Standards and Guidance
- NIST SP 800-82 Rev. 2 (ICS Security)
- NIST SP 800-154 (Threat Modeling)
- ISA/IEC 62443 Series (Overview)
- NCSC: Threat Modelling
Use standards to anchor scope, control expectations, and terminology. Use attack models to turn that scope into paths you can test.
Intrusion and Behavior Models
The Attack Models Library
This library is a curated starting point. It prioritizes primary sources, widely used knowledge bases, and standards that organizations actually reference. Each item here is useful because it can be mapped into a model, a detection, a control, or a test plan.
Technique and Tactic Knowledge Bases
MITRE ATT&CK provides a shared vocabulary for adversary behavior. Its ICS matrix extends that vocabulary into industrial environments where the attacker is targeting controllers and processes.
Attack Patterns, Weaknesses, and Vulnerabilities
These three layers form a practical chain: patterns describe how attacks happen, weaknesses describe root causes, and vulnerabilities describe specific instances in products. A mature attack model uses all three.
- CAPEC: Common Attack Pattern Enumeration and Classification
- CWE: Common Weakness Enumeration
- CVE: Common Vulnerabilities and Exposures
- NVD: National Vulnerability Database
- CVSS v3.1 Specification
Representing and Sharing Models
If you want your models to power automation, you need machine-readable formats. STIX is commonly used for expressing cyber threat and observable information, and TAXII is used for sharing it between systems.
Attack Trees and Attack Graphs
For computed path analysis and design-time reasoning, start with the classic references, then move into tooling and domain-specific extensions.
Tools and Practice
Prefer primary sources. If a blog contradicts a specification, trust the specification.
Contribute a Reference
If you found a strong paper, a standard, or a dataset that belongs here, email it with a short justification and where it fits: