A Large Language Model-Supported Threat Modeling Framework for Transportation Cyber-Physical Systems

📅 2025-06-01
🤖 AI Summary
Cybersecurity threats to Connected and Automated Transportation Cyber-Physical Systems (CPS) are escalating due to their high interconnectivity and autonomy; however, existing threat modeling approaches suffer from limited scope, high computational overhead, and heavy reliance on domain expertise. To address these challenges, we propose TraCR-TMF—a lightweight, large language model (LLM)-driven threat modeling framework. TraCR-TMF innovatively integrates the MITRE ATT&CK knowledge graph with three LLM paradigms: Retrieval-Augmented Generation (RAG), in-context learning, and supervised fine-tuning. It enables automated threat identification, attack technique classification, countermeasure recommendation, and dynamic mapping of attack paths to critical assets. The framework substantially reduces dependence on human security experts. Evaluated on real-world transportation CPS deployments, it achieves 90% threat identification accuracy and successfully reconstructs and predicts sophisticated adversarial behaviors—including lateral movement, data exfiltration, and ransomware encryption.

📝 Abstract
Modern transportation systems rely on cyber-physical systems (CPS), where cyber systems interact seamlessly with physical systems like transportation-related sensors and actuators to enhance safety, mobility, and energy efficiency. However, growing automation and connectivity increase exposure to cyber vulnerabilities. Existing threat modeling frameworks for transportation CPS are often limited in scope, resource-intensive, and dependent on significant cybersecurity expertise. To address these gaps, we present TraCR-TMF (Transportation Cybersecurity and Resiliency Threat Modeling Framework), a large language model (LLM)-based framework that minimizes expert intervention. TraCR-TMF identifies threats, potential attack techniques, and corresponding countermeasures by leveraging the MITRE ATT&CK matrix through three LLM-based approaches: (i) a retrieval-augmented generation (RAG) method requiring no expert input, (ii) an in-context learning approach requiring low expert input, and (iii) a supervised fine-tuning method requiring moderate expert input. TraCR-TMF also maps attack paths to critical assets by analyzing vulnerabilities using a customized LLM. The framework was evaluated in two scenarios. First, it identified relevant attack techniques across transportation CPS applications, with 90% precision as validated by experts. Second, using a fine-tuned LLM, it successfully predicted multiple exploitations including lateral movement, data exfiltration, and ransomware-related encryption that occurred during a major real-world cyberattack incident. These results demonstrate TraCR-TMF's effectiveness in CPS threat modeling, its reduced reliance on cybersecurity expertise, and its adaptability across CPS domains.

Problem

Research questions and friction points this paper is trying to address.

Develops LLM-based framework for transportation CPS threat modeling
Reduces dependency on cybersecurity expertise in threat identification
Enhances threat detection precision and adaptability in CPS domains

Innovation

Methods, ideas, or system contributions that make the work stand out.

LLM-based framework minimizes expert intervention
Uses RAG, in-context learning, fine-tuning methods
Customized LLM analyzes vulnerabilities and attack paths
M. Salek
Glenn Department of Civil Engineering, Clemson University, Clemson, SC 29634 USA
Mashrur Chowdhury
Founding Director, National Center for Transportation Cybersecurity and Resiliency
CPS Cybersecurity, Transportation Cyber-Physical-Social Systems, Connected Autonomous Vehicles
Muhaimin Bin Munir
Graduate Research Assistant, University of Texas at Dallas
Natural Language Processing, Computer Vision, Image Processing, Machine Learning
Yuchen Cai
Erik Jonsson School of Engineering and Computer Science, The University of Texas at Dallas, Richardson, TX 75080 USA
Mohammad Imtiaz Hasan
Glenn Department of Civil Engineering, Clemson University, Clemson, SC 29634 USA
J. Tine
Glenn Department of Civil Engineering, Clemson University, Clemson, SC 29634 USA
Latifur Khan
Professor, University of Texas at Dallas
Data Streams, Big Data Analytics, Text Analytics, Cyber Security, Geographic Data Processing
Mizanur Rahman
Department of Civil, Construction, and Environmental Engineering, The University of Alabama, Tuscaloosa, AL 35487 USA