Quantitative Security Risk Assessment for Industrial Control Systems: Research Opportunities and Challenges

Due to the gradual implementation of the Industry 4.0 vision, information technology is becoming increasingly important in industrial control systems (ICSs), such as production systems. Although the digital transformation of ICSs represents the foundation for resource-efficient and flexible industrial plants, this change increases the attack surface, leading to the emergence of new threats. Moreover, ICSs constitute an attractive target for attackers who may disrupt plant operation, causing severe physical/material damage (PD/MD), such as machinery breakdowns. As a further consequence, asset owners (i.e., plant operators) may suffer from business interruption (BI) and loss of profit (LOP). Thus, security risks must be managed in all phases of the ICSs’ lifecycle, from engineering to decommissioning. Risk assessment is an integral part of the risk management process in which risks are identified, analyzed, and evaluated. In this context, quantitative assessment is vital, since measuring cyber risks is required to establish an effective decision-making process for security investments. This survey article reviews the state of the art concerning quantitative security risk assessments for ICSs and identifies promising opportunities for future research and associated challenges. We report that the current state of quantitatively assessing cyber risks for ICSs is characterized by the absence of adequate (dynamic) security risk assessment methods tailored to the peculiarities of ICSs. This is aggravated by the fact that the complexity of the threat landscape increases in the light of Industry 4.0, and historical data on security incidents is lacking. As a consequence, asset owners may fail to quantitatively assess their cyber risk exposure, leaving them uncertain about security decisions. Furthermore, if they purchase cyber insurance in order to transfer the risks of non-PD BI, the underlying problem remains unsolved as (re)insurers potentially take on these unassessed risks. As an initial step to guide individuals seeking to improve the quantification of cyber risks pertaining to ICSs, this article concludes by outlining several directions for further research that are worth pursuing.
