Multimodel-Based Incident Prediction and Risk Assessment in Dynamic Cybersecurity Protection for Industrial Control Systems

An increasing number of information and communication technologies are being adopted in industrial control systems (ICSs). While these technologies offer high flexibility, interoperability, and convenient administration of ICSs, they also introduce cybersecurity risks. Dynamic cybersecurity risk assessment is a key foundational component of security protection. However, due to the characteristics of ICSs, risk assessment designed for IT systems is not completely applicable to ICSs. In this paper, taking the characteristics of ICSs into consideration, a targeted multilevel Bayesian network containing attack, function, and incident models is proposed. Based on this network, a novel multimodel-based hazardous incident prediction approach is designed. On this basis, a dynamic cybersecurity risk assessment approach, which is able to assess the risk caused by unknown attacks, is also devised. Furthermore, to improve the accuracy of the risk assessment, which may be reduced by the redundant accumulation of overlaps amongst different consequences, a unified consequence quantification method is presented. Finally, to verify the effectiveness of the proposed approach, a simulation of a simplified chemical reactor control system is conducted in MATLAB. The simulation results demonstrate that the proposed approach can dynamically calculate the cybersecurity risk of ICSs in a timely manner. Additionally, the result of a different comparative simulation shows that our approach is able to assess the risk caused by unknown attacks.
