To address the challenge of detecting stealthy security threats in industrial control systems (ICS), this paper proposes a data-driven attack-pattern mining method grounded in real-world operational logs. Leveraging actual runtime data from a water treatment plant, the method automatically generates over 100,000 semantically valid and executable attack patterns, enabling large-scale, multi-scenario threat modeling and simulation. Its key innovation lies in the first-ever coupling of industrial process logic constraints with anomalous behavioral patterns, thereby ensuring verifiable and logically consistent attack-path generation. Crucially, the framework operates without requiring prior knowledge of known attacks, significantly enhancing both coverage and fidelity in ICS security assessment. Case studies demonstrate that the method uncovers deep logical-level threats—undetectable by conventional intrusion detection techniques—thereby providing a scalable technical foundation for proactive ICS defense.

This work focuses on validation of attack pattern mining in the context of Industrial Control System (ICS) security. A comprehensive security assessment of an ICS requires generating a large and variety of attack patterns. For this purpose we have proposed a data driven technique to generate attack patterns for an ICS. The proposed technique has been used to generate over 100,000 attack patterns from data gathered from an operational water treatment plant. In this work we present a detailed case study to validate the attack patterns.