A Dynamic Decision-Making Approach for Cyber-Risk Reduction in Critical Infrastructure

Critical infrastructure (CI) is of vital importance to the national economy and social stability. Although the rapid development of information technology improves the system performance of CI, it also makes CI more vulnerable to cyber attackers. However, because CI is characterized by complex cyber-physical interaction and interdependence in the physical network, the cybersecurity protection methods used for IT systems cannot be applied to CI directly. This paper provides a dynamic decision-making approach to cybersecurity protection for CI based on risk reduction. First, a dynamic risk assessment is presented for CI after the attack-defense strategy is executed. Then, the optimal defense strategies are chosen at each station in CI, taking resource constraints into account. Finally, several simulations are carried out on a water-supply system. The simulation results demonstrate the effectiveness of the proposed approach.
