Geodesic
Method for quantitative risk assessment of cyber-physical systems based on vulnerability analysis
Kybernetika, Tome 60 (2024) no. 6, pp. 779-796
Cet article a éte moissonné depuis la source Czech Digital Mathematics Library

Voir la notice de l'article

Cyber-physical system protection against cyber-attacks is a serious problem that requires methods for assessing the cyber security risks. This paper proposes a quantitative metric to evaluate the risks of cyber-physical systems using the fuzzy Sugeno integral. The simulated attack graph, consisting of vulnerable system components, allows for obtaining various parameters for assessing the risks of attack paths characterizing the elements in the cyber and physical environment and are combined into a single quantitative assessment. Experiments are performed on a threat model using the example of a cyber-physical system for wind energy generation. The model integrates a cyber-physical network's topology and vulnerabilities, proving the proposed method's effectiveness in ensuring cyber resilience.
Cyber-physical system protection against cyber-attacks is a serious problem that requires methods for assessing the cyber security risks. This paper proposes a quantitative metric to evaluate the risks of cyber-physical systems using the fuzzy Sugeno integral. The simulated attack graph, consisting of vulnerable system components, allows for obtaining various parameters for assessing the risks of attack paths characterizing the elements in the cyber and physical environment and are combined into a single quantitative assessment. Experiments are performed on a threat model using the example of a cyber-physical system for wind energy generation. The model integrates a cyber-physical network's topology and vulnerabilities, proving the proposed method's effectiveness in ensuring cyber resilience.
DOI : 10.14736/kyb-2024-6-0779
Classification : 68M15
Keywords: cyber-physical system; risk assessment; attack graph; graph centrality measures; Sugeno $\lambda $‐measure; fuzzy Sugeno integral; attack path 
@article{10_14736_kyb_2024_6_0779,
     author = {Alguliyev, Rasim and Aliguliyev, Ramiz and Sukhostat, Lyudmila},
     title = {Method for quantitative risk assessment of cyber-physical systems based on vulnerability analysis},
     journal = {Kybernetika},
     pages = {779--796},
     year = {2024},
     volume = {60},
     number = {6},
     doi = {10.14736/kyb-2024-6-0779},
     zbl = {07980822},
     language = {en},
     url = {http://geodesic.mathdoc.fr/articles/10.14736/kyb-2024-6-0779/}
}
TY  - JOUR
AU  - Alguliyev, Rasim
AU  - Aliguliyev, Ramiz
AU  - Sukhostat, Lyudmila
TI  - Method for quantitative risk assessment of cyber-physical systems based on vulnerability analysis
JO  - Kybernetika
PY  - 2024
SP  - 779
EP  - 796
VL  - 60
IS  - 6
UR  - http://geodesic.mathdoc.fr/articles/10.14736/kyb-2024-6-0779/
DO  - 10.14736/kyb-2024-6-0779
LA  - en
ID  - 10_14736_kyb_2024_6_0779
ER  - 
%0 Journal Article
%A Alguliyev, Rasim
%A Aliguliyev, Ramiz
%A Sukhostat, Lyudmila
%T Method for quantitative risk assessment of cyber-physical systems based on vulnerability analysis
%J Kybernetika
%D 2024
%P 779-796
%V 60
%N 6
%U http://geodesic.mathdoc.fr/articles/10.14736/kyb-2024-6-0779/
%R 10.14736/kyb-2024-6-0779
%G en
%F 10_14736_kyb_2024_6_0779
Alguliyev, Rasim; Aliguliyev, Ramiz; Sukhostat, Lyudmila. Method for quantitative risk assessment of cyber-physical systems based on vulnerability analysis. Kybernetika, Tome 60 (2024) no. 6, pp. 779-796. doi: 10.14736/kyb-2024-6-0779

[1] Akbarzadeh, A., Katsikas, S.: Identifying critical components in large scale cyber physical systems. In: IEEE/ACM 42nd International Conference on Software Engineering Workshops (ICSEW), IEEE 2020, pp. 230-236. | DOI

[2] Alhomidi, M., Reed, M.: Attack graph-based risk assessment and optimization approach. Int. J. Netw. Secur. Appl. 6 (2014), 3, 31-43. | DOI

[3] Beyza, J., Yusta, J. M.: Integrated risk assessment for robustness evaluation and resilience optimisation of power systems after cascading failures. Energies 14 (2021), 7, 1-18. | DOI

[4] Bhuiyan, M. Z. A., Anders, G. J., Philhower, J., Du, S.: Review of static risk-based security assessment in power system. IET Cyper-Phys. Syst.: Theory Appl. 4 (2019), 3, 233-239. | DOI

[5] Chermitti, A., Bencherif, M., Nakoul, Z., Bibitriki, N., Benyoucef, B.: Assessment parameters and matching between the sites and wind turbines. Physics Procedia 55 (2014), 192-198. | DOI

[6] Chen, B., Yang, Z., Zhang, Y., Chen, Y., Zhao, J.: Risk assessment of cyber-attacks on power grids considering the characteristics of attack behaviors. IEEE Access 8 (2020), 8, 148331-148344. | DOI

[7] Cheng, Y., Elsayed, E., Chen, X.: Random multi hazard resilience modeling of engineered systems and critical infrastructure. Reliab. Eng. Syst. Safe. 209 (2021), 1-13. | DOI

