A method for quantitative evaluation of security risk in cyber-physical systems

Document Type : Original Article

Author

Assistant Professor, Department of Computer Engineering, Technical and Vocational University (TVU), Tehran, Iran.

Abstract

Cyber-physical systems emerged with the integration of the cyber sector into physical systems and the rise of Industry 4.0. Although the main purpose of this integration has been to increase the efficiency, stability and manageability of physical systems, it has also created very serious threats to them. Successful attacks on these systems may lead to disruption or physical damage, such as damage to equipment or products, or even harm to humans. The security of cyber-physical systems has therefore become an important research topic. This article presents a method for quantitative assessment of security risk in cyber-physical systems. The method divides the important and vital components affecting the security risks of cyber-physical systems into two categories, attacker profile and system profile, and quantitatively estimates the risk based on the index components of these two profile categories. These components include attack possibility, attack detection, attacker's knowledge of the target system, time to failure, system cost, system recovery and repair cost, and vulnerability rate. Finally, to demonstrate its applicability, the proposed method has been applied to a cyber-physical system and the security risk has been evaluated.

Keywords



Volume 11, Issue 2 - Serial Number 42
No. 42, Summer
July 2023
Pages 71-80
  • Receive Date: 20 August 2022
  • Revise Date: 18 December 2022
  • Accept Date: 17 May 2023
  • Publish Date: 22 June 2023