A Taxonomy of Cyberattacks against Critical Infrastructure

The purpose of the project is to create a taxonomy and organize existing knowledge on cybercrimes against critical infrastructure such as power plants, water treatment facilities, dams, and nuclear facilities. The current study is utilizing Routine Activity Theory (Clarke and Felson 1993; Cohen and Felson 2003) to create a three-dimensional taxonomy (Figure 1). The first dimension, hacker motivation, is related to the offenders which could be politically, socio-culturally, and/or economically motivated. The second dimension represents the cyber, physical, and cyber-physical components of any cyber-physical system (CPS) and is a differentiation of the various aspects of the suitable target. The third dimension, security, is related to the threats, vulnerabilities, and controls that represent the lack of the capable guardian. The focus of the study is to provide recommendations for improving the guardianship aspect of the taxonomy and offer practical advice for security professionals. While similar taxonomies exist, none of them have been verified due to the sensitive nature of the data, so this would be one of the first empirically validated approaches on this topic. The methodology guiding this study is Design Science Research (DSR) (Hevner and Chatterjee 2010). I will be using qualitative data to evaluate the utility and usability of the taxonomy by conducting semi-structured interviews with security practitioners working in critical infrastructure facilities. Figure 1. Proposed Taxonomy