Kybernetika 60 no. 6, 779-796, 2024

Method for quantitative risk assessment of cyber-physical systems based on vulnerability analysis

Rasim Alguliyev, Ramiz Aliguliyev and Lyudmila SukhostatDOI: 10.14736/kyb-2024-6-0779

Abstract:

Cyber-physical system protection against cyber-attacks is a serious problem that requires methods for assessing the cyber security risks. This paper proposes a quantitative metric to evaluate the risks of cyber-physical systems using the fuzzy Sugeno integral. The simulated attack graph, consisting of vulnerable system components, allows for obtaining various parameters for assessing the risks of attack paths characterizing the elements in the cyber and physical environment and are combined into a single quantitative assessment. Experiments are performed on a threat model using the example of a cyber-physical system for wind energy generation. The model integrates a cyber-physical network's topology and vulnerabilities, proving the proposed method's effectiveness in ensuring cyber resilience.

Keywords:

cyber-physical system, risk assessment, attack graph, graph centrality measures, Sugeno $\lambda $‐measure, fuzzy Sugeno integral, attack path

Classification:

68M15

paper.pdf

References:

  1. A. Akbarzadeh and S. Katsikas: Identifying critical components in large scale cyber physical systems. In: IEEE/ACM 42nd International Conference on Software Engineering Workshops (ICSEW), IEEE 2020, pp. 230-236.   DOI:10.1145/3387940.3391473
  2. M. Alhomidi and M. Reed: Attack graph-based risk assessment and optimization approach. Int. J. Netw. Secur. Appl. 6 (2014), 3, 31-43.   DOI:10.5121/ijnsa.2014.6303
  3. J. Beyza and J. M. Yusta: Integrated risk assessment for robustness evaluation and resilience optimisation of power systems after cascading failures. Energies 14 (2021), 7, 1-18.   DOI:10.3390/en14072028
  4. M. Z. A. Bhuiyan, G. J. Anders, J. Philhower and S. Du: Review of static risk-based security assessment in power system. IET Cyper-Phys. Syst.: Theory Appl. 4 (2019), 3, 233-239.   DOI:10.1049/iet-cps.2018.5080
  5. A. Chermitti, M. Bencherif, Z. Nakoul, N. Bibitriki and B. Benyoucef: Assessment parameters and matching between the sites and wind turbines. Physics Procedia 55 (2014), 192-198.   DOI:10.1016/j.phpro.2014.07.028
  6. B. Chen, Z. Yang, Y. Zhang, Y. Chen and J. Zhao: Risk assessment of cyber-attacks on power grids considering the characteristics of attack behaviors. IEEE Access 8 (2020), 8, 148331-148344.   DOI:10.1109/ACCESS.2020.3014785
  7. Y. Cheng, E. Elsayed and X. Chen: Random multi hazard resilience modeling of engineered systems and critical infrastructure. Reliab. Eng. Syst. Safe. 209 (2021), 1-13.   DOI:10.1016/j.ress.2021.107453
  8. CVSS: Common Vulnerability Scoring System version 3.1, 2020.   https://www.first.org/cvss/v3-1/cvss-v31-specification r1.pdf
  9. D. Z. Fang, A. K. David, C. Kai and C. Yunli: Improved hybrid approach to transient stability assessment. IEE Proc., Gener. Transm. Distrib. 152 (2005), 2, 201-207.   DOI:10.1049/ip-gtd:20041223
  10. L. C. Freeman: A set of measures of centrality based on betweenness. Sociometry 40 (1977), 35-41.   DOI:10.2307/3033543
  11. FVL: Forescout Vedere Labs. OT: ICEFALL: The legacy of “insecure by design” and its implications for certifications and risk management, 2022.   https://www.forescout.com/resources/ot-icefall-report/
  12. P. Henneaux, P. E. Labeau, J. C. Maun and L. Haarla: A two-level probabilistic risk assessment of cascading outages. IEEE Trans. Power Syst. 31 (2015), 2393-2403.   DOI:10.1109/TPWRS.2015.2439214
  13. N. Kartli, E. Bostanci and M.S. Guzel: Heuristic algorithm for an optimal solution of fully fuzzy transportation problem. Computing 106 (2024), 3195-3227.   DOI:10.1007/s00607-024-01319-5
  14. L. Katz: A new status index derived from sociometric data analysis. Psychometrika 18 (1953), 39-43.   DOI:10.1007/BF02289026
