A Large Language Model-Supported Threat Modeling Framework for Transportation Cyber-Physical Systems

Published: 29 Aug 2025, Last Modified: 13 Mar 2026 | IEEE Access | Everyone | CC BY 4.0
Abstract: Increased reliance on automation and connectivity exposes transportation cyber-physical systems (CPS) to many cyber vulnerabilities. Existing threat modeling frameworks are often narrow in scope, labor-intensive, and require substantial cybersecurity expertise. To this end, we introduce the Transportation Cybersecurity and Resiliency Threat Modeling Framework (TraCR-TMF), a large language model (LLM)-based threat modeling framework for transportation CPS that requires limited cybersecurity expert intervention. TraCR-TMF identifies threats, potential attack techniques (i.e., methods to exploit vulnerabilities), and relevant countermeasures (e.g., attack detection and mitigation strategies) for transportation CPS. Three LLM-based approaches support these identifications: (i) a retrieval-augmented generation approach requiring no cybersecurity expert intervention, (ii) an in-context learning approach with low intervention from cybersecurity experts, and (iii) a supervised fine-tuning approach with moderate cybersecurity expert intervention. TraCR-TMF offers LLM-based attack path identification for critical assets based on vulnerabilities across different transportation CPS entities. Additionally, it incorporates the Common Vulnerability Scoring System (CVSS) scores of previously exploited vulnerabilities to prioritize threat mitigations. The framework was evaluated through two use cases. First, the framework identified relevant attack techniques for various transportation CPS applications, about 73% of which were validated by cybersecurity experts as correct. Second, the framework was used to identify attack paths for a target asset in a real-world cyberattack incident. TraCR-TMF successfully predicted exploitations, such as lateral movement of adversaries, data exfiltration, and data encryption for ransomware, as reported in the incident. These findings demonstrate TraCR-TMF’s efficacy in transportation CPS threat modeling while reducing the need for extensive involvement of cybersecurity experts. To facilitate real-world adoption, all our code is shared via an open-source repository.