A method for evaluating the consequence propagation of security attacks in cyber-physical systems

Abstract Estimating the possible impacts of security attacks on physical processes can help to rank the critical assets based on their sensitivity to performed attacks and predict their attractiveness from the attacker’s point of view. To address this challenge, this paper proposes a new method for assessing the direct and indirect impacts of attacks on cyber–physical systems (CPSs). The proposed method studies the dynamic behavior of systems in normal situation and under security attacks and evaluates the consequence propagation of attacks. The inputs to the model are control parameters including sensor readings and controller signals. The output of the model is evaluating the consequence propagation of attacks, ranking the important assets of systems based on their sensitivity to conducted attacks, and prioritizing the attacks based on their impacts on the behavior of system. The validation phase of the proposed method is performed by modeling and evaluating the consequence propagation of attacks against a boiling water power plant (BWPP).

[1]  Marina Krotofil,et al.  Are You Threatening My Hazards? , 2014, IWSEC.

[2]  Yuan Xue,et al.  A language for describing attacks on cyber-physical systems , 2015, Int. J. Crit. Infrastructure Prot..

[3]  Ing-Ray Chen,et al.  Modeling and Analysis of Attacks and Counter Defense Mechanisms for Cyber Physical Systems , 2016, IEEE Transactions on Reliability.

[4]  Aditya Ashok,et al.  Cyber-physical security of Wide-Area Monitoring, Protection and Control in a smart grid environment , 2013, Journal of advanced research.

[5]  Alvaro A. Cárdenas,et al.  Attacks against process control systems: risk assessment, detection, and response , 2011, ASIACCS '11.

[6]  Béla Genge,et al.  A system dynamics approach for assessing the impact of cyber attacks on critical infrastructures , 2015, Int. J. Crit. Infrastructure Prot..

[7]  Hsin-Hung Wu,et al.  A case study of using DEMATEL method to identify critical factors in green supply chain management , 2015, Appl. Math. Comput..

[8]  Wen Tan,et al.  Analysis and control of a nonlinear boiler-turbine unit , 2005 .

[9]  S. Shankar Sastry,et al.  Understanding the physical and economic consequences of attacks on control systems , 2009, Int. J. Crit. Infrastructure Prot..

[10]  Hsin-Hung Wu,et al.  A DEMATEL method to evaluate the causal relations among the criteria in auto spare parts industry , 2011, Appl. Math. Comput..

[11]  Munir Majdalawieh Security Framework For Dnp3 And Scada , 2008 .

[12]  Yu Cheng,et al.  Cooperative Message Authentication in Vehicular Cyber-Physical Systems , 2013, IEEE Transactions on Emerging Topics in Computing.

[13]  Hsin-Hung Wu,et al.  Analysis of critical evaluation factors of the EWPS scale for boundary -- spanners using DEMATEL , 2014 .

[14]  Avishai Wool,et al.  Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems , 2013, Int. J. Crit. Infrastructure Prot..

[15]  Gülçin Büyüközkan,et al.  A novel hybrid MCDM approach based on fuzzy DEMATEL, fuzzy ANP and fuzzy TOPSIS to evaluate green suppliers , 2012, Expert Syst. Appl..

[16]  Dieter Gollmann,et al.  Cyber-Physical Systems Security: Experimental Analysis of a Vinyl Acetate Monomer Plant , 2015, CPSS@ASIACSS.

[17]  Manjaree Pandit,et al.  A parallel computing approach for integrated security assessment of power system , 2016 .

[18]  H. Vincent Poor,et al.  Multicast Routing for Decentralized Control of Cyber Physical Systems with an Application in Smart Grid , 2012, IEEE Journal on Selected Areas in Communications.

[19]  Béla Genge,et al.  An Experimental Study on the Impact of Network Segmentation to the Resilience of Physical Processes , 2012, Networking.

[20]  A. Torres,et al.  Power Systems Security Evaluation Using Petri Nets , 2010, IEEE Transactions on Power Delivery.

[21]  Adam Hahn,et al.  A multi-layered and kill-chain based security analysis framework for cyber-physical systems , 2015, Int. J. Crit. Infrastructure Prot..

[22]  Ing-Ray Chen,et al.  A survey of intrusion detection techniques for cyber-physical systems , 2014, ACM Comput. Surv..

[23]  David Hutchison,et al.  A survey of cyber security management in industrial control systems , 2015, Int. J. Crit. Infrastructure Prot..

[24]  Dong Wei,et al.  Protecting Smart Grid Automation Systems Against Cyberattacks , 2011, IEEE Transactions on Smart Grid.

[25]  Wenxia Liu,et al.  Security Assessment for Communication Networks of Power Control Systems Using Attack Graph and MCDM , 2010, IEEE Transactions on Power Delivery.

[26]  Kazi Tanvir Ahmmed,et al.  Automated Irrigation Control and Security System with Wireless Messaging , 2013, 2013 International Conference on Informatics, Electronics and Vision (ICIEV).

[27]  Thomas H. Morris,et al.  Modeling Cyber-Physical Vulnerability of the Smart Grid With Incomplete Information , 2013, IEEE Transactions on Smart Grid.

[28]  Dieter Gollmann,et al.  Vulnerabilities of cyber-physical systems to stale data - Determining the optimal time to launch attacks , 2014, Int. J. Crit. Infrastructure Prot..

[29]  Dieter Gollmann Veracity, Plausibility, and Reputation , 2012, WISTP.

[30]  Kai Liu,et al.  Adaptive fuzzy clustering based anomaly data detection in energy system of steel industry , 2014, Inf. Sci..

[31]  Chen-Ching Liu,et al.  Anomaly Detection for Cybersecurity of the Substations , 2011, IEEE Transactions on Smart Grid.

[32]  Jiunn-I Shieh,et al.  A DEMATEL method in identifying key success factors of hospital service quality , 2010, Knowl. Based Syst..

[33]  Christos Siaterlis,et al.  Impact of Network Infrastructure Parameters to the Effectiveness of Cyber Attacks Against Industrial Control Systems , 2014, Int. J. Comput. Commun. Control.

[34]  Alvaro A. Cárdenas,et al.  Resilience of Process Control Systems to Cyber-Physical Attacks , 2013, NordSec.

[35]  A. Gabus,et al.  World Problems, An Invitation to Further Thought within the Framework of DEMATEL , 1972 .

[36]  Karen A. Scarfone,et al.  Guide to Industrial Control Systems (ICS) Security , 2015 .

[37]  Taeshik Shon,et al.  Challenges and research directions for heterogeneous cyber-physical system based on IEC 61850: Vulnerabilities, security requirements, and security architecture , 2016, Future Gener. Comput. Syst..

[38]  Jiang Lu,et al.  Robust Cyber-Physical Systems: Concept, models, and implementation , 2016, Future Gener. Comput. Syst..

[39]  Dieter Gollmann,et al.  The Process Matters: Ensuring Data Veracity in Cyber-Physical Systems , 2015, AsiaCCS.