  15. B. P. Leao, J. Vempati, S. Bhela, T. Ahlgrim and D. Arnold: Augmented digital twin for identification of most critical cyberattacks in industrial systems. (2023). In: arXiv preprint:   2306.04821
  16. X. Li, C. Zhou, Y. C. Tian, N. Xiong and Y. Qin: Asset-based dynamic impact assessment of cyberattacks for risk analysis in industrial control systems. IEEE Trans. Ind. Inf. 14 (2018), 608-618.   DOI:10.1109/TII.2017.2740571
  17. C. Liu, Y. Alrowaili, N. Saxena and C. Konstantinou: Cyber risks to critical smart grid assets of industrial control systems. Energies 14 (2021), 1-19.   DOI:10.3390/en14175501
  18. K. Liu, Y. Xie, S. Xie and L. Sun: SEAG: A novel dynamic security risk assessment method for industrial control systems with consideration of social engineering. J. Process Control 132 (2023), 1-10.   DOI:10.1016/j.jprocont.2023.103131
  19. X. Lyu, Y. Ding and S. H. Yang: Bayesian network based C2P risk assessment for cyber-physical systems. IEEE Access 8 (2020), 88506-88517.   DOI:10.1109/ACCESS.2020.2993614
  20. G.E. Martínez, C.I. Gonzalez, O. Mendoza and P. Melin: General type-2 fuzzy Sugeno integral for edge detection. J. Imaging 5 (2019), 8, 1-20.   DOI:10.3390/jimaging5080071
  21. O. Mason and M. Verwoerd: Graph theory and networks in biology. IET Syst. Boil. 1 (2007), 89-119.   DOI:10.1049/iet-syb:20060038
  22. T. Murofushi and M. Sugeno: A theory of fuzzy measures. Representation, the Choquet integral and null sets. J. Math. Anal. Appl. 159 (1991), 2, 532-549.   DOI:10.1016/0022-247X(91)90213-J
  23. A. Nourian and S. Madnick: A systems theoretic approach to the security threats in cyber physical systems applied to Stuxnet. IEEE Trans. Dependable Secur. Comput. 15 (2018), 1, 2-13.   DOI:10.1109/TDSC.2015.2509994
  24. X. Ou and A. Singhal: Quantitative Security Risk Assessment of Enterprise Networks. Springer, 2011.   CrossRef
  25. Z. Qu, W. Sun, J. Dong, J. Zhao and Y. Li: Electric power cyber-physical systems vulnerability assessment under cyber-attack. Front. Energy Res. 10 (2023), 1-12.   DOI:10.3389/fenrg.2022.1002373
  26. I. Rahman and J. Mohamad-Saleh: Hybrid bio-Inspired computational intelligence techniques for solving power system optimization problems: A comprehensive survey. Appl. Soft Comput. 69 (2018), 72-130.   DOI:10.1016/j.asoc.2018.04.051
  27. M. Salayma: Threat modelling in Internet of Things (IoT) environments using dynamic attack graphs. Front. Internet of Things 3 (2024), 1-25.   DOI:10.3389/friot.2024.1306465
  28. I. Semertzis, V. S. Rajkumar, A. Ştefanov, F. Fransen and P. Palensky: Quantitative risk assessment of cyber-attacks on cyber-physical systems using attack graphs. In: 10th IEEE Workshop on Modelling and Simulation of Cyber-Physical Energy Systems (MSCPES), IEEE 2022, pp. 1-6.   CrossRef
  29. Y. Shen and L. Lin: Adaptive output feedback stabilization for nonlinear systems with unknown polynomial-of-output growth rate and sensor uncertainty. Kybernetika 58 (2022), 4, 637-660.   DOI:10.14736/kyb-2022-4-0637
  30. R. Shikhaliyev: Cybersecurity risks management of industrial control systems: A review. Probl. Inf. Technol. 15 (2024), 1, 37-43.   DOI:10.25045/jpit.v15.i1.05
  31. C. Suh-Lee and J. Jo: Quantifying security risk by measuring network risk conditions. In: IEEE/ACIS 14thInternational Conference on Computer and Information Science (ICIS), IEEE 2015, pp. 9-14.   CrossRef
  32. Z. Wang, C. Zhai, H. Zhang, G. Xiao, G. Chen and Y. Xu: Coordination control and analysis of TCSC devices to protect electrical power systems against disruptive disturbances. Kybernetika 58 (2022), 2, 218-236.   DOI:10.14736/kyb-2022-2-0218
  33. F. Xiao and J. D. McCalley: Power system risk assessment and control in a multobjective framework. IEEE Trans. Power Syst. 24 (2009), 1, 78-85.   DOI:10.1109/TPWRS.2008.2004823
  34. Q. Zhang, C. Zhou, Y. C. Tian, N. Xiong, Y. Qin and B. Hu: A fuzzy probability Bayesian network approach for dynamic cybersecurity risk assessment in industrial control systems. IEEE Trans. Ind. Inf. 14 (2018), 6, 2497-2506.   DOI:10.1109/TII.2017.2768998