This work addresses the challenge of identifying and prioritizing multi-step attack paths in industrial control systems (ICS). The authors propose a semi-automated approach that integrates network topology and vulnerability data to construct a system model, and for the first time apply state-aware attack graph generation to a Siemens PCS7 water treatment plant blueprint. Leveraging a state-aware traversal algorithm, the method derives multi-step attack chains driven by CVEs and misconfigurations, enabling visualization of critical attack paths. Experimental results demonstrate that a single point of failure can compromise network segmentation, while remediation of key vulnerabilities effectively protects entire security zones. These findings offer actionable security insights for ICS risk mitigation.

Assessing the security posture of Industrial Control Systems (ICS) is critical for protecting essential infrastructure. However, the complexity and scale of these environments make it challenging to identify and prioritize potential attack paths. This paper introduces a semi-automated approach for generating attack graphs in ICS environments to visualize and analyze multi-step attack scenarios. Our methodology integrates network topology information with vulnerability data to construct a model of the system. This model is then processed by a stateful traversal algorithm to identify potential exploit chains based on preconditions and consequences. We present a case study applying the proposed framework to the Siemens PCS7 Cybersecurity Blueprint for Water Treatment Plants. The results demonstrate the framework's ability to simulate different attack scenarios, including those originating from known CVEs and potential device misconfigurations. We show how a single point of failure can compromise network segmentation and how patching a critical vulnerability can protect an entire security zone, providing actionable insights for risk mitigation.