This study identifies four critical bottlenecks hindering industrial control system (ICS) threat intelligence sharing: inconsistent representation of ICS-specific artifacts in standards such as STIX; absence of vendor-specific technical documentation; insufficient technical detail in vulnerability and incident reports; and limited observability of ICS attack behaviors. Leveraging NLP-based automated analysis, ATT&CK mapping, STIX semantic review, and ICS malware behavioral modeling, the work analyzes three major incidents (including Stuxnet), 196 MITRE ATT&CK software instances, and nine CISA advisories. It provides the first empirical evidence of structural gaps in existing standards regarding ICS-specific observable objects. Based on these findings, the study proposes an extensible, ICS-tailored threat intelligence sharing framework and delivers actionable technical guidance for standards development organizations and critical infrastructure operators to advance interoperable, operationally relevant intelligence exchange.

The increasing cyber threats to critical infrastructure highlight the importance of private companies and government agencies in detecting and sharing information about threat activities. Although the need for improved threat information sharing is widely recognized, various technical and organizational challenges persist, hindering effective collaboration. In this study, we review the challenges that disturb the sharing of usable threat information to critical infrastructure operators within the ICS domain. We analyze three major incidents: Stuxnet, Industroyer, and Triton. In addition, we perform a systematic analysis of 196 procedure examples across 79 MITRE ATT&CK techniques from 22 ICS-related malware families, utilizing automated natural language processing techniques to systematically extract and categorize threat observables. Additionally, we investigated nine recent ICS vulnerability advisories from the CISA Known Exploitable Vulnerability catalog. Our analysis identified four important limitations in the ICS threat information sharing ecosystem: (i) the lack of coherent representation of artifacts related to ICS adversarial techniques in information sharing language standards (e.g., STIX); (ii) the dependence on undocumented proprietary technologies; (iii) limited technical details provided in vulnerability and threat incident reports; and (iv) the accessibility of technical details for observed adversarial techniques. This study aims to guide the development of future information-sharing standards, including the enhancement of the cyber-observable objects schema in STIX, to ensure accurate representation of artifacts specific to ICS environments.