[8] CVSS: Common Vulnerability Scoring System version 3.1. 2020. DOI 

[9] Fang, D. Z., David, A. K., Kai, C., Yunli, C.: Improved hybrid approach to transient stability assessment. IEE Proc., Gener. Transm. Distrib. 152 (2005), 2, 201-207. | DOI

[10] Freeman, L. C.: A set of measures of centrality based on betweenness. Sociometry 40 (1977), 35-41. | DOI

[11] FVL: Forescout Vedere Labs. OT: ICEFALL: The legacy of “insecure by design” and its implications for certifications and risk management. 2022. DOI 

[12] Henneaux, P., Labeau, P. E., Maun, J. C., Haarla, L.: A two-level probabilistic risk assessment of cascading outages. IEEE Trans. Power Syst. 31 (2015), 2393-2403. | DOI

[13] Kartli, N., Bostanci, E., Guzel, M.S.: Heuristic algorithm for an optimal solution of fully fuzzy transportation problem. Computing 106 (2024), 3195-3227. | DOI | MR

[14] Katz, L.: A new status index derived from sociometric data analysis. Psychometrika 18 (1953), 39-43. | DOI | MR

[15] Leao, B. P., Vempati, J., Bhela, S., Ahlgrim, T., Arnold, D.: Augmented digital twin for identification of most critical cyberattacks in industrial systems. (2023). In: arXiv preprint: | arXiv

[16] Li, X., Zhou, C., Tian, Y. C., Xiong, N., Qin, Y.: Asset-based dynamic impact assessment of cyberattacks for risk analysis in industrial control systems. IEEE Trans. Ind. Inf. 14 (2018), 608-618. | DOI

[17] Liu, C., Alrowaili, Y., Saxena, N., Konstantinou, C.: Cyber risks to critical smart grid assets of industrial control systems. Energies 14 (2021), 1-19. | DOI

[18] Liu, K., Xie, Y., Xie, S., Sun, L.: SEAG: A novel dynamic security risk assessment method for industrial control systems with consideration of social engineering. J. Process Control 132 (2023), 1-10. | DOI

[19] Lyu, X., Ding, Y., Yang, S. H.: Bayesian network based C2P risk assessment for cyber-physical systems. IEEE Access 8 (2020), 88506-88517. | DOI

[20] Martínez, G.E., Gonzalez, C.I., Mendoza, O., Melin, P.: General type-2 fuzzy Sugeno integral for edge detection. J. Imaging 5 (2019), 8, 1-20. | DOI

[21] Mason, O., Verwoerd, M.: Graph theory and networks in biology. IET Syst. Boil. 1 (2007), 89-119. | DOI

[22] Murofushi, T., Sugeno, M.: A theory of fuzzy measures. Representation, the Choquet integral and null sets. J. Math. Anal. Appl. 159 (1991), 2, 532-549. | DOI | MR

[23] Nourian, A., Madnick, S.: A systems theoretic approach to the security threats in cyber physical systems applied to Stuxnet. IEEE Trans. Dependable Secur. Comput. 15 (2018), 1, 2-13. | DOI

[24] Ou, X., Singhal, A.: Quantitative Security Risk Assessment of Enterprise Networks. Springer, 2011.

[25] Qu, Z., Sun, W., Dong, J., Zhao, J., Li, Y.: Electric power cyber-physical systems vulnerability assessment under cyber-attack. Front. Energy Res. 10 (2023), 1-12. | DOI

[26] Rahman, I., Mohamad-Saleh, J.: Hybrid bio-Inspired computational intelligence techniques for solving power system optimization problems: A comprehensive survey. Appl. Soft Comput. 69 (2018), 72-130. | DOI

[27] Salayma, M.: Threat modelling in Internet of Things (IoT) environments using dynamic attack graphs. Front. Internet of Things 3 (2024), 1-25. | DOI

[28] Semertzis, I., Rajkumar, V. S., Ştefanov, A., Fransen, F., Palensky, P.: Quantitative risk assessment of cyber-attacks on cyber-physical systems using attack graphs. In: 10th IEEE Workshop on Modelling and Simulation of Cyber-Physical Energy Systems (MSCPES), IEEE 2022, pp. 1-6.

[29] Shen, Y., Lin, L.: Adaptive output feedback stabilization for nonlinear systems with unknown polynomial-of-output growth rate and sensor uncertainty. Kybernetika 58 (2022), 4, 637-660. | DOI | MR

[30] Shikhaliyev, R.: Cybersecurity risks management of industrial control systems: A review. Probl. Inf. Technol. 15 (2024), 1, 37-43. | DOI

[31] Suh-Lee, C., Jo, J.: Quantifying security risk by measuring network risk conditions. In: IEEE/ACIS 14thInternational Conference on Computer and Information Science (ICIS), IEEE 2015, pp. 9-14.

[32] Wang, Z., Zhai, C., Zhang, H., Xiao, G., Chen, G., Xu, Y.: Coordination control and analysis of TCSC devices to protect electrical power systems against disruptive disturbances. Kybernetika 58 (2022), 2, 218-236. | DOI

[33] Xiao, F., McCalley, J. D.: Power system risk assessment and control in a multobjective framework. IEEE Trans. Power Syst. 24 (2009), 1, 78-85. | DOI

[34] Zhang, Q., Zhou, C., Tian, Y. C., Xiong, N., Qin, Y., Hu, B.: A fuzzy probability Bayesian network approach for dynamic cybersecurity risk assessment in industrial control systems. IEEE Trans. Ind. Inf. 14 (2018), 6, 2497-2506. | DOI

Cité par Sources :