Getting Started with D3FEND for OT
Apply the D3FEND Ontology to Operational Technology (OT) security scenarios.
Target Audience
Cyber Threat Intel Analysts, Incident Responders, Model-based Systems Engineers
Published: Dec 16, 2025, Last Modified: Dec 16, 2025
1.3.0
Authors
Prerequisites
- Basic D3FEND Overview: Detect, Deny, and Disrupt with MITRE D3FEND
- How to Build D3FEND Graphs with D3FEND CAD
- Threat Modeling with the D3FEND Ontology & D3FEND CAD
Purpose
This guide will help you get started using CAD with D3FEND for OT (Operational Technology). D3FEND for OT enables OT engineers, security engineers, and cyber threat intelligence analysts to model their security scenarios using the D3FEND Ontology. You can use CAD to model your system components, map sensor events to detectable attacks, and document real incidents step by step, all of which help you design more secure architectures.
D3FEND CAD Basics
- Review and understand the prerequisites above.
- Review the use cases in the next section to see which examples are applicable to you and your organization.
- Review the mapping of the high-level artifacts to the Purdue model below to see how we have captured OT concepts.
- Review the set of example CAD graphs on the D3FEND for OT Landing Page to see specific instances of D3FEND for OT in use, how OT concepts are captured in the ontology, and how others model OT environments.
- Begin building your own OT-related knowledge graphs in CAD! Start a new CAD graph, add your core artifacts (use the explode feature to accelerate), connect them with the correct object properties, and apply CAD’s inferencing to suggest relevant attacks, associated artifacts, and countermeasures.
D3FEND for OT Use Cases
We envision a variety of use cases for CAD graphs that use the D3FEND for OT additions, for example:
| Use Case | Steps |
|---|---|
| Model an existing OT system to reveal assets, attack paths, and defensive gaps. | |
| Map OT sensor events to affected assets and attack techniques to understand detection coverage. | |
| Document observed OT threats and incidents step-by-step to analyze impact and communicate findings. | |
| Design or refine secure OT architectures by modeling component relationships, attacks, and countermeasures. | |
D3FEND for OT Artifacts and the Purdue Model
For those familiar with the Purdue Model, we have mapped Purdue levels zero through five to the corresponding D3FEND Artifacts in CAD. We provide both a simple and a detailed view.
- Open Purdue Model (simple) in D3FEND CAD
- Open Purdue Model (detailed) in D3FEND CAD
We render the simple version below: