Assessing the Physical Impact of Cyberattacks on Industrial Cyber-Physical Systems

Industrial cyber-physical systems (ICPSs) are widely applied in critical infrastructures such as chemical plants, water distribution networks, and power grids. However, they face various cyberattacks, which may cause physical damage to these industrial facilities. Therefore, ensuring the security of ICPSs is of paramount importance. For this purpose, a new risk assessment method is presented in this paper to quantify the impact of cyberattacks on the physical system of ICPSs. This method helps carry out appropriate attack mitigation measures. The method uses a Bayesian network to model the attack propagation process and infers the probabilities that sensors and actuators are compromised. These probabilities are fed into a stochastic hybrid system (SHS) model to predict the evolution of the physical process being controlled. Then, the security risk is quantified by evaluating the system availability with the SHS model. The effectiveness of the proposed method is demonstrated with a case study on a hardware-in-the-loop simulation test bed.
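
The pipeline described above (Bayesian network, then compromise probabilities, then a hybrid process model, then availability), as an added sketch that is not the paper's model or code. The attack graph, every probability, the noisy-OR gates, the two-mode tank dynamics and the safe band [2, 8] are constructed assumptions, and the hybrid model is a simplified discrete-time stand-in for an SHS.

```python
import itertools
import random
# Constructed attack graph (assumption): node -> {parent: P(exploit step succeeds)}
GRAPH = {
    "hmi": {},
    "eng_ws": {"hmi": 0.6},
    "plc": {"hmi": 0.3, "eng_ws": 0.5},
    "level_sensor": {"plc": 0.4},
    "valve_actuator": {"plc": 0.7},
}
PRIOR = {"hmi": 0.2}  # assumed probability that the entry point is breached

def p_compromised(node, state):
    """P(node compromised | parent states), combined with a noisy-OR gate."""
    if not GRAPH[node]:
        return PRIOR[node]
    all_fail = 1.0
    for parent, p in GRAPH[node].items():
        if state[parent]:
            all_fail *= 1.0 - p
    return 1.0 - all_fail

def marginals():
    """Exact marginals by joint enumeration; the shared ancestor is not double counted."""
    nodes = list(GRAPH)
    marg = dict.fromkeys(nodes, 0.0)
    for bits in itertools.product((0, 1), repeat=len(nodes)):
        state = dict(zip(nodes, bits))
        joint = 1.0
        for n in nodes:
            p = p_compromised(n, state)
            joint *= p if state[n] else 1.0 - p
        for n in nodes:
            marg[n] += joint * state[n]
    return marg

def availability(p_actuator, runs=1000, steps=200, seed=1):
    """Fraction of time a simulated tank level stays in the safe band [2, 8]."""
    rng = random.Random(seed)
    in_band = 0
    for _ in range(runs):
        level = 5.0
        attacked = rng.random() < p_actuator  # discrete mode from the BN marginal
        for _ in range(steps):
            # Normal mode: controller pulls level to 5. Attacked: valve stuck open.
            drift = 0.1 if attacked else 0.1 * (5.0 - level)
            level += drift + rng.gauss(0.0, 0.05)
            in_band += 2.0 <= level <= 8.0
    return in_band / (runs * steps)
```

With these constructed numbers the exact PLC compromise probability is 0.102; treating the two paths into the PLC as independent would give 0.1164, which overstates the risk fed into the process model.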
