While threat modeling is widely recommended to support penetration test planning, penetration testing can, in turn, serve to verify and validate design-phase threat modeling outcomes. Yet, this interrelation remains largely overlooked in academic research. To address this gap, this study proposes BRIDGE, a nine-stage threat modeling-driven penetration testing methodology that connects the design and testing phases. Guided by design-phase threat modeling results, the methodology supports structured test selection, enabling a more focused and efficient testing process. The study introduces a mapping of MITRE ATT&CK for ICS techniques to STRIDE threat categories, establishing a key link between high-level threat analysis performed during system design and the intermediate-level attack representation required for penetration test planning. The methodology’s practical applicability is demonstrated through a real-world case study of a recently deployed microgrid system. The study also examines the effectiveness of CVSS v4.0 compared to v3.1 in representing the distinctive risk profile of ICS vulnerabilities, considering both security requirements and potential safety impacts. This research provides practical guidance for ICS cybersecurity practitioners to enhance penetration test planning efficiency, ensure adequate coverage of critical threat testing, and streamline collaboration with third-party testers. Researchers can leverage the proposed methodology and the MITRE ATT&CK to STRIDE mapping to develop detailed ICS testing procedures, thereby contributing to the advancement of structured ICS security testing practices.
Khalil et al. (Sun,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: