT/OT environments. We present the Container Security Risk Ontology (CSRO), a model-based approach enabling automated, reproducible risk assessment by formalising the link between deployment artefacts and potential threats. Could this formalisation pave the way for more proactive and integrated security measures in critical OT infrastructure?
The Inevitable Cascade: Why Structured Threat Modeling Matters
Conventional threat modeling frequently depends on spontaneous lists and brainstorming sessions, a practice increasingly inadequate for modern, intricate systems. While seemingly efficient for initial assessments, this ad-hoc approach often fails to comprehensively identify the full spectrum of potential attacks, particularly those arising from the complex interactions within interconnected components. The lack of a structured methodology means that subtle vulnerabilities and cascading failures can be overlooked, leaving systems exposed to unforeseen exploits. Consequently, security teams may find themselves reacting to incidents rather than proactively mitigating risks, and the resulting defenses may be incomplete or misdirected, especially as system complexity continues to escalate.
The reliance on unstructured brainstorming and ad-hoc lists in traditional threat modeling often results in incomplete assessments of potential security risks. This informal approach frequently fails to map the complex dependencies between vulnerabilities and attack vectors, meaning that a single initial compromise can cascade into multiple system failures without being adequately foreseen. Consequently, threat actors may exploit unforeseen combinations of weaknesses, bypassing defenses designed to address isolated issues. A systematic methodology is crucial to identify not only individual threats but also the logical relationships that amplify their impact, allowing security professionals to proactively mitigate the most critical vulnerabilities before they are exploited.
Robust security isn’t achieved through reactive measures, but through proactively dismantling potential attacks into manageable components and establishing a clear order of defense. A systematic approach to threat modeling involves identifying critical assets, mapping potential attack vectors, and analyzing the likelihood and impact of each threat. This deconstruction allows security teams to move beyond generalized concerns and focus on specific vulnerabilities. By prioritizing defenses based on risk – considering both the probability of an attack and the damage it could inflict – resources can be allocated effectively, strengthening the most vulnerable areas of a system. Ultimately, this structured methodology transforms security from a state of constant reaction to a position of informed preparedness, bolstering resilience against evolving threats.

Formalizing the Inevitable: Model-Based Security Approaches
CORAS employs a model-based security approach by representing system components and their interconnections as a graph, allowing security analysts to systematically identify potential threats. This framework facilitates threat identification through the creation of attack models that map out possible attack paths, starting from initial attacker access points and progressing through system vulnerabilities to critical assets. The modeling process is structured around assets, vulnerabilities, and attack steps, enabling a detailed analysis of potential risks. By formally representing the system and its weaknesses, CORAS moves beyond ad-hoc threat assessments and supports a more rigorous and repeatable security analysis process.
The CORAS framework enables security professionals to collaboratively brainstorm potential threats and document them as attack models. These models are visually represented as directed graphs, illustrating potential pathways an attacker could take to compromise system assets. Nodes in the graph typically represent assets, vulnerabilities, and attack steps, while edges define the relationships and dependencies between them. This visual approach facilitates the identification of critical attack paths and allows for a systematic analysis of the associated risks, providing a clear understanding of how an attacker might progress from initial access to achieving their objectives. The resulting models support focused mitigation strategies and improve the effectiveness of security controls.
CORAS enhances threat analysis by directly incorporating established threat knowledge bases, most notably MITRE ATT&CK. This integration allows the system to map identified attack paths to known adversary tactics and techniques, providing contextualized insights into potential attacker behaviors. By leveraging this existing body of knowledge, CORAS moves beyond simple threat identification to facilitate reproducible risk assessments and the derivation of specific treatment recommendations. The system’s ability to link modeled threats to documented techniques enables a technically integrated solution capable of automating aspects of both risk analysis and mitigation planning, as validated by the current implementation.
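As an added illustration (not code from the paper, CORAS or CSRO), the model-based idea the section describes, reduced to its core: a deployment artefact is mapped onto ontology-style triples, and rules link configuration facts to a threat and a treatment. The artefact, the predicate and class names and the rule set are constructed assumptions for the example.

```python
"""Constructed illustration of model-based risk identification: a deployment
artefact is mapped onto a small knowledge graph of (subject, predicate, object)
triples, and rules link configuration facts to threats and treatments."""

# Constructed deployment artefact, loosely shaped like a compose service list.
DEPLOYMENT = {
    "plc-gateway": {"privileged": True, "network_mode": "host",
                    "volumes": ["/dev:/dev", "/var/run/docker.sock:/var/run/docker.sock"]},
    "historian": {"privileged": False, "network_mode": "bridge",
                  "volumes": ["hist-data:/var/lib/db"]},
}

# Risk rules (hypothetical class names): (predicate, object) -> (threat, treatment).
RULES = {
    ("hasConfiguration", "PrivilegedMode"):
        ("ContainerEscapeToHost", "drop --privileged; add only the capabilities needed"),
    ("hasConfiguration", "HostNetwork"):
        ("LateralMovementOnOTNetwork", "use a dedicated bridge network with egress rules"),
    ("mountsHostPath", "/dev"):
        ("DirectDeviceTampering", "mount only the specific device nodes required"),
    ("mountsHostPath", "/var/run/docker.sock"):
        ("HostControlViaRuntimeSocket", "remove the socket mount"),
}

def build_graph(deployment):
    """Turn artefact fields into ontology-style triples."""
    g = set()
    for name, spec in deployment.items():
        g.add((name, "rdf:type", "Container"))
        if spec.get("privileged"):
            g.add((name, "hasConfiguration", "PrivilegedMode"))
        if spec.get("network_mode") == "host":
            g.add((name, "hasConfiguration", "HostNetwork"))
        for vol in spec.get("volumes", []):
            src = vol.split(":")[0]
            if src.startswith("/"):          # host path, not a named volume
                g.add((name, "mountsHostPath", src))
    return g

def identify_risks(g):
    """Match every triple against the rules; return {container: [(threat, treatment)]}."""
    risks = {s: [] for (s, p, o) in g if p == "rdf:type" and o == "Container"}
    for (s, p, o) in sorted(g):
        hit = RULES.get((p, o))
        if hit:
            risks[s].append(hit)
    return risks
```

Because the rules key on graph facts rather than on the artefact's file format, the same rule set can be reused when a different artefact type is mapped onto the same predicates, which is what makes the assessment reproducible.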

Deconstructing the Attack Surface: The Logic of Attack Trees
Attack Trees provide a structured, hierarchical approach to threat modeling, differing from other methods by explicitly defining an attacker’s goals and the various ways those goals can be achieved. This visualization technique decomposes a high-level attack objective into successively smaller sub-goals – or ‘nodes’ – representing specific actions an attacker might take. Each node can be further broken down, illustrating multiple paths to compromise a system. The resulting tree diagram facilitates a comprehensive analysis of potential threats by revealing all plausible attack vectors, enabling security professionals to prioritize mitigation efforts based on the likelihood and impact of each path. Unlike flat lists of vulnerabilities, Attack Trees emphasize the logical relationships between attack steps, offering a more nuanced understanding of attacker behavior.
Attack trees decompose a malicious objective – the root of the tree – into a hierarchical structure of sub-objectives, or AND/OR nodes, representing the various ways an attacker could achieve their goal. AND nodes signify that all sub-goals must be met for the parent goal to be achieved, while OR nodes indicate that satisfying any one of the sub-goals is sufficient. This structure allows security analysts to systematically enumerate potential attack paths, identifying critical vulnerabilities represented by leaf nodes – the most basic steps an attacker must complete. By visualizing the complete attack surface in this manner, teams can prioritize mitigation efforts based on the likelihood and impact of each path, and more effectively identify weaknesses in a system’s defenses.
Integrating Attack Trees with the MITRE ATT&CK framework provides security professionals with a structured means of correlating potential attack paths with documented adversary behaviors. This mapping allows for the identification of specific tactics, techniques, and procedures (TTPs) employed within each node of the Attack Tree, facilitating a more granular risk assessment. By linking abstract attack goals to concrete ATT&CK techniques, organizations can prioritize mitigation efforts based on observed adversary behavior and the likelihood of successful exploitation. This integration is crucial for developing automated risk assessment tools, enabling dynamic security posture adjustments based on real-time threat intelligence and the evolving threat landscape.
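As an added example, not code from the paper: the AND/OR evaluation described above, run over a constructed attack tree for a containerised OT gateway whose leaves are labelled with ATT&CK technique IDs (the tree, its node wording and those labels are assumptions chosen for illustration, not validated mappings). It enumerates every minimal attack path for a tree of any depth, and then counts how many paths a control against each technique would remove, which is the prioritisation the text describes.

```python
"""Constructed attack tree for a containerised OT gateway showing the AND/OR
semantics above. Leaves carry ATT&CK technique IDs as illustrative labels."""
from itertools import product

# Node kinds: ("AND", children), ("OR", children) or ("LEAF", technique_id).
TREE = {
    "Tamper with PLC through gateway container": ("AND", [
        "Run attacker code in gateway container", "Reach host or OT network from container"]),
    "Run attacker code in gateway container": ("OR", [
        "Exploit exposed gateway service", "Push modified image with leaked registry credentials",
        "Pull compromised base image"]),
    "Reach host or OT network from container": ("OR", [
        "Escape privileged container to host", "Use host network mode to reach PLC"]),
    "Exploit exposed gateway service": ("LEAF", "T1190"),
    "Push modified image with leaked registry credentials": ("LEAF", "T1078"),
    "Pull compromised base image": ("LEAF", "T1195"),
    "Escape privileged container to host": ("LEAF", "T1611"),
    "Use host network mode to reach PLC": ("LEAF", "T1021"),
}

def attack_paths(node):
    """Minimal leaf sets (frozensets of technique IDs) that achieve `node`."""
    kind, data = TREE[node]
    if kind == "LEAF":
        return [frozenset([data])]
    child_paths = [attack_paths(child) for child in data]
    if kind == "OR":                      # any one child suffices
        return [p for paths in child_paths for p in paths]
    return [frozenset().union(*combo)     # AND: one path from every child
            for combo in product(*child_paths)]

def paths_blocked_by(root, techniques):
    """How many attack paths would a control for each technique remove?"""
    paths = attack_paths(root)
    return {t: sum(1 for p in paths if t in p) for t in techniques}

def paths_remaining(root, mitigated):
    """Attack paths that contain none of the mitigated techniques."""
    return [p for p in attack_paths(root) if not (p & set(mitigated))]
```

In this tree the two leaves under the narrower OR branch each sit on half of the six paths, so a control there (dropping privileged mode, or host networking) removes more paths than any single control on the wider branch.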
The presented methodology, CSRO, inherently acknowledges the transient nature of security postures within operational technology. Any identified mitigation, however robust initially, will inevitably face new vulnerabilities as the system evolves. This aligns with Andrey Kolmogorov’s observation: “The most important thing in science is not to be right, but to be systematic.” The systematic approach of CSRO – building a knowledge graph to model risks – doesn’t promise perpetual security, but rather a structured understanding that facilitates adaptation. The ontology’s strength lies in its ability to represent the decay of security effectiveness over time, permitting proactive adjustments rather than reactive responses to inevitable compromise. Acknowledging this temporal dimension is key to graceful aging of the system.
What Lies Ahead?
The presented approach, while offering a structured methodology for identifying security risks in containerized operational technology, merely addresses a transient state. Every architecture lives a life, and this one, too, will inevitably succumb to the pressures of evolving threats and increasingly complex deployments. The very act of formalizing risk – of creating a static representation of a dynamic problem – introduces a delay. Improvements age faster than one can understand them.
Future work must acknowledge this inherent limitation. The focus shouldn’t solely be on expanding the ontology – though that will certainly occur – but on developing mechanisms for its continuous, automated refinement. A system capable of learning from incident reports, vulnerability disclosures, and real-time network analysis would be less a snapshot and more a living model of the threat landscape.
Ultimately, the true challenge isn’t building a perfect risk assessment, but accepting that all assessments are imperfect. The value lies not in eliminating risk, an impossible task, but in understanding its contours, and building systems resilient enough to absorb inevitable failures. This approach offers a step toward that understanding, a temporary bulwark against the entropy inherent in all complex systems.
Original article: https://arxiv.org/pdf/2601.04010.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2026-01-08 22:49