PAPER PLAINE

Fresh research, simply explained. Updates twice daily.

From Legacy Documentation to OSCAL: An MCP-Based Agent Pipeline for Threat-Informed Continuous Compliance in Critical Infrastructure

Converting operator notes into official compliance documents without scanning critical systems

Researchers built an AI system that converts written descriptions of water treatment plants and other critical infrastructure into official compliance documents, without needing to scan the live systems. The system correctly identified 90% of known vulnerabilities and avoided fabricating attack paths by anchoring its reasoning to verified threat databases rather than relying on the AI's own knowledge.

Critical infrastructure like power plants and water utilities can't be actively scanned for security holes without risking operational failure. This pipeline lets operators generate auditable compliance reports from existing documentation, making their actual security posture visible to regulators. When errors do occur, they happen in the initial translation step rather than cascading through the entire analysis—meaning a human can quickly spot and fix a mistaken asset description before it wastes resources chasing irrelevant vulnerabilities.