Search papers, labs, and topics across Lattice.
This paper introduces a non-invasive, multi-agent pipeline that transforms natural language descriptions of operational technology systems into structured knowledge graphs and compliance artifacts in the NIST OSCAL format, addressing the challenges of risk assessment in environments that cannot be actively scanned. By decoupling LLM-based reasoning from deterministic knowledge retrieval, the approach minimizes the risks associated with fabricated vulnerabilities and hallucinated attack paths. In a synthetic scenario involving a water utility, the pipeline achieved a CVE recall of 0.90 and perfect D3FEND recall, highlighting the importance of accurate asset extraction in maintaining compliance and visibility of risks.
Shifting the error landscape in compliance management, this pipeline reveals that a single misidentified asset can lead to irrelevant vulnerabilities, making risk assessment more visible and manageable.
In critical infrastructure, operational technology environments often cannot be actively scanned, and yet active system feedback is needed for risk assessment and compliance. This paper presents a non-invasive, MCP-grounded multi-agent pipeline that converts natural-language system descriptions into source-verified knowledge graph and audit-ready artifacts in the NIST OSCAL format for continuous automated compliance management. The architecture decouples LLM-based reasoning from deterministic knowledge retrieval against authoritative threat-intelligence sources, reducing the risk of fabricated vulnerabilities and hallucinated attack paths. In an evidence-based synthetic scenario of a water utility, the pipeline achieves 0.90 CVE recall and perfect D3FEND recall. It generates a schema-valid OSCAL System Security Plan and an OSCAL Security Assessment Report. Nevertheless, the core insight is not that grounding via MCP eliminates errors (e.g., hallucinations) entirely from the pipeline, but that it shifts errors into the first phase of asset extraction from the natural language description. Here, a single incorrectly extracted entity can lead to genuine but irrelevant CVEs in subsequent stages of the pipeline, which consumes time and resources. However, it makes the remaining risk visible, verifiable, and suitable for a time-efficient manual review, since the infrastructure (e.g., version numbers, OS, etc.) is typically known.