SRAG: Security Retrieval Augmented Generation-based AI assistance for handling security advisories for automation technology

The European Union's Cyber Resilience Act requires high security standards for critical infrastructures and industries such as energy and water supply or mechanical and plant engineering. These critical areas are generally highly automated and rely on automation technology which protection against cyber attacks is of central importance. Component manufacturers and system operators therefore regularly check their products for known vulnerabilities, e.g. in the software libraries used, by comparing them with vulnerability databases such as those of the VDE (CERT@VDE). If vulnerabilities are discovered, security advisories are created and published in a machine-readable format. Vulnerabilities are identified using the CVE referencing system (cve.mitre.org). If vulnerabilities are found, decisions must be made on the basis of a risk assessment and the recommendations for actions in the security advisories. This results in the planning of maintenance intervals for required updates, which leads to production downtimes.

Current problems in the interaction between component manufacturers and system operators lie, among others, in the different application of standards. In practice, vulnerability descriptions do not consistently use uniform product designations and legacy descriptions in particular are not consistently compliant. Despite the standardized machine-readable CSAF format, security advisories are often still available in HTML format or as PDF files. In addition, recommendations for action from security advisories are often unspecific and rarely allow vulnerabilities to be assigned to specific applications and functions of a system operator. This makes it difficult or impossible to derive individual or industry-based instructions for action and they are therefore often simply ignored. Manual asset management and the periodic comparison of inventory lists and vulnerability databases also pose personnel challenges, especially for SMEs, which often leads to delayed or non-response to potential threats.

AI assistance and LLMs can provide a suitable solution to the problems described above. For this reason, the project SRAG as part of the German government's IT security program "Digital. Sicher. Souverän" with research focus on IT security through AI deals with the development of a domain-specific solution approach for an AI-based assistance system (Security-RAG) for handling vulnerabilities and security advisories in the field of automation technology. The solution approach defines the following goals: (i) AI-based detection of vulnerabilities by developing approaches for enriching large language models (LLM) with new data sets (e.g. CVEs, SBOM, security advisories) using fine-tuning and agent-based retrieval augmented generation (RAG); (ii) Identification of vulnerabilities in components using Security-RAG. (iii) AI-based support for end users through situation-related and secure recommendations for actions generated on the basis of vulnerability reports and specific use cases using LLMs as well as explanations of the AI decision using Shapley interactions.

The consortium consists of the research partners Fraunhofer IOSB-INA and TH OWL/inIT, the VDE Association and four other corporate partners. Within the project, inIT is mainly involved in carrying out a practical requirements analysis with the participating industrial companies with regard to (partially) automatic risk assessments and the prototypical implementation of a risk assessment software.