The Enemy within the Process: Simulating Internal Threat Actor Attacks in Industrial Control Systems via BPMN

What happens when the person who knows the system becomes the threat? A legitimate operator who deviates a single step in a BPMN process can compromise an entire industrial plant, often without triggering a single alert.

Industrial Control Systems (ICS) govern critical infrastructure across energy, water, and manufacturing sectors. Unlike external attackers, an internal threat actor holds valid credentials and operational knowledge of the system, making them an underestimated and hard-to-detect risk. This thesis addresses a gap in the literature by simulating insider attacks on ICS processes modelled in BPMN and executed on real engines.

Objectives:

· Analyze scientific literature about attack simulation in BPMN

· Model attack scenarios in BPMN

· Simulate internal threat actors in BPMN engine

Refernces:

· https://ctid.mitre.org/projects/insider-threat-ttp-knowledge-base/

· Hacks, S., Lagerström, R., & Ritter, D. (2021, October). Towards automated attack simulations of BPMN-based processes. In 2021 IEEE 25th International Enterprise Distributed Object Computing Conference (EDOC) (pp. 182-191). IEEE.

· von der Assen, J., Hochuli, J., Grübl, T., & Stiller, B. (2024, September). The danger within: Insider threat modeling using business process models. In 2024 IEEE International Conference on Cyber Security and Resilience (CSR) (pp. 186-192). IEEE.

· Salnitri, M., Dalpiaz, F., & Giorgini, P. (2017). Designing secure business processes with SecBPMN. Software & Systems Modeling, 16(3), 737-757.

· Cybersecurity

· Java or Python

· Basic knowledge of ICS/OT environments is a plus