Present the Ability of Risk Approaches to Adapt to Technology Evolution - Information Systems
For this assignment, you must create a PowerPoint presentation for technologists and managers in your selected organization that presents the ability of different risk approaches to adapt to the evolution of technology.
Your presentation should address the following:
Persuasive review of preparations needed to preempt future losses due to change, including the ability of the organization to adjust
Potential risks from technologies that may be adopted by your target organization
Anticipated changes resulting from changing threats
Implications resulting from new forms of defenses
Adjustments required because of compliance and changes in the legal process
Improvements available from new theories, models, and frameworks
Influences within the industry of your target organization and other external factors
Suggested changes to strategy, policy, and governance
Your presentation should comply with PowerPoint best practices and be appropriate for the intended audience:
Ensure each slide includes one main idea, a maximum of six bullet points, and a maximum of 30 total words. Use short phrases rather than full paragraphs.
Do not use more than 5 colors unless they indicate categories or sequences. Avoid using light text on a dark background.
Keep the font size between 18–30 points and use the same font throughout the presentation. Use the slide master feature to standardize the header placement and font sizes, etc.
Use PowerPoint features to create your own simple tables and images to support your content. Avoid the use of clipart.
Be sure all images support the content; they should not be used for decoration purposes.
Avoid the use of excessive movement (slide transitions, animated gifs, and word animations).
Length: 11-slide presentation with speaker notes for each slide.
References: Include at least 5 scholarly references.
The completed presentation should address all the assignment requirements, exhibit evidence of concept knowledge, and demonstrate thoughtful consideration of the content presented in the course. The writing should integrate scholarly resources, reflect academic expectations, and follow current APA standards.
Enabling Risk Management for Smart Infrastructures with an Anomaly Behavior
Analysis Intrusion Detection System
Jesus Pacheco1 Xiaoyang Zhu2 Youakim Badr2 Salim Hariri1
1Electrical and Computer Engineering Department
The University of Arizona
Tucson, USA
{Jpacheco, hariri}@email.arizona.edu
2University Lyon, INSA-Lyon,
LIRIS UMR 5205, F-69621
Lyon, France
{youakim.badr, xiaoyang.zhu}@insa-lyon.fr
Abstract— The Internet of Things (IoT) connects not only computers and mobile devices but also smart buildings, homes, and cities, as well as electrical grids, gas and water networks, automobiles, airplanes, etc. However, IoT applications introduce grand security challenges due to the increase in the attack surface. Current security approaches do not handle cybersecurity from a holistic point of view; hence a systematic cybersecurity mechanism needs to be adopted when designing IoT-based applications. In this work, we present a risk management framework to deploy secure IoT-based applications for Smart Infrastructures at design time and at runtime. At design time, we propose a risk management method that is appropriate for smart infrastructures. At runtime, our framework relies on the Anomaly Behavior Analysis (ABA) methodology, enabled by the Autonomic Computing paradigm, and an intrusion detection system to detect any threat that can compromise IoT infrastructures. Our preliminary experimental results show that our framework can be used to detect threats and protect IoT premises and services.
Keywords- IoT; cyber security; anomaly behavior analysis; threat model; risk management.
I. INTRODUCTION
Advances in mobile and pervasive computing, social network technologies, and the exponential growth in Internet applications and services have led to the development of the next generation of Internet services, known as the Internet of Things. It is expected that the number of IoT devices will reach more than 50 billion by 2020 [1]. IoT-based services will be a key enabling technology for the development of smart cities, which will revolutionize the way we do business, maintain our health, manage critical infrastructures, conduct education, and secure, protect, and entertain ourselves [2][3].
IoT applications such as critical infrastructures (e.g., the smart grid) are large-scale distributed systems, comprised of complex systems and characterized by interdependence, independence, cooperation, competition, and adaptation [4][5]. Examples of large-scale IoT applications include electric grids interconnected with other sectors (smart grids), the urban transportation sector interconnected with wireless networks (smart transportation), building devices integrated into a larger home monitoring system (smart buildings), and federated health information systems (smart health), to mention just a few. In this context, systems interact with each other using different levels of trust relationships and consequently require robust security solutions to protect information and processes.
With the use of IoT techniques, we face grand challenges in securing and protecting such advanced information services due to the significant increase in the attack surface [6]. The interconnections between growing numbers of devices expose IoT applications to attackers. Even devices that are intended to operate only in local area networks are sometimes connected to the Internet due to careless configuration or to satisfy special needs (e.g., they need to be remotely managed). As a result, devices can be easily compromised and become subject to cyber-security risks and attacks with severe impacts (e.g., life-threatening scenarios) [3][5].
In order to reduce security threats, risk management is used to support information systems by identifying security constraints on what should be protected, applying systematic and reliable risk management methodologies [6]. However, applying risk management to the IoT is not as straightforward as risk management in information systems [7]. In fact, the IoT is still in its infancy, with a lack of common standards, a wildly divergent number of communication protocols and hardware and software platforms for solving IoT problems, and rapid changes in technologies, which bring new and unforeseen risks.
Given this, a new risk management approach is needed to protect IoT-based applications by continuously identifying security risks, not only at design time of IoT-based applications but also at runtime.
To this end, we introduce an IoT risk management framework for smart infrastructures to recognize vulnerabilities and identify possible countermeasures in order to mitigate their exploitation. Our framework consists of four layers: devices (end nodes), network, services, and application, and relies on a general threat model covering risks at each layer. At run-time, the framework provides an Anomaly Behavior Analysis Intrusion Detection System (ABA-IDS) to detect anomalies that could be triggered by attacks against elements in each layer (e.g., sensors, protocols, wireless communication, etc.). The main feature of ABA-IDS is its capability to detect novel attacks. Our ABA-IDS defines a baseline model of normal behavior for each layer through off-line training and considers any activity that lies outside this normal model an anomaly.
2nd IEEE International Workshops on Foundations and Applications of Self* Systems
978-1-5090-6558-5/17 $31.00 © 2017 IEEE
DOI 10.1109/FAS*W.2017.71
Authorized licensed use limited to: Northcentral University. Downloaded on October 19,2021 at 13:58:57 UTC from IEEE Xplore. Restrictions apply.
From an experimental standpoint, we have evaluated our framework by launching several cyberattacks (e.g., Sensor Impersonation, Replay, and Flooding attacks) against our Smart Building testbed developed at the University of Arizona Center for Cloud and Autonomic Computing. The results show that our IoT security framework can be used to develop effective security mechanisms to protect the normal operations of each layer. Moreover, our framework can detect known and unknown attacks against IoT elements with a high detection rate and a low false alarm rate.
The rest of the paper is organized as follows. Section II gives a brief overview of the related work. Section III is devoted to explaining our IoT security framework for smart infrastructures. In Section IV we show some of our preliminary results for each layer of our framework. The last section concludes the paper and discusses future research directions.
II. RELATED WORK
The need for sharing resources and information exposes IoT systems and their data to attacks (e.g., falsification attacks), leading to incorrect information delivery to users and causing them to take wrong and dangerous actions. For example, the Stuxnet attack [11] was successfully launched and compromised nuclear plant facilities. In this case, the main concern was the elevation of privileges to perform malicious actions against cyber-physical systems. Another example is in [12], where the authors show how a Bluetooth connection was used in a smart city to change traffic sensor firmware in order to gather information and to modify the data provided by those sensors. In this attack, the main concern is information disclosure and falsification. These examples are real-world scenarios that show how critically important it is to secure and protect IoT operations against cyberattacks.
Studies have shown that security in any IoT application will be crucial in the years to come. Hence, various approaches have been proposed in the literature to deal with key IoT elements (e.g., end devices, protocols, services, etc.). For instance, in [14] the authors show how pre-shared key solutions could be used in limited real-life scenarios where the distribution of keys in an offline mode is possible. In [15] an Internet Key Exchange compression scheme has been proposed to provide a lightweight automatic mechanism to establish security associations for IPsec and the HIP Base Exchange. Another approach can be seen in [16], in which the authors introduced a delegation procedure that enables a client to delegate certificate validation to a trusted server. While the proposed delegation approaches reduce the computational load at the constrained nodes, they break the end-to-end principle by requiring a trusted third party.
Improving security and reducing risks in the Internet of Things relies on analysing threats, risks, and vulnerabilities to specify appropriate countermeasures. Many risk assessment methodologies have been proposed in the literature for information systems, such as EBIOS [21], OCTAVE [22], CRAMM [23] and MEHARI [24]. These methods cover the identification of assets, access modes, actors involved, motivations, and effects; they link these to actions and estimate their impacts and cost. They require a well-known context definition as an entry point to assess all elements related to the risk analysis and vulnerability evaluation. Unfortunately, the context is unpredictable in the Internet of Things, since all devices and actuators are distributed in a dynamic environment. Despite their differences, these methods share one main factor, "the context definition". This factor makes risk management harder to adapt to dynamic environments where the system's context may change permanently.
The pervasive, distributed, and evolving nature of IoT applications makes it difficult to consider security from a holistic point of view. To address this problem, we have proposed an IoT risk management framework that can be used at design time when architecting smart infrastructures. We discuss our approach in the next sections.
III. IOT RISK MANAGEMENT FRAMEWORK FOR SMART
INFRASTRUCTURES
In the realm of the Internet of Things, risk management should take dynamic context into account. In addition, the continuous evolution of dynamic environments and advances in IoT-based technologies require new strategies to secure resources and connected devices. Risk evaluation should be adapted to an ever-changing context during the execution of connected devices and without loss of functionality. A global security policy must be adaptable at any time to address new changes, which leads to new challenges in risk management in the Internet of Things.
We propose to extend the risk management of traditional information systems to enable security and risk management in the Internet of Things. The first step toward secured critical infrastructures in the Internet of Things in a dynamic environment tackles the definition of the 'context' and the identification of the functionalities and characteristics needed to establish a risk management framework of trust communities.
Our proposed risk management framework aims at reducing security risks not only at design time, by assessing risks, but also at runtime, by enabling an Anomaly Behavior Analysis Intrusion Detection System (ABA-IDS). The risk management framework consists of a risk management methodology covering four levels (applications, services, communications, and end nodes) and applying four fundamental functions (see Fig. 1):
• Model Specification: To characterize the normal operations of each layer. This is helpful to build the reference model that describes the normal behavior of the system at each stage.
• Attack Surface Identification: To identify the entry points that can be exploited by a cyber adversary.
• Impact Analysis: To analyze the impact of a cyber-attack.
• Risk Mitigation: To accurately choose the protection mechanism to be applied in accordance with the impact analysis.
[Fig. 1 layout: four rows (Applications, Services, Communications, End Nodes), each with its own model (Applications Model, Services Model, Communications Model, End Devices Model) followed by Attack Surface, Impact, Mitigation, and Priority columns]
Fig. 1. IoT Risk Management Framework for Smart Infrastructures
In the first level (end nodes), information passes through physical devices that identify or modify the physical world. This information includes object properties, environmental conditions, raw data, etc. The key components in this level are sensors, which capture and represent the physical world in the digital world; actuators, which modify the environment to a desired state; and local controllers, which take immediate actions when required. The targets at this level are local controllers, sensors, actuators, and information. The impact can be loss or waste of energy, human safety, and the provider's reputation. Mitigation mechanisms include lightweight encryption, sensor authentication, IDS, and behavior analysis.
The communications level is responsible for reliable transmission of information to and from end nodes. The technologies used in this level include Internet protocols (HTTP, TCP/IP), radio and mobile communication networks (LoRa, GSM, LTE, ...) and network infrastructures. An intruder can target protocols, firewalls, routers, or the communication bus to gather information or to launch malicious commands. The impact can be measured in terms of monetary loss, human safety, privacy, and energy consumption. To overcome these issues, authentication and encryption techniques can be used (among other techniques).
At the service level, all the required computational power is mostly provided as cloud and/or fog services. This level is used for remotely monitoring and controlling the system, as well as for storing data and analyzing large amounts of information. An attacker can target cloud storage to gather information or change the content of cloud-based databases/containers, leading to life-threatening scenarios, loss of money, and information disclosure. Mitigation mechanisms at this level include encryption, intrusion detection systems, selective disclosure, and data distortion.
The application layer provides personalized services according to the needs of the user. Access to IoT services is through this layer, and it can be via mobile technology such as a cellphone or mobile application, or a smart appliance or device. In this layer, data sharing is an important characteristic, and consequently application security must address data privacy and access control.
At each level, risk is assessed and managed by enforcing accurate security policies; in this way our framework complies with the National Institute of Standards and Technology (NIST) Security Framework for Critical Infrastructures [8]. As shown in Fig. 1, each layer of the IoT architecture has its own threat model, which can be defined in terms of five components: layer service model, attack surface, impact, mitigation, and priority. For each level, after we define the behavior or functional model, we identify the attack surface, which characterizes the entry points that can be exploited by attackers to inject malicious events and impact the normal operations of that layer. Then we identify the potential impact of exploiting the vulnerabilities. With the obtained information, we identify the mitigation mechanisms that can be implemented to diminish these threats. Finally, we prioritize the mitigation strategies according to their potential impact on the system. By following this architecture, we can ensure the development of highly secure and trustworthy IoT services.
IV. PRELIMINARY RESULTS
A. End Nodes Level
As we previously mentioned, the key components in this layer are the sensors, actuators, and local controllers. We have experimented with sensors in the first level to detect when an IoT sensor has been compromised by an adversary. For this case, we first extract unique signatures that describe the behavior of sensors using the Discrete Wavelet Transform (DWT) [3]. A set of signatures is used to build the reference model, which is built taking into consideration the Euclidean Distance (ED) between signatures. From the obtained EDs, we compute the mean and standard deviation to establish the limits of normal operation [3]. The reference model contains a sample signature and the limits of normal operation. After we obtain the reference model, we extract runtime signatures to detect any drift in the behavior (when the ED exceeds the normal operation limits), which we call abnormal behavior. This method can also be used to create signatures for known attacks (e.g., replay attack), so that our risk management approach can take more accurate mitigation actions. Table I shows some of the results we obtained for a set of attacks against IoT sensors.
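As an added illustration of the end-nodes method just described (example code written for this page, not the authors' implementation from [3]), the block below builds a sensor reference model from DWT signatures and classifies runtime windows by Euclidean distance from the sample signature. Assumptions not taken from the paper: the signature is formed from the final-level Haar approximation coefficients plus one detail-energy value per level; the limit of normal operation is mean + 3·std of the EDs; every window is a constructed 8-sample temperature reading; and the known-attack library (KNOWN_ATTACKS) holds one constructed window per attack name.

```python
import math

# Constructed 8-sample windows from a room-temperature sensor (degrees C).
# Illustrative values, not readings from the paper's testbed.
NORMAL_WINDOWS = [
    [22.0, 22.2, 22.0, 22.2, 22.0, 22.2, 22.0, 22.2],
    [22.2, 22.0, 22.2, 22.0, 22.2, 22.0, 22.2, 22.0],
    [22.0, 22.0, 22.2, 22.2, 22.0, 22.0, 22.2, 22.2],
    [22.1] * 8,
    [22.0, 22.1, 22.2, 22.1, 22.0, 22.1, 22.2, 22.1],
    [22.1, 22.2, 22.1, 22.0, 22.1, 22.2, 22.1, 22.0],
]

# Constructed library of known-attack windows (one representative window each);
# the attack names and windows are assumptions of this example.
KNOWN_ATTACKS = {
    "noise_injection": [22.1, 19.5, 24.8, 22.0, 20.3, 24.9, 21.8, 23.0],
    "sensor_silenced": [0.0] * 8,
}


def haar_signature(window, levels=2):
    """Multi-level Haar DWT of a window.

    The signature layout is an assumption of this example: the approximation
    coefficients of the last level (the slow trend) followed by one energy
    value per detail level (how much high-frequency content the window
    carries). The window length must be divisible by 2**levels.
    """
    approx = list(window)
    energies = []
    for _ in range(levels):
        nxt, detail = [], []
        for x0, x1 in zip(approx[0::2], approx[1::2]):
            nxt.append((x0 + x1) / math.sqrt(2))
            detail.append((x0 - x1) / math.sqrt(2))
        energies.append(math.sqrt(sum(d * d for d in detail)))
        approx = nxt
    return approx + energies


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_reference_model(normal_windows, k=3.0, levels=2):
    """Reference model: one sample signature plus the limit of normal
    operation, set to mean + k*std of the EDs between that sample and the
    remaining training signatures (k = 3 is an assumption)."""
    sigs = [haar_signature(w, levels) for w in normal_windows]
    sample, others = sigs[0], sigs[1:]
    eds = [euclidean(sample, s) for s in others]
    mean = sum(eds) / len(eds)
    std = math.sqrt(sum((e - mean) ** 2 for e in eds) / len(eds))
    return {"sample": sample, "levels": levels, "mean": mean, "std": std,
            "limit": mean + k * std}


def classify(model, window):
    """Runtime check: an ED from the sample signature beyond the limit is
    abnormal behavior. Returns (label, ed)."""
    ed = euclidean(model["sample"], haar_signature(window, model["levels"]))
    return ("abnormal" if ed > model["limit"] else "normal"), ed


def nearest_known_attack(model, window):
    """Name the stored attack window whose signature is closest to an
    abnormal window, so a mitigation can be chosen. Returns (name, ed)."""
    sig = haar_signature(window, model["levels"])
    return min(((name, euclidean(sig, haar_signature(w, model["levels"])))
                for name, w in KNOWN_ATTACKS.items()), key=lambda t: t[1])


if __name__ == "__main__":
    model = build_reference_model(NORMAL_WINDOWS)
    print("limit of normal operation: %.3f" % model["limit"])
    for w in ([22.1, 22.0, 22.1, 22.2, 22.1, 22.0, 22.1, 22.2],
              [22.0, 24.5, 19.8, 22.2, 25.1, 21.0, 22.0, 18.9],
              [0.0] * 8):
        label, ed = classify(model, w)
        nearest = nearest_known_attack(model, w)[0] if label == "abnormal" else ""
        print(label, "ed=%.3f" % ed, nearest)
```

One point worth keeping in mind when choosing the signature: the orthonormal Haar transform preserves Euclidean distance, so comparing full coefficient vectors would be identical to comparing raw samples; it is the reduced signature (trend plus per-level detail energy) that keeps the model compact and makes injected noise stand out in the detail energies. In this example a replayed normal window reproduces a normal signature, so detecting replay needs sequence context that a single-window distance does not carry.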
TABLE I. TESTED ATTACKS VS DETECTION RATE FOR END NODES
Attack                      Detection Rate
Replay Attack [17]          98%
Delay Attack [18]           98%
DoS Attack [18]             99.9%
Flooding Attack [18]        98%
Sensor Impersonation [19]   97.4%
Pulse DoS [18]              96%
Noise injection [20]        100%
From Table I, the pulse DoS and noise injection attacks were not used to train the system, but they can still be detected. There are two cases that trigger false positives: the first happens when a behavior is not considered in the training phase (e.g., a cold object near the temperature sensor); in the second, the sensor needs to reach its steady state after an attack. Our experiments show that at most 3.2% of these situations produced false positive alerts.
B. Communications Level
A key component in the communications level is the secure gateway, which is the (local) point of access to the system, used to monitor sensors or issue commands to the actuators. To highlight the usability of our framework, in this layer we have developed an anomaly behavior analysis (ABA) methodology to detect attacks targeting the availability of a secure gateway, which is part of the communication layer in our IoT risk management framework. Our ABA methodology relies on the principle that a system's normal behavior can be characterized using global variables such as system memory, mounted devices, hardware configuration, etc. We divided our methodology into two stages:
• Offline training. The final goal of this stage is to create the reference model of the system. The first step is to select the features that are useful to characterize the system; after verifying the correlation of the 260 available system variables, we found that 11 are enough to represent the secure gateway's normal behavior. The next step is to create a dataset of the selected features. Our dataset contains both normal data, which represents the normal behavior of the system, and abnormal data, which represents the behavior of the system under known attacks. We built the model of normal operations based on the selected features using data mining techniques (e.g., JRip [9]). Once the model is extracted, it is tested in the second stage (runtime) to measure detection accuracy and false positive alerts.
• Runtime testing. The main goal of the runtime unit is to classify the behavior of the system and rank the impact of an abnormal behavior in order to perform accurate risk management. The first step is to collect the information (monitoring) about the selected features. Then we classify the incoming traffic as normal or abnormal, taking into consideration a rule-based model created using JRip. If the traffic is determined to be abnormal, the impact of the abnormality is classified using a decision tree [9].
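To make the offline-training and runtime-testing stages concrete, the following added example (written for this page; it is neither the authors' code nor JRip, which is a Weka implementation) trains on constructed gateway telemetry: it prunes features whose pairwise Pearson correlation with an already kept feature exceeds a threshold, learns one ordered single-feature threshold rule per known attack in the style of a rule list, and at runtime labels a sample with the first matching rule, flagging a sample that matches no rule but leaves the normal training envelope as an unknown anomaly. The feature names, the 0.95 correlation threshold, the attack labels and every row of TRAINING are assumptions of this example.

```python
import math

FEATURES = ["rx_pps", "rx_bytes_ps", "open_conns", "cpu_pct"]


def _row(rx_pps, open_conns, cpu_pct):
    # rx_bytes_ps is a fixed multiple of rx_pps: it stands in for the
    # redundant system variables that correlation analysis removes.
    return {"rx_pps": rx_pps, "rx_bytes_ps": rx_pps * 900,
            "open_conns": open_conns, "cpu_pct": cpu_pct}


# Constructed gateway telemetry (one row per sampling interval) with labels.
TRAINING = [
    (_row(50, 10, 20), "normal"), (_row(55, 12, 22), "normal"),
    (_row(45, 9, 18), "normal"), (_row(52, 11, 21), "normal"),
    (_row(48, 10, 19), "normal"), (_row(50, 10, 20), "normal"),
    (_row(900, 12, 60), "flooding"), (_row(950, 11, 65), "flooding"),
    (_row(1000, 10, 70), "flooding"),
    (_row(200, 300, 80), "http_get"), (_row(220, 320, 85), "http_get"),
    (_row(210, 350, 90), "http_get"),
]


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def select_features(rows, features, max_corr=0.95):
    """Keep a feature only if it is not strongly correlated with one already
    kept (greedy, in the given order; the 0.95 cut-off is an assumption)."""
    kept = []
    for f in features:
        col = [r[f] for r in rows]
        if all(abs(pearson(col, [r[k] for r in rows])) < max_corr for k in kept):
            kept.append(f)
    return kept


def learn_rules(rows, labels, features):
    """One ordered rule per attack class: the single-feature threshold test
    ('feature > t' or 'feature <= t') with the best training accuracy at
    separating that class from every other row. The default class is normal."""
    rules = []
    for cls in sorted(set(labels) - {"normal"}):
        target = [lab == cls for lab in labels]
        best = None  # (accuracy, feature, op, threshold)
        for f in features:
            vals = sorted(set(r[f] for r in rows))
            for lo, hi in zip(vals, vals[1:]):
                t = (lo + hi) / 2
                for op in (">", "<="):
                    preds = [(r[f] > t) if op == ">" else (r[f] <= t) for r in rows]
                    acc = sum(p == y for p, y in zip(preds, target)) / len(rows)
                    if best is None or acc > best[0]:
                        best = (acc, f, op, t)
        rules.append((best[1], best[2], best[3], cls))
    return rules


def normal_envelope(rows, labels, features):
    """Per-feature (min, max) observed on the normal training rows."""
    normal = [r for r, lab in zip(rows, labels) if lab == "normal"]
    return {f: (min(r[f] for r in normal), max(r[f] for r in normal)) for f in features}


def train(training=TRAINING):
    rows = [r for r, _ in training]
    labels = [lab for _, lab in training]
    feats = select_features(rows, FEATURES)
    return {"features": feats, "rules": learn_rules(rows, labels, feats),
            "envelope": normal_envelope(rows, labels, feats)}


def classify(model, sample):
    """Runtime stage: the first matching rule names a known attack; a sample
    matching no rule but leaving the normal envelope is an unknown anomaly."""
    for f, op, t, cls in model["rules"]:
        if (sample[f] > t) if op == ">" else (sample[f] <= t):
            return cls
    for f, (lo, hi) in model["envelope"].items():
        if not lo <= sample[f] <= hi:
            return "unknown_anomaly"
    return "normal"


if __name__ == "__main__":
    m = train()
    print("kept features:", m["features"])
    print("rules:", m["rules"])
    for s in (_row(1200, 11, 66), _row(205, 330, 84), _row(49, 10, 19), _row(52, 12, 95)):
        print(s, "->", classify(m, s))
```

On the constructed rows the correlation step drops rx_bytes_ps (it is an exact multiple of rx_pps) and keeps the other three, and the learned rule list is rx_pps > 560 for flooding followed by open_conns > 156 for the HTTP GET flood; the envelope check is what lets a sample such as normal traffic with 95% CPU be reported as an anomaly the rules were never trained on, which is the "unknown attack" case the paper describes.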
Some of the results obtained at this level are shown in Table II. As can be seen from Table II, the worst-case scenario for our methodology is a 92.3% detection rate for Pulse DoS. However, some of the detected attacks were not trained into the system, meaning that our ABA methodology can be used to detect known and unknown attacks with a high detection rate and low false positives (less than 3% in the worst-case scenario).
TABLE II. TESTED ATTACKS VS DETECTION RATE FOR COMMUNICATIONS
Attack               Detection Rate (%)
Flooding [18]        94.2
Replay [17]          96.3
Pulse DoS [18]       92.3
HTTP GET [20]        98.0
Replay + HTTP GET    99.2
C. Services Level
At the services layer, all the required computational power is mostly provided by cloud services. This layer is used for remotely monitoring and controlling IoT systems, as well as for storing data and analyzing large amounts of information. In general, IoT services fall into four categories:
1) identity services,
2) information aggregation services,
3) collaborative-aware services, and
4) ubiquitous services.
Based on our work in [10], we adopted a holistic approach to define a security conceptual model that covers all elements at the business, service, and infrastructure levels (Fig. 2) and illustrates the causal relationships between these levels. In practice, the dependency model is a complex graph because it is built from instances of each type of essential asset, and hence it can be learned from lists of essential assets using, for example, Bayesian networks.
Since information security is subject to uncertain and unforeseen threats, we proposed a fuzzy logic decision system that helps identify security risks based on the security conceptual model and selects appropriate security measures based on security objectives.
Fig. 2. The Dependency Model
D. Application Level
The application layer provides the services requested by customers. For instance, a mobile application can report home temperature measurements when requested by the home user. The relevance of this layer from the point of view of the IoT is that it has the ability to provide high-quality smart services to meet users' needs. In [6] we distinguish between steady and dynamic environments in which information systems are deployed and monitored. We demonstrated that a global security policy must be adaptable at any time to address new changes in dynamic environments and cope with new challenges in risk management. We introduce a holistic approach to risk and security management through the definition of a Service Characteristics Infrastructure, including certificate authorities, signed service characteristics, and security policies.
V. CONCLUSION AND FUTURE WORK
Due to the exponential growth in the number of interconnected devices, cyber-security in the IoT is a major challenge. It relies heavily on the digital identity concept to build security mechanisms such as authentication and authorization. In this paper we introduced an IoT Risk Management Framework for Smart Infrastructures that can be used as a systematic way to build general protection mechanisms for IoT applications rather than creating ad-hoc solutions for each IoT application.
We are currently experimenting with a Blockchain-based Identity Framework for IoT (BIFIT). The idea is to apply our approach to IoT smart infrastructures to autonomously extract appliance signatures and create Blockchain-based identities for the appliance owners.
Acknowledgements: This work is supported by Thomson
Reuters in the framework of the Partner University Fund
project: “Cybersecurity Collaboratory: Cyberspace Threat
Identification, Analysis and Proactive Response”. The
Partner University Fund is a program of the French Embassy
in the United States and the FACE Foundation and is
supported by American donors and the French government.
REFERENCES
[1] Verizon (May 2017). Create intelligent, more meaningful business connections. Retrieved from http://www.verizonenterprise.com/solutions/connected-machines/
[2] Z. Andrea, B. Nicola, Angelo C., Lorenzo V., and Michele Z., "Internet of Things for Smart Cities", IEEE Internet of Things Journal, vol. 1, no. 1, February 2014.
[3] J. Pacheco, S. Hariri, "IoT Security Framework for Smart Cyber Infrastructures", IEEE 1st International Workshops on Foundations and Applications of Self-* Systems, Germany, 2016.
[4] V. Chiprianov, L. Gallon, M. Munier, P. Aniorte, and V. Lalanne. Challenges in Security Engineering of Systems-of-Systems. In Troisième Conférence en IngénieriE du Logiciel (p. 143).
[5] R. Valerdi, A.M. Ross, and D.H. Rhodes. A framework for evolving system of systems engineering.
[6] P.B. Nassar, Y. Badr, K. Barbar, and F. Biennier, "Risk management and security in service-based architectures." In Advances in Computational Tools for Engineering Applications, 2009. ACTEA09. International Conference on, pp. 214-218. IEEE, 2009.
[7] H. Suo, J. Wan, C. Zou, J. Liu, "Security in the Internet of Things: A Review", International Conference on Computer Science and Electronics Engineering (ICCSEE), 2012, vol. 3.
[8] National Institute of Standards and Technology (NIST), United States of America. "Framework for Improving Critical Infrastructure Cybersecurity." (2017)
[9] I. Witten, F. Eibe, A.H. Mark, and J.P. Christopher. Data Mining: Practical machine learning tools and techniques. Morgan Kaufmann, 2016.
[10] Y. Badr and S. Banerjee. "Managing End-to-End Security Risks with Fuzzy Logic in Service-Oriented Architectures." In Services (SERVICES), 2013 IEEE Ninth World Congress on, pp. 111-117. IEEE, 2013.
[11] D. Kushner, "The Real Story of Stuxnet: How Kaspersky Lab tracked down the malware that stymied Iran's nuclear-fuel enrichment program", IEEE Spectrum, February 2013.
[12] D. Legezo (Kaspersky Lab): How to trick traffic sensors. (April 2016). Retrieved from https://securelist.com/blog/research/74454/how-to-trick-traffic-sensors/
[13] D. Takahashi, Y. Xiao, and F. Hu, "A survey of security in telemedicine with wireless sensor networks." Mobile Telemedicine: A Computing and Networking Perspective (2008): 209-235.
[14] M. Prashar, R. Vashisht. Survey on pre-shared keys in wireless sensor network. Int J Sci Emerging Technol Latest Trends. 2012;4(1):42-48.
[15] S. Sahraoui, A. Bilami. Efficient HIP-based approach to ensure lightweight end-to-end security in the internet of things. Comput Networks. 2015;91:26-45.
[16] T. Freeman, R. Housley, A. Malpani, D. Cooper, W. Polk, 2007. Server-based certificate validation protocol (SCVP). Internet Proposed Standard RFC 5055.
[17] A. Hoehn, P. Zhang. "Detection of replay attacks in cyber-physical systems." In American Control Conference (ACC), 2016, pp. 290-295. IEEE, 2016.
[18] V. Namboodiri, V. Aravinthan, S. Mohapatra, B. Karimi, W. Jewell, "Toward a Secure Wireless-Based Home Area Network for Metering in Smart Grids," IEEE Systems Journal, vol. PP, no. 99, pp. 1-12, doi: 10.1109/JSYST.2013.2260700.
[19] N. Tanabe, E. Kohno, Y. Kakuda. "A path authenticating method using bloom filters against impersonation attacks on relaying nodes for wireless sensor networks." In 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops, 2013 Jul 8 (pp. 357-361). IEEE.
[20] V.P. Illiano, E. Lupu. "Detecting malicious data injections in wireless sensor networks: A survey". ACM Computing Surveys (CSUR). 2015 Nov 21;48(2):24.
[21] DCSSI: EBIOS - Expression of Needs and Identification of Security Objectives. 2004. http://www.ssi.gouv.fr/en/confidence/ebiospresentation.html
[22] J. Eom, S. Park, Y. Han, T. Chung, Risk Assessment Method Based on Business Process-Oriented Asset Evaluation for Information System Security, Proc. ICCS 2007, Lecture Notes in Computer Science, Vol. 4489 (Springer Berlin, 2007) 1024-1031.
[23] Insight Consulting: CRAMM (CCTA Risk Analysis and Management Method) User Guide version 5.0. SIEMENS. http://www.cramm.com/
[24] CLUSIF: MEHARI 2007 (Méthode Harmonisée d'Analyse du Risque Informatique). https://www.clusif.asso.fr/fr/production/mehari/
Integrated Safety and Cybersecurity Risk Analysis
of Cooperative Intelligent Transport Systems
Giedre Sabaliauskaite, Jin Cui, Lin Shen Liew, and Fengjun Zhou
Centre for Research in Cyber Security (iTrust)
Singapore University of Technology and Design
Singapore 487372, Singapore
Abstract—Automated Vehicles (AVs), i.e. self-driving vehicles, are expected to outperform human drivers and improve road safety in the near future. However, to achieve these goals, they need to communicate with each other and with the other road participants and coordinate their actions. The systems of connected cooperative AVs are called Cooperative Intelligent Transport Systems (C-ITS). Similar to AVs, C-ITS are vulnerable to failures and cyberattacks. In our previous work, we proposed a method, US2, for AV risk analysis. This paper extends US2 and presents a method for integrated C-ITS safety and cybersecurity risk analysis. It takes into consideration the automotive safety and cybersecurity standards ISO 26262 and SAE J3061, and utilizes elements of the previously proposed risk analysis methods US2, EVITA, TVRA, and RACE.
Index Terms—automated vehicle, cooperative intelligent transport system, safety, security, risk analysis
I. INTRODUCTION
Automated Vehicles (AVs) are self-driving vehicles. In AVs, the automated driving system is able to partially or completely replace a human driver in performing the driving functions required to operate the vehicle in on-road traffic. AV technology is promising, as it can help to reduce commuting time and enable more people to enjoy the freedom of traveling (e.g. the elderly and people with disabilities). But, most importantly, it could help to significantly reduce traffic injuries and fatalities [1]. However, to achieve these goals, AVs must be safe and secure. Unfortunately, the first fatal crash of an AV involving a pedestrian was reported in March 2018 [2]. Thus, there is an urgent need to assure AV safety and security to prevent such accidents from happening in the future.
AVs are complex Cyber-Physical Systems (CPSs), which
integrate embedded computing technology into physical phe-
nomena, and therefore they are vulnerable not only to failures,
but also to cyberattacks [3]. Thus, safety and security have to
be considered while developing, testing, and deploying AVs on
public roads [1]. In order to outperform human drivers, AVs
need to communicate with the other traffic participants. The
communications will allow road users and traffic managers to
share and use information to coordinate their actions [4]. The
systems of connected cooperative AVs are called Cooperative
Intelligent Transport Systems (C-ITS) [4] [5]. C-ITS may
include AVs, roadside infrastructure, and other systems.
In Europe, a CAR-2-CAR Communication Consortium
(C2C-CC) has been established with the primary objective of
further increasing road traffic safety and efficiency by means of
C-ITS [6]. C2C-CC has defined a 4-phase roadmap for deploy-
ment of C-ITS: awareness driving phase (vehicles disseminate
only their status information), sensing driving phase (vehicles
exchange their sensor information), cooperative driving phase
(vehicles share their intentions with other traffic participants),
and, finally, synchronized cooperative driving phase (vehicles
exchange and synchronize their driving trajectories to achieve
optimal driving patterns) [5].
C-ITS are vulnerable to failures and attacks, just as AVs are. Thus, assuring the safety and security of C-ITS is crucial. How can we assess C-ITS safety and security risks, taking into consideration the above-mentioned C-ITS deployment phases? In our previous research, we proposed a method, US2 [7], for AV safety and security risk analysis at the single-vehicle level. In this paper, we extend the earlier approach to enable safety and security risk analysis at the C-ITS level.
The remainder of the paper is structured as follows. Sec-
tion II includes the preliminaries. Section III describes the
related work in the area of AV safety and security risk analysis.
Section IV explains the proposed approach. Finally, Section V
concludes the paper.
II. PRELIMINARIES
A. Automated Vehicles
Automated road vehicles perform the driving functions
required to operate the vehicle in on-road traffic. These are
the real-time operational and tactical functions, which include
lateral and longitudinal vehicle motion control, monitoring
the driving environment, object and event response execution,
maneuver planning, and enhancing conspicuity via lighting,
signaling, etc. These functions are collectively called the
Dynamic Driving Task (DDT) [8].
AVs perform the entire DDT or part of it depending on their automation level. The international standard SAE J3016 [8] describes six driving automation levels. At level 0, the human driver performs the entire DDT. At level 1, an automated system can assist the human driver with either the lateral or the longitudinal vehicle motion. At level 2, an automated system performs the lateral and the longitudinal vehicle motion, while the driver monitors the driving environment. At level 3, an automated system can perform the entire DDT, but the human driver must be ready to take back control when the automated system requests it. There is no human driver at level 4; an automated system conducts the entire DDT, but it can operate only in certain environments and under certain conditions. Finally, at level 5, an automated system performs the entire DDT in all environments.
2018 Joint 10th International Conference on Soft Computing and Intelligent Systems and 19th International Symposium on Advanced Intelligent Systems
978-1-5386-2633-7/18/$31.00 ©2018 IEEE
DOI 10.1109/SCIS-ISIS.2018.00120
Figure 1. AV functions [9]. (Block diagram; recoverable content: Sensing; World Model (Sensor Fusion, Self Localization, Real world projection, MAP); Trajectory (Mission planning, Path planning); Execution (Path following & control); and the cross-cutting Maintenance & Diagnostics and Emergency Response functions.)
The automated system implements the DDT using a set of functions, which can be grouped into three main categories: perception (perception of the external environment/context in which the vehicle operates), decision & control (decisions and control of vehicle motion with respect to the perceived external environment/context), and vehicle platform manipulation (sensing, control, and actuation of the vehicle with the intention of achieving the desired motion) [9] (see Fig. 1). In addition, AVs include a maintenance & diagnostics function, which handles software and hardware error information and reports it to the manufacturer, and an emergency response function.
Figure 2. AV components and communications. (Block diagram; recoverable content: at the AV level, the on-board computer, ECUs, and sensors and actuators (LiDAR, Camera, GNSS); at the C-ITS level, the C-CU inside each AV, the RSUs, and the V2X Network connecting AVs and RSUs.)
Fig. 2 shows the main components of an AV at two levels: the AV level and the C-ITS level. The AV's sensors, such as radar, camera, and LiDAR (Light Detection and Ranging), are responsible for sensing the vehicle's dynamics (e.g., location and speed) as well as its immediate environment (e.g., distances to neighboring vehicles, road traffic conditions, and traffic signs). The on-board computer processes this information and then sends control commands to the Electronic Control Units (ECUs), which control the corresponding actuators accordingly to achieve the desired movement speed and direction. Global Navigation Satellite System (GNSS) is often used by AVs to obtain accurate location information.
The connections between on-board computer, sensors,
ECUs, and actuators form an in-vehicle network (also called
the on-board network). In addition, AVs can communicate with
other AVs as well as the road infrastructure (Road Side Units,
RSUs) by the use of V2X (Vehicle-to-everything) network. A
C-ITS station unit, Cooperative Communication Unit (C-CU),
is added to the AV to enable communication with the V2X
network, as shown in Fig. 2. See next sub-section for more
details.
B. Connected Vehicles and Cooperative ITS (C-ITS)
Cooperation and coordination among AVs and other traffic
participants is becoming increasingly important with the de-
velopment of highly automated vehicles in order to produce
transportation system benefits [4] [5]. The communication
among AVs would enable them to drive closer to each other,
operate with better control and have quicker reaction, and
eventually avoid collisions.
In C-ITS, the service provision is enabled by the use of live
dynamic data from other vehicles and infrastructure, which are
implemented using vehicle-to-vehicle (V2V) and vehicle-to-
infrastructure (V2I) communications, collectively called V2X.
An on-board communication unit, C-CU, is used by the AV
to enable V2X communication, as shown in Fig. 2.
To the best of the authors' knowledge, no international standards for designing C-ITS have been developed yet. Thus, the standard ISO 21217 (Intelligent transport systems communications access for land mobiles (CALM) architecture), which was developed to define the common architectural framework of intelligent transport systems [10], could be used for this purpose. ITS is a system-of-systems, which consists of various traffic participants (systems), such as vehicles, roadside infrastructure, portable devices, control centers, etc., connected via various networking and access technologies including the Internet, public and private networks, Bluetooth, Wifi, cellular technologies, etc. Each of these systems contains a communication unit, the ITS station, a functional entity specified by the ITS architecture. In C-ITS, the ITS station corresponds to the C-CU.
C-ITS is expected to be launched in Europe in 2019 [4] [5] and deployed in four phases:
1 Awareness Driving phase (vehicles disseminate their status information, allowing other vehicles to be aware of the presence of other vehicles and hazards);
2 Sensing Driving phase (vehicles exchange their sensor information, such as camera and radar data, which allows other vehicles to see with the eyes of others and detect otherwise hidden objects);
3 Cooperative Driving phase (vehicles share their trajectories or planned maneuvers with other traffic participants, allowing them to accurately predict other traffic participants' behavior and optimize their own decisions);
4 Synchronized Cooperative Driving phase (vehicles exchange their coordination data and synchronize their driving trajectories to achieve optimal driving patterns).
Fig. 3 shows the C-ITS deployment phases with correspond-
ing services and data shared among vehicles, which enables the
implementation of these services. The amount of exchanged
data varies among phases, e.g., in phase 1, AVs exchange only
their status data, while in phase 3 - their status, sensor, and
intention data. The deployment of C-ITS needs to be closely
coordinated with the AV development and deployment, as C-
ITS phases 3 and 4 are feasible only for highly automated
vehicles (automation levels 4 and 5).
Figure 3. C-ITS deployment phases [5]. (Figure content, recovered as a table.)
Phase                                      C-ITS services                                                          Data shared among AVs
Phase 1: Awareness driving                 Basic warning services: intersection warning, emergency vehicle         Status data
                                           warning, hazard warning, etc.
Phase 2: Sensing driving                   Advanced warning services: vulnerable road user warning,                Status data, sensor data
                                           overtaking warning, etc.
Phase 3: Cooperative driving               Roadworks assistance, lane-merging assistance, platooning, etc.         Status, sensor, and intention data
Phase 4: Synchronized cooperative driving  Cooperative merging, overtaking assistance, dynamic platooning, etc.    Status, sensor, intention, and coordination data
AV driving automation level: from Level 1 (driving assistance) to Level 5 (full automation) across the phases.
The functions of the AVs participating in C-ITS have to be expanded to enable the use of data received from other vehicles. Fig. 4 shows two additional functions, Co-sensor fusion and Co-localization, added to the AV in C-ITS deployment phases 1 and 2. Co-sensor fusion combines the information of the local sensors installed in the AV with the sensor information of other vehicles. Co-localization identifies the location of other vehicles. In C-ITS deployment phases 3 and 4, additional functions, such as Mission co-planning and Path co-planning, will be implemented in AVs to manage data on other AVs' planned trajectories and maneuvers.
The deployment of C-ITS in Europe will start with phase 1 in 2019 and will continue up to the final phase (EC 2016).
III. RELATED WORK IN THE AREAS OF AV SAFETY AND
CYBERSECURITY RISK ANALYSIS
System safety is the state of a system that does not cause
harm to life, property, or the environment, collectively called
safety losses, while cybersecurity is the state that does not
allow exploitation of vulnerabilities to lead to losses, such as
financial, operational, privacy, or safety losses [11]. Thus, in
addition to safety, cybersecurity aims at protecting finances,
operations, and privacy.
Figure 4. AV functions in C-ITS deployment phases 1 and 2. (Block diagram; recoverable content: the functions of Fig. 1 (Sensing; World Model with Sensor Fusion, Self Localization, Real world projection, MAP; Trajectory with Mission planning and Path planning; Execution with Path following & control; Maintenance & Diagnostics; Emergency Response) plus the two added functions Co-Sensor Fusion and Co-Localization.)
Ensuring the safety of autonomous vehicles, i.e., reducing
the number of traffic crashes to prevent injuries and save lives,
is a top priority in autonomous vehicle development. Safety
and security are interdependent (e.g., security attacks can cause
safety failures, or security countermeasures may weaken CPS
safety and vice versa), therefore they have to be aligned in the
early system development phases to ensure the required level
of protection [12] [13].
The ISO 26262 standard [14], which defines functional safety for automotive equipment and is applicable throughout the life-cycle of all safety-related automotive Electronic and Electrical (E/E) systems, is currently being used for AV safety analysis. It aims to address possible hazards caused by the malfunctioning behavior of E/E systems. The safety process consists of several phases, such as concept, product development, production, operation, service, and decommissioning. Hazard Analysis and Risk Assessment (HARA) is performed during the concept phase, where hazardous events, safety risks, and safety goals are identified and analyzed. These goals are further refined into safety requirements, and, subsequently, safety countermeasures are designed and implemented to satisfy the requirements.
To analyze safety risks and determine their criticality, an Automotive Safety Integrity Level (ASIL) is assigned to each identified hazard during the HARA phase [14]. The hazards are quantified according to severity (S), probability of exposure (E), and controllability (C), as shown in Table I. There are three levels of severity: S1 - light or moderate injuries, S2 - severe injuries, and S3 - life-threatening injuries. Probability of exposure can be very low (E1), low (E2), medium (E3), or high (E4). Finally, four levels of controllability are defined: C0 - controllable in general, C1 - simply controllable, C2 - normally controllable, and C3 - difficult to control or uncontrollable.
ASIL A is the lowest safety integrity level, while ASIL D is the highest. QM (Quality Management) indicates that the hazard is of low risk and therefore is not required to comply with ISO 26262.
The currently available version of ISO 26262, published in 2011, requires the presence of a human driver to respond to unexpected environments and conditions, and is therefore not sufficient for highly automated AVs. A new version of ISO
Table I
AUTOMOTIVE SAFETY INTEGRITY LEVEL (ASIL) [14].
Severity S   Exposure E   Controllability C
                          C0    C1    C2    C3
S1           E1           QM    QM    QM    QM
S1           E2           QM    QM    QM    QM
S1           E3           QM    QM    QM    A
S1           E4           QM    QM    A     B
S2           E1           QM    QM    QM    QM
S2           E2           QM    QM    QM    A
S2           E3           QM    QM    A     B
S2           E4           QM    A     B     C
S3           E1           QM    QM    QM    A
S3           E2           QM    QM    A     B
S3           E3           QM    A     B     C
S3           E4           A     B     C     D
26262, which will take highly automated AVs into consideration, should be published by the end of 2018.
SAE J3061 is a vehicle cybersecurity standard [11], which was developed using the ISO 26262 standard as a guideline. Thus, both standards, ISO 26262 and SAE J3061, consist of similar phases. The security process defined by SAE J3061 includes the concept, product development, and production & operation phases. Threat Analysis and Risk Assessment (TARA) is performed during the concept phase, where threats, security risks, and security goals are defined and analyzed. ISO and SAE are currently jointly developing the vehicle standard ISO 21434 [15], which will replace SAE J3061 in 2019.
SAE J3061 [11] does not provide a unified method for cybersecurity risk analysis, but it includes several examples, such as the EVITA [16] and HEAVENS methods. In addition, the European Telecommunications Standards Institute (ETSI) proposed the TVRA (Threat, Vulnerability, and Risk Analysis) method [17]. Furthermore, in our previous work we proposed the US2 method [7] for unified safety and security risk analysis.
No standards defining AV system-of-systems safety and security are available yet. Thus, we can adapt ISO 26262 and SAE J3061 for analyzing C-ITS safety and security risks. In [18], Boudguiga et al. proposed the RACE (Risk Analysis for Cooperative Engines) method for C-ITS cybersecurity risk analysis, based on the EVITA and TVRA methods.
In this paper, we extend the US2 [7] method and propose an
approach for C-ITS cybersecurity and safety analysis, based
on the ISO 26262 and SAE J3061 standards, which uses
the elements of previously proposed methods US2, EVITA,
TVRA, and RACE.
IV. AN APPROACH FOR AV SAFETY AND CYBERSECURITY
RISK ANALYSIS IN C-ITS
In order to estimate risks, two main factors have to be defined: likelihoods (or probabilities) and impacts (or severities). During vehicle hazard risk analysis, likelihood is addressed by the probability of exposure, and impact by the severity and controllability [14] (see Section III), whereas cybersecurity threats are evaluated with respect to the severity of the possible outcome of an attack and the likelihood that a potential attack can be successfully carried out (the attack potential) [11].
We assume that the AV safety and security risk analysis
has been completed at a single AV level before performing
the analysis of C-ITS risks.
As we can see from Fig. 2, the main C-ITS components are: the communication units (C-CUs) installed inside AVs, the roadside infrastructure, and the V2X communication network. C-ITS safety analysis includes the risk analysis of hazards caused by accidental failures of these components and, consequently, failures of the C-ITS functions (the co-sensor fusion and co-localization functions shown in Fig. 4), while the cybersecurity risk analysis focuses on cyberattacks on V2X and C-CU and their effect on C-ITS functions.
C-ITS safety risk analysis is performed using the HARA process defined by the ISO 26262 standard [14] (see Section III). The following sub-sections describe the C-ITS cybersecurity risk analysis and its integration with the safety risk analysis.
A. C-ITS cybersecurity risk analysis
1) Attack potential: In EVITA [16], the authors define attack potential using the following five parameters: elapsed time, expertise, knowledge of the system, window of opportunity, and equipment. However, Macher et al. [19] point out that such an attack potential classification is too complex and requires a lot of effort. Out of these five parameters, knowledge of the system and required equipment are the key parameters that affect the success of an attack. Thus, we previously included only these two parameters in the US2 method [7] for defining the attack potential P. The same two parameters are used for defining the C-ITS attack potential, as described below.
Three levels of attacker knowledge, K, are identified: 0 - attackers do not require prior knowledge of the C-ITS; 1 - attackers need some basic knowledge or basic understanding of the C-ITS; 2 - attackers need comprehensive domain knowledge.
The equipment required to perform a successful attack, R,
can also be assigned to three levels: 0 - no special equipment
is needed; 1 - standard equipment is needed, which can be
easily obtained; 2 - specialized, not easy to obtain equipment
is required.
Using the knowledge K and the required equipment R, we can define the attack potential P, as shown in Table II. First, we define two extreme situations: if exerting a threat requires no tool (R = 0) and no knowledge (K = 0), the threat has high attack potential (P = 3); in contrast, if exerting a threat requires an advanced tool (R = 2) and specific training or knowledge (K = 2), the threat has very low attack potential (P = 0). In situations where, to realize a threat, an attacker needs either specific knowledge (K = 2) or a specific tool (R = 2), the attack potential is considered low (P = 1). If the requirement on knowledge and equipment is medium (K = 1 or R = 1, with neither equal to 2), the attack potential is medium (P = 2). All the combinations of (K, R) and the associated attack potential are listed in Table II.
Table II
ATTACK POTENTIAL P.
Potential P   Description   (K,R) combinations
0             Very low      (2,2)
1             Low           (2,0) (0,2) (1,2) (2,1)
2             Medium        (1,1) (0,1) (1,0)
3             High          (0,0)
2) Attack severity: Cyberattacks can lead to four different types of losses, i.e., safety, privacy, financial, and operational (as defined by the SAE J3061 standard [11]), which have to be considered while assessing the cybersecurity risks. EVITA [11] [16] has defined the attack severity SA as a vector of four components: SS (safety), SP (privacy), SF (financial), and SO (operational). SS evaluates the attack damage to the driver or passengers. SP is related to personal data exposure and vehicle tracking. SF defines the economic losses for users and vehicle manufacturers. Finally, SO describes the impact of the attack on vehicle performance.
The attack severity types proposed by EVITA [16] can be applied for evaluating C-ITS attack severity as well, as shown in the RACE method [18]. Thus, we use the same attack severity types in our approach. The severity levels for each severity type are shown in Tables III and IV, where four levels of severity, 0-3, are defined.
If an attack causes several types of losses with different levels of severity, the highest level is assigned to the attack as its severity SA. E.g., if SS=2 and SP=3, then SA=3.
Table III
ATTACK SEVERITY WITH RESPECT TO SAFETY AND PRIVACY (FROM RACE METHOD [18]).
Severity SA   Safety SS                          Privacy SP
0             No injuries                        No unauthorized access to data
1             Light injuries                     Access to anonymous data
2             Severe injuries, with survival     Identification of vehicle or driver
3             Life threatening, possible death   Driver or vehicle tracking
Table IV
ATTACK SEVERITY WITH RESPECT TO FINANCIAL AND OPERATIONAL LOSSES (FROM RACE METHOD [18]).
Severity SA   Financial SF (in $)    Operational SO
0             0 < loss < 100         No impact on performance
1             100 < loss < 1000      Impact not detected by driver/system
2             1000 < loss < 10000    Driver/system aware of performance degradation
3             loss > 10000           Significant impact on performance
Several authors argue that to compute the final attack severity value, S, we need to consider the attack intensity I, as in the TVRA and RACE methods [17] [18]. Attack intensity is important in C-ITS risk analysis, since the attack severity value differs depending not only on the number of attack instances but also on the number of targeted vehicles [18]. Thus, we include the intensity value in computing the total attack severity S. The intensity ranges from 0 to 2, where 0 corresponds to a single attack instance, 1 to a moderate number of attack instances on one vehicle or one attack on a moderate number of vehicles, and 2 to a large number of attack instances on many vehicles. The total attack severity, S, is computed as S = SA + I, truncated to 3 if S > 3 (as in the RACE method [18]).
3) AV automation level: The driving automation level of an AV is another important factor that has to be considered during risk analysis. As the automation level increases, the share of driving tasks controlled by the system increases, while the role of the human driver diminishes (see Section II-A for more details). Thus, the risk analysis has to be performed for all automation levels at which an AV is expected to operate.
The driving automation level L is considered in neither the EVITA nor the RACE method. However, we took it into account in the US2 method [7], where we grouped the automation levels into three groups: low (levels 1 and 2), medium (level 3), and high (levels 4 and 5). The same groups are used in this approach.
4) Cybersecurity risk values: Using the attack's total severity S, potential P, and vehicle automation level L values, we can define the Cyber Security Risk Level (CSRL), as shown in Table V. CSRL values 0-3 indicate that the risk is minor, so there is no primary need for security countermeasures. CSRL values 4-5 represent major risks, for which countermeasures should be applied. Finally, CSRL values 6-7 indicate critical risks, which should be minimized with the highest priority.
In the EVITA and RACE methods, a controllability factor C is added to the risk evaluation of attacks that cause safety losses (SS > 0). However, controllability is part of safety risk analysis and of the determination of the ASIL level, as described in Section III. Thus, instead of including controllability in the cybersecurity risk analysis, we integrate the cybersecurity and safety risk analysis processes. In this way, the controllability of attacks that cause safety losses is assessed using ISO 26262. See Section IV-B for more details.
Table V
CYBER SECURITY RISK LEVEL (CSRL).
Total Severity S   Automation Level L   Potential P
                                        0   1   2   3
1                  Low (1-2)            1   1   2   3
1                  Medium (3)           1   2   3   4
1                  High (4-5)           2   3   4   5
2                  Low (1-2)            2   2   3   4
2                  Medium (3)           2   3   4   5
2                  High (4-5)           3   4   5   6
3                  Low (1-2)            3   3   4   5
3                  Medium (3)           3   4   5   6
3                  High (4-5)           4   5   6   7
B. Integration of C-ITS security and safety risk analysis
The SAE J3061 standard [11] emphasizes that although the automotive safety and cybersecurity analysis processes can be performed separately, they need to communicate with each other in order to maintain consistency and completeness between them. This can be done via communication links between the various phases of the safety and cybersecurity processes. One such link has to be established between the safety and cybersecurity risk analysis phases, since cybersecurity vulnerabilities may lead to the violation of safety goals. However, SAE J3061 [11] does not provide details on how to establish these links.
Figure 5. Integration of C-ITS safety and cybersecurity risk analysis. (Flow diagram; recoverable content: the C-ITS safety risk analysis column (ISO 26262) runs Hazard identification -> Hazard risk analysis -> Hazard ASIL levels -> Safety requirements; the proposed C-ITS cybersecurity risk analysis column runs Threat identification -> Threat risk analysis -> Attack CSRL levels -> Security requirements, with the threat risk analysis branching into safety, privacy, financial, and operational losses; the safety losses feed back into Hazard identification, and the safety and security requirements meet in an Integrated requirement analysis step.)
We integrate the C-ITS safety and cybersecurity risk analysis processes as shown in Fig. 5. Both processes are performed in parallel, and there are two communication links between them:
• The first communication link is from the cybersecurity threat risk analysis step to the safety hazard identification step. This link is needed in situations where an attack can cause safety losses SS, as described in Section IV-A. In such cases, the information about the possible safety losses due to an attack is transferred to the safety analysis process, where the hazards related to the attack are identified and analyzed and their ASIL levels are determined;
• The second communication link is between the safety and security requirements, which are defined based on the ASIL and CSRL levels. At the end of the safety and cybersecurity risk analysis phases, the safety and security analysts have to work together and review all the requirements to ensure their completeness and consistency.
The integrated C-ITS safety and security analysis process
enables comprehensive analysis of C-ITS risks.
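The scoring described in Section IV (attack potential from Table II, total severity S = SA + I truncated to 3, CSRL from Table V) and the first communication link of Section IV-B (an attack with SS > 0 handed to the ISO 26262 HARA lookup of Table I) can be run end to end with the following added example. It is not code from the paper or from the US2 work: the table contents are transcribed from Tables I, II, and V above, while the sample threats and their K/R/severity/intensity values, the one-to-one mapping of Table III safety levels onto ISO 26262 S1-S3, and the CSRL = 0 score for an attack that causes no loss at all are assumptions made for illustration.

```python
# Added worked example, not code from the paper or the US2 project: it encodes
# Tables I, II and V, the severity rule S = min(3, SA + I), and the first
# communication link of Section IV-B (an attack with SS > 0 is handed to the
# HARA step, where the safety analyst supplies exposure E and controllability C).
from dataclasses import dataclass
from typing import Optional

# Table I (ISO 26262 HARA): ASIL_TABLE[S][E] lists the ASIL for C0..C3.
ASIL_TABLE = {
    1: {1: "QM QM QM QM", 2: "QM QM QM QM", 3: "QM QM QM A", 4: "QM QM A B"},
    2: {1: "QM QM QM QM", 2: "QM QM QM A", 3: "QM QM A B", 4: "QM A B C"},
    3: {1: "QM QM QM A", 2: "QM QM A B", 3: "QM A B C", 4: "A B C D"},
}

# Table II: attack potential P for every (K, R) combination.
POTENTIAL_TABLE = {
    (2, 2): 0,
    (2, 0): 1, (0, 2): 1, (1, 2): 1, (2, 1): 1,
    (1, 1): 2, (0, 1): 2, (1, 0): 2,
    (0, 0): 3,
}

# Table V: CSRL_TABLE[S][automation group] lists the CSRL for P = 0..3.
CSRL_TABLE = {
    1: {"low": [1, 1, 2, 3], "medium": [1, 2, 3, 4], "high": [2, 3, 4, 5]},
    2: {"low": [2, 2, 3, 4], "medium": [2, 3, 4, 5], "high": [3, 4, 5, 6]},
    3: {"low": [3, 3, 4, 5], "medium": [3, 4, 5, 6], "high": [4, 5, 6, 7]},
}


@dataclass(frozen=True)
class Threat:
    name: str
    knowledge: int         # K: 0 none, 1 basic, 2 comprehensive
    equipment: int         # R: 0 none, 1 standard, 2 specialized
    ss: int                # safety severity, Table III
    sp: int                # privacy severity, Table III
    sf: int                # financial severity, Table IV
    so: int                # operational severity, Table IV
    intensity: int         # I: 0 single instance ... 2 many instances on many vehicles
    automation_level: int  # SAE J3016 level at which the AV operates


def asil(severity: int, exposure: int, controllability: int) -> str:
    """ISO 26262 ASIL lookup (Table I); S in 1..3, E in 1..4, C in 0..3."""
    return ASIL_TABLE[severity][exposure].split()[controllability]


def automation_group(level: int) -> str:
    """US2 grouping of automation levels: 1-2 low, 3 medium, 4-5 high."""
    if level in (1, 2):
        return "low"
    if level == 3:
        return "medium"
    if level in (4, 5):
        return "high"
    raise ValueError(f"automation level {level} is outside the 1-5 range covered by the method")


def attack_potential(knowledge: int, equipment: int) -> int:
    """Table II lookup."""
    return POTENTIAL_TABLE[(knowledge, equipment)]


def total_severity(t: Threat) -> int:
    """SA is the highest loss-type severity; S = SA + I truncated to 3 (RACE rule)."""
    sa = max(t.ss, t.sp, t.sf, t.so)
    return min(3, sa + t.intensity)


def csrl(t: Threat) -> int:
    """Table V lookup. Assumption: an attack causing no loss at all (S = 0)
    scores 0, since Table V has no S = 0 row."""
    s = total_severity(t)
    if s == 0:
        return 0
    group = automation_group(t.automation_level)
    return CSRL_TABLE[s][group][attack_potential(t.knowledge, t.equipment)]


def csrl_class(value: int) -> str:
    """Section IV-A.4: 0-3 minor, 4-5 major, 6-7 critical."""
    if value <= 3:
        return "minor"
    return "major" if value <= 5 else "critical"


def analyze(t: Threat, exposure: Optional[int] = None,
            controllability: Optional[int] = None) -> dict:
    """Score one threat and, if it causes safety losses, run the HARA hand-off.

    Assumption: Table III safety severities 1..3 are mapped one-to-one onto
    ISO 26262 S1..S3 (the paper parallels the scales but states no mapping)."""
    level = csrl(t)
    result = {"threat": t.name, "P": attack_potential(t.knowledge, t.equipment),
              "S": total_severity(t), "CSRL": level, "class": csrl_class(level),
              "ASIL": None}
    if t.ss > 0:
        if exposure is None or controllability is None:
            raise ValueError("attack causes safety losses: HARA needs exposure E and controllability C")
        result["ASIL"] = asil(t.ss, exposure, controllability)
    return result


# Constructed sample threats (illustrative values, not taken from the paper).
SPOOFED_STATUS = Threat("spoofed status data received over V2X", 1, 1, 2, 0, 1, 2, 1, 4)
VEHICLE_TRACKING = Threat("vehicle tracking via V2X identifiers", 0, 1, 0, 3, 0, 0, 0, 2)
C_CU_TAMPERING = Threat("physical tampering with a C-CU", 2, 2, 1, 0, 0, 0, 0, 3)

if __name__ == "__main__":
    for threat, e, c in ((SPOOFED_STATUS, 3, 2), (VEHICLE_TRACKING, None, None),
                         (C_CU_TAMPERING, 4, 1)):
        print(analyze(threat, e, c))
```

Running the module prints the three scored threats. analyze() refuses to score a safety-loss attack without exposure and controllability, which mirrors the paper's point that these two factors belong to the safety process, not the cybersecurity one.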
V. CONCLUSIONS
This paper presents a method for integrated C-ITS safety
and cybersecurity risk analysis. It takes into consideration
automotive safety and cybersecurity standards ISO 26262
and SAE J3061, and utilizes the elements of the previously
proposed methods US2, EVITA, TVRA, and …
1540-7993/19©2019IEEE Copublished by the IEEE Computer and Reliability Societies March/April 2019 39
ADOPTION DYNAMICS OF IoT PRODUCTS
Cyber risk for buyers is a major obstacle to broad adoption of the Internet of Things (IoT). Using a system
dynamics approach, we conducted a case study of a connected lighting product to understand how
cybersecurity influences IoT adoption.
The research in this article was conducted to better understand the mechanisms by which cybersecurity will influence IoT technology adoption. By focusing on innovation and marketing to power the growth of
a product, there may be unintended consequences for
security, such as leaving the product vulnerable to hack-
ing. For developers, there is a strong tension between
prioritizing product usability and product security, and
their responses to the following questions about these
new issues will shape the future marketplace. What
standards will emerge for the IoT products? How will
they prove their security to the market? Will a few key
players dominate the market, or will it remain highly
fragmented with a high firm entry and exit?
Despite the growing literature on cybersecurity, the
direct mechanisms by which it may influence IoT adop-
tion have not been studied. Given the IoT’s unique vul-
nerabilities and relative infancy in the marketplace, it is
unclear how a cyberincident could impact consumers’
willingness to adopt it. Will IoT products experience the
rapid “hockey stick” growth exhibited by tech companies
such as Facebook? (See the green line in Figure 1.) On
the other hand, could publicized cyberincidents hamper
the growth of an IoT product to an extent that it never
gets off the ground? (See the “Start-and-Fizzle” red dot-
ted line in Figure 1.) Is the reality somewhere between
these two extremes? (See the “Still Successful” and “Par-
tially Successful” red dotted lines in Figure 1.) Also, will
growth occur for the market as a whole, or will a few dom-
inant players emerge? If the latter occurs, will those play-
ers be mature companies or start-ups? An example of a
cyberincident’s effect on product sales is the “My Friend
Cayla” doll. After a feature of the doll (voice transmission
to a U.S.-based voice recognition company) was found
to be vulnerable to independent and possibly malicious
hackers, it received a “trash it” recommendation from the
German telecommunication regulator.1
We performed a case study of IoT product development for commercial building applications. Our subject was a connected lighting product at a large electronics company, which we analyzed using a system dynamics approach. This approach generates a framework that IT executives at supplier companies can use in strategic decision making to better understand what consequences—both intended and unintended—may arise from the choices they make during IoT product development. We refer to customer organizations as adopters and organizations that produce IoT products as suppliers. Without this systematic perspective, supplier decision makers might focus on a component of the system (e.g., innovation) and optimize it locally to achieve suitable outcomes and grow in the market. However, when feedback mechanisms from other components of the system are activated (e.g., cyber risks), the initially successful strategies may not only become ineffective but may actually damage their position in the marketplace. Therefore, it is essential to take a systematic approach by looking at the big picture and analyzing the components of the systems and their interconnections.
The Internet of Things Promises New Benefits and Risks
A Systematic Analysis of Adoption Dynamics of IoT Products
Mohammad S. Jalali, Jessica P. Kaiser, Michael Siegel, and Stuart Madnick | Sloan School of Management, Massachusetts Institute of Technology
Digital Object Identifier 10.1109/MSEC.2018.2888780
Date of publication: 2 April 2019
This article proceeds in two sections. In the first, we provide an overview of the concepts we explored in our case study and model. We begin with an overview of the IoT. We then explain the basics of diffusion models, particularly the risk–reward ratio, a concept that our research showed to greatly influence IoT technology purchase decisions. Next, we describe current cybersecurity standards for technology purchase decisions. In the second section, we enter the case study, describing the IoT product market studied and then the model derived from our research and its implications. Four cybersecurity-related guidelines that managers can use to influence the market adoption of IoT products are included in “Cybersecurity-Focused Guidelines for Robust and Resilient Market Adoption.”
Overview of Concepts
Introduction to the IoT
“Connected systems are too big of an opportunity to miss because we have some jerks who are hacking into things.” —Potential IoT adopter
The goal of the IoT is to translate the physical world into digital signals, ripe for the improvements promised by faster communication and better analytics. Although there is no universally agreed-upon definition of the IoT, most definitions describe systems that collect data from the physical world on devices that process information [2]. The Internet Society provides a good summary that explores the benefits and challenges of the IoT [2]. The digital processes are often intended to produce kinetic effects and rely heavily on networking with other external devices. Declines in the cost of computing and simultaneous improvements in sensor performance and range make innovations possible. There is a range of settings for which the IoT might be deployed, ranging from the intimate (e.g., personal health data) to the massive (e.g., a connected system of street lights, parking meters, transit, and autonomous vehicles that could be used to collect useful municipality data and optimize the delivery of city services to citizens). The potential value generated by the IoT is estimated to be at least US$3.9 trillion and possibly up to US$11.1 trillion by 2025, with the higher estimate representing 11% of projected global gross domestic product in the same year [3].
One of the greatest obstacles to broad market adoption of IoT technology is the buyers’ fear of cyber risk, both real and perceived. The Open Web Application Security Project [4] described IoT technologies as having three unique weaknesses with regard to cybersecurity: a large number of endpoints, inconsistent protocols, and physical safety concerns. There are currently no mechanisms that could manage consistent endpoint security for a system that is so vast. Additionally, the diversity of standards across the IoT defrays the responsibility of any single actor in the technology chain for security. As of now, there are two commercially available certification programs for IoT security, one from Underwriters Laboratories and one from ICSA Labs, an independent division of Verizon (New York). Both were launched in 2016 and have been met with some skepticism, as noted in an article in The Register [5]. Because the IoT represents a linked set of physical devices, it gives malicious actors the opportunity to move their criminal activities—previously confined to cyberspace—into the physical world.

Figure 1. A range of product adoption curves in response to a cyberincident. A better understanding of how a breach may affect product adoption can guide managers who are making security investment decisions early in a product’s development. [Figure: number of adopters versus time (year), with the product introduction and a later cyberincident marked; curves labeled “Great Growth; No Impact of Cyberincident,” “Still Successful,” “Partially Successful,” and “Start and Fizzle...”]
These characteristics of IoT cybersecurity are not merely pedantic; they are being exploited. A large-scale, distributed denial-of-service (DDoS) attack that took place in 2016 exemplifies this exploitation. In the time leading up to the attack, AT&T tracked a 400% increase in scans of IoT ports and protocols [6]. The attackers took advantage of mostly unaltered default passwords across a huge number of IoT devices to hobble the critical infrastructure of the Internet. Attacks like this have also been documented in private organizations, where a large quantity of nodes is used to overwhelm a network with traffic.

Finally, both individual and organizational adopters of the IoT have concerns about its security and privacy implications. The 2015 Icontrol State of the Smart Home study found that more than 40% of Americans were very concerned about the possibility that their information could be stolen from their smart homes [7]. Furthermore, potential regulators in the Federal Trade Commission have noted that such concerns may prevent IoT technologies from reaching their full potential, although it is not clear how these concerns alter consumers’ purchases [8]. In industries that have an increased exposure to technology, such as banking, defense, and health care, security concerns are heightened.
Basics of the Diffusion Model of Technology
One of the most influential adoption models in technology products is the Bass diffusion model. Our framework expands on this model by including the influence of additional market factors related to cybersecurity; however, understanding our new model requires a review of the original Bass diffusion model. Diffusion describes the process by which an innovation spreads and explains the typical S curve seen with product adoption. The S curve describes how the user base is small to start, then increases as adoption increases, and eventually approaches the limit of the potential market.
Cybersecurity-Focused Guidelines for Robust and Resilient Market Adoption
To increase their market size and keep their market resilient to cyberincidents, Internet of Things (IoT) product managers should consider these four guidelines, which we compiled through our case study partner and which were built by our model.
1. Invest in cybersecurity capabilities from product design to sales to ongoing support: Cybersecurity expertise is required not only to build secure products and processes, but to explain them to customers. As cybersecurity becomes a top-of-mind concern for most customers, it will become more important to have cybersecurity experts at every customer touchpoint. These experts can address concerns, prevent and detect threats, and respond to incidents. Additionally, organizations must have a detailed incident-response plan with clear actions and owners. Make sure transferring ownership is a part of succession planning and conduct regular reviews of the response plan to ensure that it remains up to date.
2. Measure and monitor your product’s risk–reward ratio: The risk–reward ratio measures the benefits and risks of adopting a new technology and can help developers understand the potential impact of a cyberincident on market adoption. It can also guide investment decisions as you develop the product or its new features. The risk–reward ratio of IoT products has a dynamic mechanism and changes over time, so be sure to measure and monitor it regularly.
3. Capture data at the granularity level that shows measurable benefits for customers, and no lower: The benefits of many IoT technologies cannot be fully realized without granular data capture and processing. If it is too granular, however, two things happen: 1) cyber-risk exposure increases considerably and 2) the product’s benefits become more difficult to understand and capture. In both cases, market adoption slows. When expanding into new market features requires more granular data, partner with firms with strong analytic capabilities and data-protection practices for case studies that show measurable benefits.
4. Take responsibility for security along your technology supply chain, up to the last mile: If you choose to develop on a platform, choose a platform that has a reputation for strong security. If you develop your own platform, work with third-party companies to certify its safety. If creating hardware, buy it from manufacturers with certifications and reputations to uphold. Only allow customers to customize the final layer of the product to ensure that built-in protections cannot be overridden.
It has been observed in the diffusion of many diverse innovations, such as electricity, the washing machine, and most recently social media networks such as Facebook (shown with the green line in Figure 1).

Vernardakis [9] grounds the underlying Bass diffusion model on an understanding of the diffusion process as an epidemic. The innovation spreads through information exchange, and the time lags between potential users and installed users explain the observed S curve. In addition to potential users and installed users, some entities (firms or individuals) learn about the innovation but do not adopt it. This suggests that there is an adoption process that includes the awareness, consideration, opinion formation, and implementation phases.

A crucial variable in diffusion models is the speed of diffusion, which several factors affect. A critical factor that affects the speed of diffusion is the relative advantage the innovation provides. The relative advantage is the amount by which the innovation improves upon previous circumstances. The number of potential adopters is another such factor, as a larger number creates more opportunities for sharing information about the innovation. The information channels and the supplier’s ability to affect these channels are also powerful forces affecting information transmission.

A feature of the Bass diffusion model is that it leads to “winner-take-most” scenarios because only an information exchange is needed to catalyze the innovation adoption process. Systems scientists have defined the tipping point as the point at which adoption begins to grow so quickly that one supplier can become market dominant simply by riding a wave of rapid adoption. Standards play an important role in innovation diffusion because they demonstrate that a product is compliant, and compliance reduces the friction and delays that would otherwise present themselves during the opinion formation stage. Many supplier companies compete to become the standard in their industry and thus reach the tipping point.

Krishnan et al. [10] show that additional products entering an innovation marketplace late can increase the speed of diffusion, although the evidence is mixed with regard to how this impacts the incumbent’s market share. For start-ups, this is a powerful incentive to enter the marketplace, as a small start-up can capture sales growth by accelerating the speed of diffusion for the overall technology. For both mature companies and start-ups, this presents a conundrum in regard to developing standards. It might be better to achieve immediate revenue by adopting another company’s standard and reducing decision friction for customers. However, if a firm can create its own standards, it might be able to prevent other firms from entering the marketplace and thus reduce competitors’ market share.
The Risk–Reward Ratio: The IoT’s Relative Advantage to the Status Quo
“[Cybersecurity] is more a concern for late-majority adopters.” —Product manager
Within the context of IoT technologies, a product gains an advantage if connecting an object to a network improves the adopter’s operations. The data that IoT devices produce is often what creates the relative advantage. In our research, we call this the risk–reward ratio, noting that as the granularity and utility of data produced by an IoT product increase, security and privacy risks increase as well. With many firms eager to capitalize on data, a cursory glance may suggest that an IoT product’s relative advantage would be enormous because some data must be better than no data. However, not every IoT product is adopted as quickly as expected. Although many individuals are installing connected thermostats, few are connecting their microwaves, and connecting stove knobs is unheard of despite the benefit that acquiring cooking data could bring. As we will explore, in the case of commercial building operators, businesses have adopted connected heating, ventilation, and air-conditioning (HVAC) systems more quickly than they have adopted connected lighting, despite the cost-savings benefits of both products. Therefore, it must be the case that there are drawbacks to an IoT product, decreasing its relative advantage.

These are just two examples of IoT products in building technologies. Other examples could be in plumbing or in physical security. Connecting these infrastructures can provide multiple benefits, most frequently the central control and visibility that allow building managers to manage their use and maintenance more efficiently. We will discuss more benefits for connected lighting systems (CLS) in particular over the course of this article. We summarize the effects of the risk–reward ratio on adoption in Figure 2 and discuss this framework more in our case study in the “Adoption of Connected Lighting Systems” section.
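The following is an added, constructed illustration of the ideas above (Bass diffusion plus a cyberincident whose damage scales with the product’s risk–reward ratio); it is not the authors’ system dynamics model, and the shock heuristics, coefficients and outcome thresholds are assumptions chosen to reproduce the family of curves sketched in Figure 1.

```python
"""Bass diffusion with a cyberincident shock: a constructed illustration of the
adoption curves sketched in Figure 1, not the authors' system dynamics model.

Assumptions (mine, not the article's): adoption follows the discrete Bass
model, new adopters per step = (p + q * A / M) * (M - A); a cyberincident at
incident_year weakens word of mouth (q), removes part of the remaining market
potential, and makes some adopters abandon the product; the size of each effect
scales with the product's risk-reward ratio (risk dominates reward above 1)."""

from dataclasses import dataclass


@dataclass
class Product:
    name: str
    p: float            # coefficient of innovation (external influence)
    q: float            # coefficient of imitation (word of mouth)
    market: float       # potential market M
    risk_reward: float  # risk-reward ratio; 0 = no cyber risk, >= 1 = risk dominates


def incident_effects(risk_reward):
    """Map the risk-reward ratio to the three shock parameters (heuristic)."""
    severity = min(1.0, max(0.0, risk_reward))
    q_factor = 1.0 - 0.9 * severity    # share of word-of-mouth strength retained
    market_loss = 0.8 * severity       # share of the untapped market lost
    churn = 0.5 * severity             # share of current adopters who abandon
    return q_factor, market_loss, churn


def simulate(product, years=10, steps_per_year=12, incident_year=None):
    """Adopters at the end of each year; index 0 is the product introduction."""
    dt = 1.0 / steps_per_year
    adopters, market, q = 0.0, product.market, product.q
    curve = [0.0]
    for step in range(1, years * steps_per_year + 1):
        t = step * dt
        if incident_year is not None and abs(t - incident_year) < dt / 2:
            q_factor, market_loss, churn = incident_effects(product.risk_reward)
            q *= q_factor
            market -= market_loss * (market - adopters)
            adopters *= 1.0 - churn      # leavers return to the potential pool
        new_adopters = (product.p + q * adopters / market) * (market - adopters) * dt
        adopters = min(market, adopters + new_adopters)
        if step % steps_per_year == 0:
            curve.append(adopters)
    return curve


def classify(product, incident_year, years=10):
    """Label the post-incident trajectory with the outcome names used in Figure 1,
    by comparing final adoption with the same product's incident-free run."""
    baseline = simulate(product, years)[-1]
    shocked = simulate(product, years, incident_year=incident_year)[-1]
    ratio = shocked / baseline
    if ratio >= 0.9:
        return "Great growth; no impact of cyberincident"
    if ratio >= 0.65:
        return "Still successful"
    if ratio >= 0.3:
        return "Partially successful"
    return "Start and fizzle"


if __name__ == "__main__":
    # Constructed parameters: same diffusion dynamics, different risk-reward ratios.
    for rr in (0.0, 0.3, 0.6, 1.0):
        product = Product("CLS-like product", p=0.03, q=0.4, market=1000.0, risk_reward=rr)
        final = simulate(product, incident_year=3)[-1]
        print(f"risk-reward {rr:.1f}: {final:7.1f} adopters after 10 years -> "
              f"{classify(product, incident_year=3)}")
```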
Figure 2. The adoption of the IoT based on risk and reward. [Figure: a risk-versus-reward matrix with four quadrants. High risk, low reward: no adoption. High risk, high reward: variable adoption, affected by cyberincidents. Low risk, high reward: high adoption. Low risk, low reward: low adoption.]
Cybersecurity Standards in Technology Adoption Decisions
It is valuable to review how practitioners assess the security risk in technology when making purchasing decisions. However, because cybersecurity as a discipline is evolving rapidly, practitioners have not yet arrived at consistent, universal standards for evaluating cybersecurity risks. The National Institute of Standards and Technology (NIST) Cybersecurity Framework, born out of a 2013 Executive Order and now in Draft Version 1.1, is the leading framework that has emerged. It provides high-level direction on steps that organizations should take to improve cybersecurity iteratively, steps that an organization would use to adopt a new technology. They roughly align with the adoption process that we discussed in the “Basics of the Diffusion Model of Technology” section.

One critique by IoT adopters is that no standards currently define the market. Suppliers, however, have a mixed perspective. Although the lack of standards is a possible strategic advantage, particularly for start-ups because it is easier to enter the market, the lack of standards also makes it difficult to articulate to adopters how to manage cyber risk. The NIST framework is technology neutral precisely because no standards yet exist. The government has been ineffective in creating and enforcing standards for the technology industry, leaving it instead to private players. Taken together, these facts suggest that we are early in the adoption process of the IoT, before the winner-take-most effect takes hold in the marketplace. The current market presents a potentially lucrative opportunity for IoT suppliers, start-ups, and incumbents alike.
Adoption of Connected Lighting Systems
Case Study Approach to Effects of Cybersecurity on CLS Adoption
“Right now, [customers] can’t see the reward [of IoT]. We can’t install products. We can’t show the benefits because we don’t meet their cybersecurity requirements.” —Sales representative
Although there is research on cybersecurity, the IoT, and technology adoption individually, research that articulates how each contributes to overall market adoption is lacking. In this article, we approach cybersecurity and IoT adoption from a systems science perspective. We interviewed practitioners from the security, product, marketing, and sales departments of a large electronics company that produces an IoT lighting product. We also interviewed potential adopters and experts in the industry. From these interviews, we describe the benefits and risks associated with the IoT lighting product and a connected HVAC product that is closely associated with lighting. Based on their articulation and a comparison of the risk–reward ratios for both products, we use their responses to adjust the typical Bass diffusion model to include cybersecurity-related variables. Next, we use this model to articulate implications that reflect what impact cyberincidents may have on an IoT product market. Finally, we use these implications to outline four cybersecurity-related guidelines that managers can use to encourage adoption of their IoT products.
CLS: Product Benefits
“People are clear on the rhetoric of IoT, but not what value it delivers.” —Manager for lighting products
CLS are one of a few building infrastructures that can be transitioned to the IoT because: 1) they are a point of frequent interaction for building occupants; 2) there is a large number of nodes, and light bulbs are good candidates for granular data collection; and 3) there is an opportunity for personalization, as lighting preference is highly individualized. Connecting lighting systems to a network can provide both local and central control, making it easier to provide personalization and energy savings simultaneously.

Lighting systems have already benefitted from innovations that have recouped significant cost savings without transitioning them to an IoT product. Two examples are occupancy sensors and LED light bulbs. Occupancy sensors turn lights on and off only when they are needed, without end-user intervention, and LED light bulbs require little maintenance.

When describing the benefits of CLS, interviewees used the “US$3–US$30–US$300 rule” to describe the value opportunity of CLS. No external source was found to validate this rule. Connecting lighting alone represents an energy-efficiency cost-savings opportunity of only US$3 per square foot per year, but space optimization represents US$30 and employee productivity an additional US$300 per square foot per year in savings opportunities. This rule is derived from ex post facto analysis and has not been verified empirically.

Connected light bulbs can detect that a company uses a conference room only 20% of the time while employees use desks outside the conference room 100% of the time. These data could signal that the space is underoccupied and that the company could use the conference room space more efficiently. Also, consider an office building that has an “open desk” policy, in which employees are not assigned to desks and can use any open space. Motion sensors on light bulbs can detect which desks employees are using, allowing IT systems to direct employees to an available desk when they enter the building. Practitioners believe that occupancy data and space-saving systems such as these represent a US$30 per square foot per year cost-saving opportunity.
The ultimate goal of CLS for commercial applications lies in collecting data about productivity that occurs under the light bulbs. Practitioners note that lighting has a strong physiological and psychological effect on workers, so a CLS could adjust the hues and saturation of light to create a personalized environment to complement an employee’s work style and thus generate additional productivity for a firm. If implemented correctly, interviewees believe that this application represents an enormous cost-savings opportunity of US$300 per square foot per year.
For home rather than business adopters, the US$3–US$30–US$300 rule is believed to apply directionally. However, adopters are unlikely to attempt to justify their purchase by quantifying the benefits without the resources of a larger organization. Instead, the product’s relative advantage depends on how important customizing lighting hues and saturation in a home environment is to a customer. Given the lack of case studies or empirical data supporting the rule, the underlying theory has not been proven, which makes the relative advantage of CLS confusing to both home and business adopters.

The confusion regarding the benefits of CLS is in contrast to connected HVAC systems, another building system that has been connected to the IoT. Compared with HVAC systems, which represent about 44% of energy costs in commercial buildings, lighting systems represent only about 10% of a building’s energy costs [12]. Because HVAC systems contribute such a large portion of a building’s energy bill, and components such as chillers are more expensive to maintain proactively, connecting HVAC systems to the IoT presents immediate and easily quantifiable benefits to the adopter. Interviewees felt that the rewards of connected HVAC systems are easy to measure. This means that the relative advantage is more apparent to adopters than the relative advantage of CLS. However, they felt that CLS offered potentially higher rewards that were simply more difficult to quantify.
Potential Cyber Risks of CLS
“It’s so complicated that to minimize the risk, we just don’t network the lighting system… it’s slowed us and the market.” —Director of infrastructure operations responsible for over 150 networked buildings
When describing the features of CLS most often considered prior to adoption, an important yet confusing aspect is its “cybersecurity” component. Interestingly, only one feature of CLS presents a cyber risk that is unique to lighting, yet interviewees are more concerned about the cyber-risk exposure of CLS than about the cyber-risk exposure of HVAC. (See Table 1 for a list of features and their achievements across CLS.) We propose four possible explanations for this discrepancy.
1. CLS has orders of magnitude more nodes than HVAC (e.g., multiple light bulbs in a room versus one control panel on a floor), which makes it more difficult to manage endpoint security.
2. The cost of a single point of failure or overload for CLS is much lower than for other building systems (e.g., less than US$100 for a light bulb, versus thousands of dollars for a chiller).
3. Potential adopters did not have the internal analytic capabilities, including sufficient data security and privacy protection, to leverage the space optimization and productivity benefits of CLS.
4. The product and its associated service do not meet the cybersecurity standards of the adopting organization.

Table 1. Feature-exploit analysis of connected building infrastructure (e.g., CLS and HVAC).

Feature: Personalization (e.g., color or temperature control)
  Value: greater occupant satisfaction and productivity
  Exploit: ability to create annoyance, harassment, or physical discomfort; ability to overload output for physical damage

Feature: Wireless control system
  Value: insight into energy, occupant utilization, and component use; integration to improve efficiency and occupant satisfaction
  Exploit: ability to access core IT for espionage or use in illegal activities; packet sniffing, replay, trashcan, social engineering, and others

Feature: Central and local control
  Value: balance between energy use and occupant comfort; greater ease of use
  Exploit: potential for DDoS attacks through nodes; opportunity to sabotage or interfere with operations through ransomware

Feature: Occupancy sensor
  Value: greater ease of use; space optimization; coordinated responses; energy efficiency
  Exploit: passive surveillance; maximization of damage during kinetic attacks; minimized risk of being caught (e.g., burglary)

Feature: Power over Ethernet
  Value: lower installation costs; energy reporting
  Exploit: potentially easier to disrupt; limited security literature

Only the power over Ethernet is unique to CLS.
In connected building infrastructures, it …
Risk Analysis, Vol. 39, No. 9, 2019 DOI: 10.1111/risa.13269
A Robust Approach for Mitigating Risks in Cyber Supply Chains
Kaiyue Zheng (1) and Laura A. Albert (2, *)
In recent years, there have been growing concerns regarding risks in federal information technology (IT) supply chains in the United States that protect cyber infrastructure. A critical need faced by decisionmakers is to prioritize investment in security mitigations to maximally reduce risks in IT supply chains. We extend existing stochastic expected budgeted maximum multiple coverage models that identify “good” solutions on average that may be unacceptable in certain circumstances. We propose three alternative models that consider different robustness methods that hedge against worst-case risks, including models that maximize the worst-case coverage, minimize the worst-case regret, and maximize the average coverage in the (1 − α) worst cases (conditional value at risk). We illustrate the solutions to the robust methods with a case study and discuss the insights their solutions provide into mitigation selection compared to an expected-value maximizer. Our study provides valuable tools and insights for decisionmakers with different risk attitudes to manage cybersecurity risks under uncertainty.
KEY WORDS: Cybersecurity; infrastructure risk mitigation; robust optimization
1. INTRODUCTION
Reliance on a global supply chain introduces enormous cybersecurity risks to the information technology (IT) in the United States, including risks due to counterfeit materials, malicious software, unqualified vendors, and poorly trained employees. Cybersecurity risks in the federal IT supply chains have increased dramatically in recent years (Director of National Intelligence, 2015; U.S. Government Accountability Office, 2013). According to a 2015 Government Accountability Office report (2015), the number of reported cyber incidents has increased 1,121% between 2006 and 2014. The White House (2013a, 2013b) proposed new policy directives for securing critical IT physical assets that reflect the awareness of the increasing concern of cyber security in critical infrastructure and for directing federal funding to develop mitigation approaches for global supply chain risk management (2015). There is great interest in studying how to prioritize the investment in security mitigations to balance cost and threat reduction, since federal agencies have a limited budget for selecting and deploying mitigations (Hamlet et al., 2015). Moreover, cyber risks stem from various sources, vary in their forms, and vary in their severity of impact, which makes these risks very difficult to assess and analyze (Edwards, Kao, Hamlet, Bailon, & Liptak, 2016). Effort has been made toward assessing the risks in federal IT supply chains (Hamlet et al., 2015; The White House, 2016). However, comprehensive security policies and mitigations have not been developed and implemented (U.S. Government Accountability Office, 2015). Therefore, there is a need to identify policies that systematically design cost-effective processes for reducing the risk introduced by supply chains.

(1) Amazon, Seattle, WA, USA.
(2) University of Wisconsin–Madison, Madison, WI, USA.
* Address correspondence to Laura A. Albert, Industrial and Systems Engineering, University of Wisconsin–Madison, Madison, WI 53706, USA; tel: +1-1-608-262-3002; [email protected]
2076 0272-4332/19/0100-2076$22.00/1 © 2019 Society for Risk Analysis
https://orcid.org/0000-0001-7079-4473
Federal organizations’ IT infrastructure relies on a complex network of third-party suppliers, and some attacks against IT networks originate in supply chains. Adversarial attacks in IT supply chains target weak links in the supply network, including activities involved in handling, distributing, manufacturing, and processing. For example, in one of the largest data breaches in the private sector, more than 40 million Target customers’ payment cards were stolen in 2013 after malware was introduced into the retailer’s point of sale (POS) system. The initial intrusion into Target’s main system can be traced back to a third-party heating, ventilation, and air conditioning (HVAC) vendor (supplier), where attackers exploited a vulnerability in its remote diagnostics and stole network credentials (Krebs, 2014). It is believed that another large retailer, Home Depot, which experienced credit card breaches in 2014, traced its initial security breach to a third-party vendor (Kirk, 2014). Automated teller machine (ATM) malware attacks in recent years are another example of a supply chain attack. In 2014, the so-called Tyupkin malware affected ATMs from a major manufacturer running Microsoft Windows’ 32-bit operating system and spread to several countries including Russia, the United States, India, and China (Kaspersky Lab, 2014). Federal IT infrastructure faces similar risks brought by the globalization and increasing sophistication of supply chains. Public information regarding federal supply chain attacks is limited due to confidentiality. One published incident is the data breach of the U.S. Office of Personnel Management (OPM) in 2015, when over 22 million federal employees’ information was hacked. Investigation shows that the attackers likely exploited the vulnerability in a third-party background-check provider, KeyPoint Government Solutions, by stealing credentials and inserting malware.
To reduce cyber risks in the supply chain, decisionmakers need to design a cost-effective process to support supply chain risk management to systematically prevent IT infrastructure from being exposed to new risks. This process supports policy-level decisions for reducing risk across the supply chain life cycle, not merely acquisition decisions. Examples of IT supply chain mitigations include replacing physical components of the IT infrastructure that contain vulnerabilities, replacing malicious or unqualified vendors, requiring tamper-proof components, establishing security policies or procedures, and training employees. The National Institute of Standards and Technology (NIST) provides guidance to federal agencies for identifying, assessing, and implementing risk management processes and controls to proactively manage supply chain risks (2015). This article explores how to operationalize these recommendations by formulating models that identify a set of security controls that are cost effective, reduce risk, and are robust to uncertainty or the role of adaptive adversaries. These security controls form the basis of a secure process to inform best practices. The process design decisions studied in this article are updated periodically, such as yearly, and are separate from response and recovery decisions, such as installing software updates to patch known software vulnerabilities, and real-time intrusion-detection decisions.
This article builds upon initial work in this area by Zheng, Albert, Luedtke, and Towle (2018), who propose deterministic and stochastic budgeted maximum multiple coverage models (MaxCoverage and MaxExpCoverage, respectively) that investigate how to identify the best combination of mitigations to maximize the coverage of vulnerabilities in the system with a layered defense. These models generalize the maximal covering location problem (Church & ReVelle, 1974) and the maximal expected coverage location problem (Daskin, 1983) by explicitly considering the steps taken to carry out a complete attack on system vulnerabilities. Accordingly, they model attacks as “attack paths,” each of which contains multiple nodes that represent the vulnerabilities (exploits) required to successfully carry out an attack. Attack paths are used to characterize the possible attacks against a system and identify protections against such attacks (Mauw & Oostdijk, 2006). An attack path could capture the threat of hardware delivered with malware installed on it after the hardware is intercepted from legitimate suppliers. Two of the possible vulnerability nodes on this attack path could represent stealing the hardware’s shipping information and breaching a cargo container shipping the hardware. Mitigations that prevent a vulnerability from being exploited are said to “cover” the vulnerability. Mitigations sometimes have overlapping capabilities and mutually affect the same vulnerabilities. Additionally, some mitigations do not prevent a vulnerability as expected and may “fail,” which occurs because cyber threats have evolved or subject matter experts (SMEs) do not manage to accurately assess the effectiveness of the mitigations (Edwards et al., 2016).
In the expected-value stochastic model (Max-
ExpCoverage), random variables characterize
two states of the mitigation coverage, effective
2078 Zheng and Albert
or ineffective. Zheng et al. (2018) show that the
stochastic solution tends to select mitigations that
cover vulnerabilities multiple times, so that they
are likely to remain covered in the case when
some mitigations are not effective as anticipated.
By maximizing the expected coverage over all
scenarios, MaxExpCoverage provides a solution
that performs well on average, i.e., a solution that
is satisfactory in most scenarios when uncertainty
regarding mitigation effectiveness arises. However,
an expected-value model like MaxExpCoverage
does not always provide solutions that prepare the
system against worst-case scenarios. It is possible
that a combination of mitigations could not prevent
vulnerabilities as intended and leaves the system
unacceptably vulnerable to a serious attack. As a
result, expected-value solutions might lead to actual
situations that are unacceptable for decisionmakers.
To address these limitations, we introduce and
compare three robust models that extend MaxExp-
Coverage to capture risk associated with uncertain
mitigation performance. A mitigation “fails” if it
is ineffective and does not in actuality cover the
vulnerability node. We model the effectiveness
of a mitigation covering a vulnerability node as a
binary random variable that is only known to the
decisionmaker through a probability mass distribu-
tion with a finite probability space or a finite set of
scenarios. Therefore, the mitigation uncertainty is
considered through the coverage functions. The goal
is to compare and contrast risk-based models for
cyber security planning in their ability to identify
robust ways to prioritize the selection of mitigations.
The models inform decisions regarding how to use
a budget to select a portfolio of mitigations that is
robust to worst-case failures over uncertainties in
the performance of the mitigations.
First, we consider two of the most common
robustness measures in a maximization context:
maximizing the minimal coverage across all sce-
narios, and minimizing the maximal regret across
all scenarios. Both measures are robust in that
they are “distribution-free” and focus only on the
worst-case performance of the system regardless of
the probability distribution that represents the un-
certainty. Regret is defined for each scenario as the
difference between the coverage of a solution in that
scenario and the coverage of the optimal solution
for that single scenario. This involves presolving the
problem for each individual scenario to obtain a
corresponding optimal solution, which can be seen
as the best strategy that would have been selected
if this realization of the future occurred. Therefore,
regret is often interpreted as the opportunity loss for
an uncertain future.
Moreover, we are interested in the conditional
value at risk (CVaR), a popular risk measure in
stochastic programming (Ahmed, 2006). CVaR is
defined as the expected loss in the α worst-case tail
of the loss distribution, initially proposed to quantify
the risk for loss in finance (Rockafellar & Uryasev,
2000, 2002). CVaR is coherent and computationally
tractable through linear programming techniques. In
our context, CVaR is the expected coverage in the
(1 − α) worst-case scenarios. Compared to max-min
coverage and min-max regret, the quantile-based
CVaR measure is less pessimistic, since it provides
solutions that are robust to the worst cases and
also captures the magnitude of the coverage in
the worst cases. Unlike maximizing the minimal
coverage and minimizing the maximal regret, CVaR
is not distribution-free. By varying the confidence
level α, the decisionmaker can select a solution
corresponding to different risk preferences, with
α = 1 being totally risk conservative and α = 0 being
totally risk neutral.
1.1. Literature Review
Robust optimization methodologies provide a
useful analytical framework for homeland security
applications given their practical advantages. Robust
methods typically require as input a set of realiza-
tions of the uncertain parameters, not an explicit
probability distribution as in stochastic optimization
and, therefore, robust methods have a clear advan-
tage in homeland security applications where many
of the model inputs rely on the estimation from the
SMEs who have limited knowledge of the problem,
its inputs, and associated probability distributions.
Robust optimization has been a powerful and
popular tool for decision making in different areas,
such as supply chain disruption planning (Snyder,
Scaparra, Daskin, & Church, 2006) and adversarial
risk analysis (McLay, Rothschild, & Guikema, 2012).
We refer to Bertsimas, Brown, and Caramanis
(2010) for a recent review on robust optimization
that highlights its computational tractability and
broad range of application, and Ben-Tal, Ghaoui,
and Nemirovski (2009) for a textbook treatment.
We include CVaR in our robust method frame-
work, since it also provides risk insights for a robust
decisionmaker who wants to maximize the per-
formance for a set of worst-case scenarios. Unlike
A Robust Approach for Mitigating Risks in Cyber Supply Chains 2079
robust optimization, CVaR requires an estimation
of probability distributions. Chen, Daskin, Shen, and
Uryasev (2006) apply CVaR to a facility location
problem where they compare the model and its com-
putational efficiency to earlier models that feature
an α-reliable min-max regret model (Daskin, Hesse,
& ReVelle, 1997) and demonstrate the advantage of
CVaR. Noyan (2012) incorporates CVaR in a two-
stage stochastic disaster preparedness management
problem, where a weighted sum of expected value
and CVaR is optimized to determine the facility lo-
cations, and their corresponding inventory levels are
determined under different types of uncertainties.
Our study similarly demonstrates the applicability of
CVaR in robust decision making.
Robust optimization methods have been applied
to coverage problems. Church, Scaparra, and Mid-
dleton (2004) propose and formulate an interdiction
covering problem (RIC) and interdiction median
problem (RIM) that identify the most critical fa-
cilities whose loss leads to the most damage to the
system. The facilities are analogous to mitigations
in our article. Scaparra and Church (2008a, 2008b)
extend the interdiction median problem to consider
a fortification layer that identifies the subset of
facilities to fortify to protect against worst-case
interdiction of the unfortified facilities. They formu-
late the interdiction-fortification model as a bi-level
defender–attacker Stackelberg game and identify a
tree search algorithm (2008a) and an interval search
algorithm (2008b) for solving the interdiction model.
Scaparra and Church (2012) introduce a tri-level
fortification and interdiction problem to inform
disaster mitigation planning. The interdiction papers
study a system’s vulnerability due to the worst-case
combination of failures, which could occur due to the
actions of an adversary. In contrast, in this article,
we consider mitigation failure scenarios that could
reflect uncertainty in the mitigations’ effectiveness
due to SME estimation errors, SME misperceptions
of the mitigations’ level of control, or the decision
of an adversary who selects a scenario instead of a
combination of mitigation failures.
1.2. Contribution
The central contribution of this article is to intro-
duce and assess models for managing risk associated
with cyber security planning decisions. These models
apply robust coverage models to a new application
area to inform supply chain risk management and
planning decisions that are cost effective and reduce
worst-case risks introduced by adversaries. We com-
pare three robust models that address uncertainty
in mitigation effectiveness that together form a risk
analysis framework for a robust decisionmaker, and
we compare these models to an expected coverage
model. The robust methods are more conservative
to worst-case risks than an expected-value maxi-
mization model, and thereby provide insight into
planning for the risks introduced by adversarial
attacks or disastrous events, which is important
in security applications like cyber security, where
incidents often lead to tremendous loss and damage.
The robust optimization models provide insight
into a defensive stance against adversarial attacks
by assuming the adversary (e.g., hackers, criminal
groups, nations, terrorists, etc.) is limited to select
the worst-case attack scenario(s). Earlier research
that applies expected coverage models to cyber secu-
rity planning problems does not consider the impact
of an adaptive adversary. Decisionmakers can gain
practical insights quickly from the robust methods
without the need to quantify the adversarial attacks
in cyber infrastructure, which can be very challenging
given lack of information (e.g., attacker profiles), or
solve two-stage interdiction models (Morton, 2010;
Smith, Prince, & Geunes, 2013; Scaparra & Church,
2008b), which can be computationally intensive.
Each robust method provides a different per-
spective into interpreting the worst-case response,
which can be employed by decisionmakers to eval-
uate the tradeoffs and select the solution that best
suits their goals. The robust model solutions provide
decisionmakers with a set of solutions, which is often
more useful in practice than a single “best” solution.
The first two worst-case robust methods, i.e., maxi-
mizing the worst coverage and minimizing the worst
regret, do not require an explicit distribution of the
uncertain parameters, which makes them practical
for homeland security problems. However, their
solutions are sensitive to the uncertainty scenarios
selected. The third robust method, maximizing the
expected coverage in the (1 − α) worst cases, can be
seen as a combination of the worst-case risk measure
and the expected-value measure. It allows decision-
makers the flexibility to obtain a solution with their
desired risk preference by adjusting α. Moreover, the
solutions are less sensitive to the uncertainty scenar-
ios selected, particularly for relatively small values
of α. This is advantageous in that it yields model so-
lutions that are useful for informing policy decisions.
We proceed as follows. In Section 2, we first
describe the MaxExpCoverage model in Zheng et al.
(2018) and introduce the robust coverage models
that maximize the worst-case coverage, minimize
the worst-case regret, and maximize the expected
coverage in the (1 − α) worst case, respectively.
In Section 3, we illustrate the model solutions and
insights with a case study. We provide additional
computational results conducted on a variety of
instances to further demonstrate the differences be-
tween proposed models and provide insight into the
types of solutions the models could yield in different
settings. In Section 4, we summarize the article.
2. THE ROBUST COVERAGE MODELS
In this section, we introduce and compare the fol-
lowing four models:
1. a model that maximizes the expected cover-
age across all scenarios, denoted MaxExpCov-
erage;
2. a model that maximizes the worst-case cover-
age across all scenarios, denoted MaxMinCov-
erage;
3. a model that minimizes the maximal regret
across all scenarios, denoted MinMaxRegret;
4. a model that maximizes the conditional ex-
pected coverage that does not exceed a
prespecified quantile level in the coverage
(CVaR), denoted MaxCVaR.
Attack scenario modeling is an important first
step in cyber security planning. In classic network
vulnerability analysis, SMEs construct attack trees
or attack graphs (Mauw & Oostdijk, 2006; Schneier,
1999) to characterize possible attacks and to identify
security controls to reduce risk. In the attack trees,
nodes represent attack states and arcs represent
transition of states completed by attack exploits. A
path from root to leaf corresponds to a likely attack
against the system. An attack tree is a powerful tool
to organize vulnerabilities in a system and to visual-
ize their dependencies. Attacks on IT supply chains
can be constructed in a similar manner, which also
corresponds to the recommendations of NIST (2015)
for a more structured approach to represent supply
chain threat scenarios. It is worth mentioning that
an extension of attack trees with countermeasures,
called the attack–defense trees, has been proposed
and formalized (Kordy, Mauw, Radomirović, &
Schweitzer, 2011). Kordy and Widel (2017) integrate
attack–defense trees with integer programming
to optimize the selection of countermeasures for
securing a system.
Cyber attackers exploit vulnerabilities in IT
supply chains and usually take several exploits to
achieve attack goals. In this article, we use attack
paths to represent supply chain attacks with multiple
nodes on each of them representing the attack steps
(exploits). Attack paths can be easily enumerated
from an attack tree. Input from collaborators sug-
gests that the size of attack trees for this application
is anticipated to be moderate, since there are limited
opportunities or access points for influence and
control in the supply chains under consideration.
Let $S$ be a set of attack paths recognized by SMEs, each of which contains a subset of vulnerability nodes $N_s$, $s \in S$, with $\bigcup_{s \in S} N_s = N$ the entire set of nodes. Some attack paths may have more strategic importance due to their potential consequences if successful and, therefore, we let $a_s$ capture the importance (weight) of attack path $s \in S$.
Let $M$ be the set of applicable mitigations identified by SMEs, and $M_n$ be the subset of mitigations that cover node $n \in N$. A vulnerability node is said to be protected if it is covered by at least one mitigation. A layered defense is achieved through multiple coverage of an attack path, i.e., covering different nodes in an attack path. We define a general coverage function $f_s(\cdot)$ to quantify the coverage of attack path $s \in S$ with respect to the number of nodes covered on it. We assume that it is nondecreasing and concave, since better security is achieved when more nodes are covered and the marginal benefit from covering more nodes is decreasing. Additionally, we associate each mitigation $m \in M$ with a cost $b_m$ that captures its deployment and implementation. Let the total budget for selecting mitigations be $B$.
Inputs for the models are based on SME elicitation. The attack paths can be constructed with the aid of SMEs, which yields $N$, $S$, $N_s$, $s \in S$, and $a_s$, $s \in S$. Similarly, the mitigations that control each node, $M_n$, $n \in N$, can be obtained through SME elicitation.
Coverage functions are desirable for this application,
since they reduce the SME data elicitation burden
while also capturing the most salient aspects of the
application. Coverage functions could be constructed
from relative risk scores based on data collected from
stakeholders and SMEs via questionnaires, where the
data reflect risk indicators such as control, exposure,
and criticality (Edwards et al., 2016). A coverage
function could be constructed from the data by exam-
ining how an improvement in any risk indicator over
a base level, which could be achieved by a mitigation
“covering” a node, would decrease the relative risk
score by, say, increased control over an entity or
step. Additionally, the risk scores are relative scores
and could therefore be mapped onto a coverage level
scaled between 0 and 1. The set of mitigations $M$, their costs $b_m$, $m \in M$, and total budget $B$ can be obtained from federal decisionmakers, managers, and experts who are familiar with the mitigation options available and have estimates of their associated costs.
Mitigation coverage may “fail”—meaning that coverage is not realized—due to uncertain mitigation coverage or limited knowledge SMEs have about their effectiveness. We consider a set $\Omega$ of realizations of mitigation effectiveness, where the corresponding random variable $\xi^{\omega}_{mn}$ is equal to 1 if the coverage of $m \in M$ on node $n \in N$ is effective in scenario $\omega$, and 0 otherwise. We assume that each scenario $\omega \in \Omega$ occurs with probability $p^{\omega} \in [0, 1]$, $\omega \in \Omega$, with $\sum_{\omega \in \Omega} p^{\omega} = 1$. Information collected by SMEs can be used to construct a set of realizations for mitigation effectiveness $\xi^{\omega}_{mn}$, $\omega \in \Omega$, and their associated probabilities $p^{\omega} \in [0, 1]$, $\omega \in \Omega$, with $\sum_{\omega \in \Omega} p^{\omega} = 1$, potentially by sampling.
All models use a common set of decision variables, which are defined as follows:
• $x_m = 1$ if mitigation $m \in M$ is chosen, and 0 otherwise;
• $z^{\omega}_n = 1$ if node $n \in N$ is covered by at least one selected mitigation under scenario $\omega \in \Omega$, and 0 otherwise;
• $y^{\omega}_s$ = the number of nodes in attack path $s \in S$ that are covered under scenario $\omega \in \Omega$.
The expected coverage maximization model, MaxExpCoverage, which corresponds to the SAA-EBMMC model in Zheng et al. (2018), is formulated below.
MaxExpCoverage:
$$\max \sum_{\omega \in \Omega} p^{\omega} \sum_{s \in S} a_s f_s(y^{\omega}_s) \qquad (1)$$
$$\text{s.t.}\quad y^{\omega}_s \le \sum_{n \in N_s} z^{\omega}_n, \quad s \in S,\ \omega \in \Omega, \qquad (2)$$
$$z^{\omega}_n \le \sum_{m \in M_n} \xi^{\omega}_{mn}\, x_m, \quad n \in N,\ \omega \in \Omega, \qquad (3)$$
$$\sum_{m \in M} b_m x_m \le B, \qquad (4)$$
$$x_m \in \{0, 1\}, \quad m \in M, \qquad (5)$$
$$z^{\omega}_n \in \{0, 1\}, \quad n \in N,\ \omega \in \Omega. \qquad (6)$$
The objective function in (1) is the expected value of the total coverage of all attack paths across all scenarios. This nonlinear function can be easily linearized by adding new variables and constraints; see Zheng et al. (2018) for details. Constraint set (2) sets the value of $y^{\omega}_s$, the number of nodes covered in attack path $s \in S$ in scenario $\omega \in \Omega$, and constraint set (3) states that node $n \in N$ is covered in scenario $\omega \in \Omega$ (i.e., $z^{\omega}_n = 1$) if there exists at least one selected mitigation that covers it. Constraint (4) is the budget constraint. Constraint sets (5) and (6) require the $x$ and $z$ variables to be binary.
MaxExpCoverage returns a solution that
performs well on average. However, its actual per-
formance could be unacceptable to decisionmakers
for some realizations of ξ if it yields extremely low
coverage in a few scenarios to achieve a better
expected coverage across all scenarios. Therefore,
we are motivated to identify robust solutions that
avoid worst-case performance. The following ro-
bust models address the uncertainty from different
perspectives and identify solutions that plan for
different risk situations.
In the first robust model, we aim to identify a solution that has the best worst-case performance across all scenarios. Denote by the variable $u$ the minimal coverage across all scenarios. We present the following model, MaxMinCoverage, that maximizes the worst-case coverage.
MaxMinCoverage:
$$\max\ u \qquad (7)$$
$$\text{s.t.}\quad u \le \sum_{s \in S} a_s f_s(y^{\omega}_s), \quad \forall \omega \in \Omega, \qquad (8)$$
$$(2)\text{–}(6).$$
The minimal coverage u across all scenarios,
as defined by constraint (8), is maximized in the
objective (7). This measure is often considered
to be overly pessimistic by evaluating only the
most extreme scenario, regardless of the coverage
in other scenarios. We list two examples when
MaxMinCoverage is overly pessimistic. First, if the
worst-case scenario occurs with an extremely small
probability but requires an expensive mitigation to
cover, MaxMinCoverage would suggest selecting this
mitigation even when the coverage in most scenarios
is high. Second, consider the case when there are
several equivalent worst-case scenarios that employ
different sets of mitigations. If the total budget is
not enough to select all required mitigations, the
resulting minimal coverage is not improved after ex-
hausting the entire budget. Meanwhile, coverage in
most scenarios is neglected in this decision process.
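To make the difference between the expected-value criterion and the worst-case criteria concrete, the following brute-force solver is added here as an illustration; it is not code from Zheng and Albert. It enumerates every budget-feasible portfolio of mitigations on a constructed toy instance and ranks the portfolios under MaxExpCoverage, MaxMinCoverage, MinMaxRegret and MaxCVaR as those criteria are defined in this section and in the introduction: regret is presolved per scenario, and CVaR is computed as the probability-weighted mean coverage of the (1 − α) worst-case tail. The instance, the coverage function f_s(y) = 1 − 0.5^y, the mitigation costs and the scenario probabilities are all invented for the example. The instance is built to mirror the first overly pessimistic case described above: two cheap mitigations A and B that fail together in a 5% scenario, and an expensive mitigation C that stays effective there. Enumeration stands in for the integer program only because the instance is tiny.

```python
"""Rank mitigation portfolios under expected, max-min, min-max-regret and CVaR coverage.

Constructed toy instance (not from the paper): 4 vulnerability nodes on 2 attack paths,
3 mitigations, 3 effectiveness scenarios, budget 4.
"""
from itertools import combinations

PATHS = {"s1": ["n1", "n2"], "s2": ["n3", "n4"]}       # N_s: nodes on each attack path
WEIGHTS = {"s1": 1.0, "s2": 1.0}                        # a_s: strategic weight of each path
MITIGATIONS = {                                         # m -> (cost b_m, nodes it covers M_n^-1)
    "A": (2, {"n1", "n3"}),
    "B": (2, {"n2", "n4"}),
    "C": (4, {"n1", "n3"}),   # hardened, expensive alternative to A
}
BUDGET = 4
# Scenario omega -> (probability p^omega, set of (m, n) pairs whose coverage FAILS, i.e. xi^omega_mn = 0)
SCENARIOS = {
    "w1": (0.70, set()),                                             # everything works as assessed
    "w2": (0.25, {("B", "n4")}),                                     # B partially fails
    "w3": (0.05, {("A", "n1"), ("A", "n3"), ("B", "n2"), ("B", "n4")}),  # threat evolved: A and B fail
}


def f(y):
    """Coverage function f_s: each covered node halves the residual exposure (nondecreasing, concave)."""
    return 1.0 - 0.5 ** y


def feasible_portfolios():
    """All subsets of mitigations whose total cost respects the budget (constraint (4))."""
    names = sorted(MITIGATIONS)
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            if sum(MITIGATIONS[m][0] for m in combo) <= BUDGET:
                yield frozenset(combo)


def coverage(portfolio, scenario):
    """sum_s a_s f_s(y_s^omega): y_s counts nodes on path s with an effective selected mitigation."""
    _, failed = SCENARIOS[scenario]
    total = 0.0
    for s, nodes in PATHS.items():
        y = sum(1 for n in nodes
                if any(n in MITIGATIONS[m][1] and (m, n) not in failed for m in portfolio))
        total += WEIGHTS[s] * f(y)
    return total


def expected_coverage(portfolio):
    return sum(p * coverage(portfolio, w) for w, (p, _) in SCENARIOS.items())


def min_coverage(portfolio):
    return min(coverage(portfolio, w) for w in SCENARIOS)


def max_regret(portfolio, portfolios):
    """Regret in scenario w = best coverage attainable in w (presolved) minus this portfolio's."""
    return max(max(coverage(q, w) for q in portfolios) - coverage(portfolio, w) for w in SCENARIOS)


def cvar(portfolio, alpha):
    """Expected coverage over the (1 - alpha) worst-case probability mass; alpha = 1 reduces to the minimum."""
    beta = 1.0 - alpha
    if beta <= 1e-12:
        return min_coverage(portfolio)
    ranked = sorted((coverage(portfolio, w), p) for w, (p, _) in SCENARIOS.items())
    remaining, acc = beta, 0.0
    for cov, p in ranked:          # walk up from the worst scenario, splitting the boundary one
        take = min(p, remaining)
        acc += take * cov
        remaining -= take
        if remaining <= 1e-12:
            break
    return acc / beta


def best(criterion, portfolios, maximize=True):
    ordered = sorted(portfolios, key=lambda q: sorted(q))   # deterministic tie-break
    return (max if maximize else min)(ordered, key=criterion)


def solve():
    """Return the portfolio each model selects on the toy instance."""
    ports = list(feasible_portfolios())
    return {
        "MaxExpCoverage": best(expected_coverage, ports),
        "MaxMinCoverage": best(min_coverage, ports),
        "MinMaxRegret": best(lambda q: max_regret(q, ports), ports, maximize=False),
        "MaxCVaR(0.9)": best(lambda q: cvar(q, 0.9), ports),
        "MaxCVaR(0.5)": best(lambda q: cvar(q, 0.5), ports),
    }


if __name__ == "__main__":
    for name, q in solve().items():
        print(f"{name:15s} -> {sorted(q)}")
```

On this instance MaxExpCoverage selects {A, B} (expected coverage 1.3625 against 1.0 for {C}), while MaxMinCoverage, MinMaxRegret and MaxCVaR at α = 0.9 all select {C}, spending the whole budget on the single mitigation that survives the 5% scenario. Lowering α to 0.5 widens the tail enough that {A, B} is chosen again, which is the risk-preference dial the text describes.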
While MaxMinCoverage allocates mitigations
to improve the worst-case scenarios, these scenarios
might not “demand” the most defensive resources.
In the case when the worst-case coverage is only
improved by a small amount in a MaxMinCoverage
solution, it is likely that other …
978-1-5386-7531-1/18/$31.00 ©2018 IEEE
Intelligent System for Risk Identification of
Cybersecurity Violations in Energy Facility
Gaskova Daria, Aleksei Massel
Laboratory of Information Systems in energetics
Melentiev Energy Systems Institute of SB RAS
Irkutsk, Russia
[email protected], [email protected]
Abstract—The article describes a risk-based approach intended for analyzing threats and assessing the risk of cybersecurity violations in energy facilities. In the energy sector this approach should consider the harm produced by damage to or demolition of the object using quantitative and qualitative parameters. It is based on the probability of damage or destruction of the facility resulting in a cascade failure. It can be employed for developing an information-analytical system aimed at monitoring cybersecurity violations in the energy sector.
Keywords—cybersecurity; critical infrastructure; risk assessment; intelligent system
I. INTRODUCTION
The Russian energy infrastructure is truly significant, as it combines power plants and energy systems, including the main energy transmission lines. Critical infrastructures are currently an active area of study [1-2]. Because energy has penetrated all spheres of life in modern society, it is considered a vital component of national security [3]. It is noteworthy that energy security (ES) forms an important part of Russia’s national security. The development of the Smart Grid concept in Russia exacerbates the problem of cybersecurity in energy. ES threats are traditionally classified into five main groups: economic, social-political, technogenic, natural and managerial-legal [4]. This threat list was supplemented with cybersecurity threats [2], whose realization may provoke serious emergency situations in energy, with a drastic reduction of the energy resources provided to consumers.
The rapid spread of the computing environment, the development of information technologies and the trend toward intelligent energy systems make cyber threats the most notable tactical threats to ES. As a matter of fact, both systematic preventive measures against cyber threats and the continuous updating of protection are underrated. This can lead to a significant long-term deficit in energy supply, whose negative impacts depend on the scale of the cyber threats and the damage caused. Motivated by the reasons above, the authors propose to create an intelligent system capable of identifying the risk of cybersecurity violations in an energy facility using a risk-based approach.
II. ENERGY AS AN IMPORTANT CRITICAL INFRASTRUCTURE
Critical infrastructure is the part of civil infrastructure that comprises the physical or virtual systems and means that are important for the country, as their failure or destruction can trigger disastrous consequences in the fields of defense, economy, health and national security [1].
Requirements for ensuring cybersecurity in the energy sector have already been formed in foreign countries [5]. In Russia, the normative framework for ensuring cybersecurity in critical infrastructures is only beginning to be formed. Information protection in automatic process control systems in energy is usually provided on the basis of order № 31 of the Federal Service for Technical and Export Control of Russia [6]. This order establishes requirements to ensure the protection of information in critical objects from illegal actions, including computer attacks. The normative framework for information protection in critical infrastructure is currently at the draft stage of the Federal Law “On the Security of the Critical Information Infrastructure of the Russian Federation (RF)”. The draft law establishes the main directions and principles for ensuring the security of critical information infrastructure, the powers of RF government agencies in this area, and also the rights, duties and responsibilities of owners, communications providers and operators, and also state information system operators that provide the functioning and interaction of these facilities [7].
Investigations of critical infrastructure and, in particular, the identification of critically dangerous facilities are a focus area in many countries, primarily in the United States. The reason for this is that the development level of information technologies and the capacity of modern simulation complexes are constantly increasing [1].
Nowadays the energy sector in Russia is at the stage of intellectualization, including both technological equipment (e.g. smart sensors, data transmission networks) and the application of modern information technologies, primarily in the electrical energy industry. At the same time, the introduction of information technologies into the energy industry carries many risks and threats [8].
III. CYBERSECURITY
According to the standard T-REC-X.1205 - ITU-T [9],
cybersecurity is treated as a set of tools, strategies, principles of
security, security guarantees, guidelines, risk management
approaches, actions, training, experience, insurance and
technologies that can be used to protect the cyber environment,
resources, organizations and users.
This work was partially supported by RFBR grants №15-07-01284 and №17-07-01341. The authors are grateful to this organization.
Authorized licensed use limited to: Northcentral University. Downloaded on October 19,2021 at 13:52:31 UTC from IEEE Xplore. Restrictions apply.
The cyber environment comprises computing devices, personnel, infrastructure, applications, services, telecommunications systems, as well as the totality of transmitted and/or stored information.
Cybersecurity is an attempt to achieve and maintain the security properties of the resources of the organization or user against relevant security threats in the cyber environment.
According to ISO 27032:2012 [10], cybersecurity is based on application security, information security, network security, Internet security and critical information infrastructure protection, but is not synonymous with them.
The protection of key information systems of critical infrastructures primarily concerns ensuring the ES of the facility.
The main concepts of cybersecurity are the asset, threat, vulnerability and risk. The main definitions of security and their relationships described in foreign and translated standards [2] share similarities. Security is concerned with protecting assets from threats, which are classified based on the potential for abuse of the protected assets, and particular attention is paid to threats associated with malicious or other human actions [11].
The ontology of cybersecurity in the energy sector [12] and the methodology for threat analysis and risk assessment of security violations in energy complexes were developed at the Melentiev Energy Systems Institute SB RAS. The methodology, which includes eight stages, is based on expert assessments and methods of qualitative risk analysis [13].
An asset is some entity valuable to a person or organization [11]. A security threat is a possible action that can directly or indirectly damage information security. Damage to security is understood as a violation of the confidentiality, accessibility and/or integrity of information.
Threats are classified by the nature of their occurrence, degree of deliberateness, manifestation of the direct threat source, position of the threat source, extent of dependence upon activity, degree of impact on the system, resource access methods, and current location of the information stored and processed in the system. In particular, threats are classified by the degree of deliberateness:
Threats caused by human errors or negligence.
Threats of deliberate action.
A cyber attack is a threat of deliberate action initiated by a human.
A vulnerability is a weakness in the information system, the security system or gaps in internal controls that can be exploited or triggered by a threat source [14].
Risk is an event with negative consequences caused by external or internal factors [14]. Risk can be defined as a combination of the probability of an accident and the scale of the damage it can cause, or as a combination of the probability of an event and its impact [2].
Risk management is the process of in-depth study of the factors that can lead to the realization of possible threats to the assets of the system. The PDCA (Plan, Do, Check, Act) process model, also known as the Deming-Shewhart cycle, is commonly used for risk assessment [11].
Widespread interest in industrial systems security arose not so long ago, after a series of specialized computer virus incidents such as Flame and Stuxnet. It then transpired that international intelligence agencies, competing corporations or cyber-terrorists can exploit inadequate attention to the information security of automatic process control systems and their components (for instance, Supervisory Control And Data Acquisition SCADA / Power-Line Communication PLC) for their own purposes [15].
The development of an effective cybersecurity strategy requires a holistic approach to risk analysis. This means that systematic documentation and prioritization of the existing vulnerabilities (threats) of the management system and their possible consequences are required. Only then can the owners of energy assets make adequate decisions to anticipate and respond to existing and potential threats.
IV. RISK-BASED APPROACH
The risk-based approach considers the harm from damage to or demolition of the object using quantitative and qualitative parameters, as well as the probability of further damage to or destruction of the object’s components, based on the probability of damage or destruction of the object leading to a cascade failure. The risk formula consists of three components (1),
R = {T, V, D}, (1)
where T denotes threats, V vulnerabilities, and D the damage from threat realization.
Threats are defined through the probability of the occurrence of events leading to critical situations (for example, the conditional probabilities used in Bayesian networks). Cyber threats can trigger the subsequent realization of other ES threats. It was suggested to apply Bayesian networks to build cyber threat realization scenarios using conditional probability.
Asset vulnerabilities are determined by an expert poll using a production (rule-based) expert system. The knowledge base of the expert system includes the standards for the five components of cybersecurity.
Damage is traditionally evaluated in monetary terms; however, conventional units are applied at this stage.
It is proposed to develop an intelligent system to support decision-making by an information security specialist concerning the assurance of energy facility cybersecurity. This system, utilizing the risk-based approach, should contribute to identifying critical assets, their vulnerabilities and the threats of security violations, determining scenarios of threat realization, and measures to protect assets from threats. The system will build upon the methodology for analyzing threats and assessing the risk of information technology security violations in energy complexes proposed by A. Massel [16].
Authorized licensed use limited to: Northcentral University. Downloaded on October 19,2021 at 13:52:31 UTC from IEEE Xplore. Restrictions apply.
V. THE INTELLIGENT SYSTEM DEVELOPMENT
At present, the structure of an intelligent system for identifying the risk of cybersecurity violations in energy facilities has been designed, and a research prototype of the system described above has been implemented. It consists of three interrelated components: (1) an expert system for recognizing vulnerabilities and primary threats, (2) a Bayesian network for modeling threat scenarios, and (3) a module for assessing the risk of cybersecurity violations, which includes visualization as a risk map.
The intelligent system structure is shown in Figure 1.
[Figure 1: block diagram. The expert consults the expert system, which produces a list of vulnerabilities and a list of threats; the list of threats feeds the Bayesian network, which produces threat scenarios; the scenarios together with damage estimates feed the risk evaluation module, which produces the map of risks.]
Fig. 1. Structure of intelligent system.
Figure 2 shows the ontology of basic concepts of cyber
threats incorporated into an intelligent system.
Fig. 2. The ontology of basic concepts of cyber threats.
Assets are considered in terms of the information infrastructure of the critical facility; for example, the assets of an automatic process control system are considered at the operator, automatic control and executive (field) device levels.
Threats and vulnerabilities are first considered at the top level, as general concepts with the most comprehensive list, and then at a detailed level that gives specific names and hardware and software types.
The expert system covers three subjects: (1) the energy facility asset, (2) the vulnerabilities of its information technology system and (3) the threats of cybersecurity violation of the facility. It is intended for detecting the primary vulnerabilities and threats of the facility and relies on the answers that the user, an information security specialist, gives to the questions the system poses in the form of a questionnaire.
The interconnection between assets, vulnerabilities and threats within the system is established by templates, each with a number of main fields. The vulnerability template has the form:
<Vulnerabilities>
  <Title>…</Title>
  <Assets>…</Assets>
  <Threats>…</Threats>   (or <List of threats>…</List of threats>)
  <Control>…</Control>
</Vulnerabilities>
The system searches for the most common vulnerabilities and threats described for the given energy facility and compiles their list. The list of threats is then passed to the Bayesian network to determine conditional probabilities and build threat realization scenarios.
A research prototype of the production expert system has recently been implemented. Figure 3 illustrates the prototype structure.
[Figure 3: block diagram. Java side: graphical user interface (Swing, listeners) and interaction interface (JNI). CLIPS side: core of the expert system, consisting of the knowledge base (rules, templates) and the inference engine.]
Fig. 3. Prototype structure.
The graphical user interface (GUI) provides data display and the handling of user interface events; it is implemented in Java using the Swing library. The interaction interface uses the Java Native Interface (JNI), the mechanism for calling native code from a program running under the Java virtual machine; here it connects the GUI with CLIPS (C Language Integrated Production System). The core of the expert system is built with the CLIPS expert system development environment and consists of the inference engine and the knowledge base.
The Bayesian network will be implemented with the same software tools as the expert system prototype so that the two can be integrated. The threats, and the partial links between them established in the expert system, are transferred to the Bayesian network for the expert to work on. The threat template is assumed to have tag fields listing the threats that usually cause, or are caused by, a given threat. The expert checks the existing links and adds the missing ones, which yields a threat graph, i.e. the threat realization scenarios. Given the a priori probabilities of the threats that act as initiating events, the graph model determines the conditional probabilities of the other threats. Using a Bayesian network makes it possible to analyze the impact of cyber threats on threats to energy security. Figure 4 illustrates the "unauthorized access" threat scenario.
Fig. 4. Realization of the threat "unauthorized access" using a Bayesian network in the Netica program.
As an example, consider the probability of the threat of "unauthorized access" to the automated workstation of the SCADA system manager. Suppose that the experts' work with the expert system yields a list of threats such as the possibility of stealing a password, a weak password policy and, as a consequence, the possibility of unauthorized access by an attacker. The "steal a password" threat has three states, reflecting how easily a password can be stolen: easy, average and difficult. The password policy also has three states: weak, medium and strong. Depending on the likelihood of these two threats, the "unauthorized access" threat is either realizable or unrealizable with a calculated probability. The access obtained by the attacker can affect the transmission of the energy facility's state data; the functioning of the facility can then be disrupted if information about the pre-crisis state of the system is substantially delayed or lost.
The presented example assumes a weak password policy and a password that is easy to steal, and takes the system to be in the pre-crisis state. Most probably the attacker will not disclose the unauthorized access and will delay information about the system state. In this case the probability of a transition from the pre-crisis to the crisis state is high (in Fig. 4 the "unauthorized access" threat is realizable with probability 0.99, information delay has probability 0.55, and the crisis state of facility functioning has probability 0.54).
Risk is assessed by traversing the graph for each scenario the expert considers plausible. To this end the expert fills in the "damage" field of each final state in the scenario. The module then calculates the risk of each scenario as the product of the likelihood of the threat being realized and the damage it causes, and displays a ranked list of scenarios.
In addition, the risk assessment module should visualize the risk of threat realization for a given asset as a risk map, which shows the risks by threat type together with the risk acceptability line. Figure 5 shows an example of such a map. A ranked list of the facility's critical assets is also to be displayed; here critical assets are those that account for the greatest number of threats in the scenarios and whose threat realization likelihoods exceed the threshold likelihood set by the expert.
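The "unauthorized access" scenario of Fig. 4 and the risk ranking described above, as an added worked example in Python that is not part of the original paper (whose prototype uses Netica for the network and CLIPS for the expert system): a discrete Bayesian network with the structure of Fig. 4 is evaluated by exhaustive enumeration, the posterior probability of each final state of facility functioning is multiplied by an expert damage value, and the outcomes are ranked against a risk acceptability line. The node and function names, all conditional probability tables, the priors of the root nodes, the damage values and the acceptability threshold are illustrative assumptions, chosen so that the weak-policy, easily-stolen-password case comes out close to the values shown in the figure; the enumeration itself works for any network written in the same dictionary form.

```python
"""Discrete Bayesian-network inference by enumeration for the Fig. 4 threat
scenario, followed by risk = likelihood x damage ranking (Sec. V).

Illustrative example; all numbers are assumptions, not data from the paper.
"""
from itertools import product

# node -> (parents, states, CPT). The CPT maps a tuple of parent states to the
# distribution over the node's own states, in the order given by `states`.
# Roots use the empty tuple () as their only key.
NETWORK = {
    "steal_password": ((), ("easy", "average", "difficult"),
                       {(): (0.3, 0.4, 0.3)}),
    "password_policy": ((), ("weak", "medium", "strong"),
                        {(): (0.3, 0.4, 0.3)}),
    "system_state": ((), ("normal", "precrisis", "crisis"),
                     {(): (0.8, 0.15, 0.05)}),
    "unauthorized_access": (
        ("steal_password", "password_policy"), ("realizable", "unrealizable"),
        {("easy", "weak"): (0.99, 0.01), ("easy", "medium"): (0.85, 0.15),
         ("easy", "strong"): (0.60, 0.40), ("average", "weak"): (0.80, 0.20),
         ("average", "medium"): (0.50, 0.50), ("average", "strong"): (0.25, 0.75),
         ("difficult", "weak"): (0.40, 0.60), ("difficult", "medium"): (0.15, 0.85),
         ("difficult", "strong"): (0.05, 0.95)}),
    "info_transfer": (
        ("unauthorized_access", "system_state"), ("success", "loss", "delay"),
        {("realizable", "normal"): (0.70, 0.10, 0.20),
         ("realizable", "precrisis"): (0.15, 0.30, 0.55),
         ("realizable", "crisis"): (0.10, 0.40, 0.50),
         ("unrealizable", "normal"): (0.95, 0.02, 0.03),
         ("unrealizable", "precrisis"): (0.95, 0.02, 0.03),
         ("unrealizable", "crisis"): (0.95, 0.02, 0.03)}),
    "facility_function": (
        ("info_transfer", "system_state"), ("normal", "precrisis", "crisis"),
        {("success", "normal"): (0.98, 0.02, 0.00),
         ("success", "precrisis"): (0.80, 0.15, 0.05),
         ("success", "crisis"): (0.10, 0.30, 0.60),
         ("loss", "normal"): (0.60, 0.30, 0.10),
         ("loss", "precrisis"): (0.05, 0.25, 0.70),
         ("loss", "crisis"): (0.00, 0.10, 0.90),
         ("delay", "normal"): (0.70, 0.25, 0.05),
         ("delay", "precrisis"): (0.05, 0.40, 0.55),
         ("delay", "crisis"): (0.00, 0.15, 0.85)}),
}


def joint_probability(assignment):
    """P(full assignment) = product over nodes of P(node | its parents)."""
    p = 1.0
    for node, (parents, states, cpt) in NETWORK.items():
        row = cpt[tuple(assignment[par] for par in parents)]
        p *= row[states.index(assignment[node])]
    return p


def query(target, evidence):
    """Posterior P(target | evidence) by summing the joint over every full
    assignment consistent with the evidence, then normalizing."""
    names = list(NETWORK)
    totals = {s: 0.0 for s in NETWORK[target][1]}
    for combo in product(*(NETWORK[n][1] for n in names)):
        assignment = dict(zip(names, combo))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue  # contradicts an observed node
        totals[assignment[target]] += joint_probability(assignment)
    z = sum(totals.values())
    return {s: v / z for s, v in totals.items()}


def rank_risks(posterior, damage, acceptable):
    """Risk of each final state = likelihood x expert damage (conventional
    units); states above the acceptability line are flagged as critical.
    Returns (state, probability, risk, critical) tuples, highest risk first."""
    rows = [(state, p, p * damage[state], p * damage[state] > acceptable)
            for state, p in posterior.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Evidence of the Fig. 4 example: weak policy, easily stolen password,
# system already in the pre-crisis state.
EVIDENCE = {"steal_password": "easy", "password_policy": "weak",
            "system_state": "precrisis"}
# Assumed expert damage per final state of "facility_function".
DAMAGE = {"normal": 0.0, "precrisis": 30.0, "crisis": 100.0}
ACCEPTABLE_RISK = 20.0  # assumed position of the risk acceptability line

if __name__ == "__main__":
    print("unauthorized access:", query("unauthorized_access", EVIDENCE))
    print("information transfer:", query("info_transfer", EVIDENCE))
    outcome = query("facility_function", EVIDENCE)
    for state, p, risk, critical in rank_risks(outcome, DAMAGE, ACCEPTABLE_RISK):
        print(f"{state:10s} P={p:.3f} risk={risk:6.2f}",
              "CRITICAL" if critical else "acceptable")
```

With the Fig. 4 evidence the unauthorized access threat is realizable with probability 0.99, information delay has probability about 0.54 and the crisis state about 0.52, and only the crisis outcome lies above the acceptability line. Enumeration is exponential in the number of nodes; a production risk module would use variable elimination or a library such as pgmpy, but for the handful of nodes in one threat scenario it keeps every step of the calculation visible.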
[Figure 5: risk map. Threats are plotted as points labelled by threat type (types 1, 2 and 3); a risk acceptability line divides the map, and the points lying beyond it are marked as critical threats.]
Fig. 5. Example of risk map.
VI. CONCLUSION
The article considers the energy sector as a critical infrastructure and an important part of national security. Given the tendency to introduce new information and telecommunication technologies into the energy sector, it is vital to ensure high-quality cybersecurity. A risk-based approach is proposed that links the vulnerabilities, threats and damage of cybersecurity violations. It is proposed to develop an intelligent system for assessing the risk of cybersecurity violations from the most feasible cyber threats, applying the risk-based approach and the methodology of threat analysis and risk assessment.
REFERENCES
[1] A. Kondratev, "The current trends in research of Critical Infrastructure in foreign countries," Foreign Military Review, no. 1, 2012, pp. 19-30.
[2] L.V. Massel, N.I. Voropai, S.M. Senderov, A.G. Massel, "Cybersecurity as one of the strategic threats to energy security," Cybersecurity Issues, no. 4 (17), 2016, pp. 2-10.
[3] B.G. Saneev, S.P. Filipov et al., System Researches of Energy Problems. Novosibirsk: Nauka, 2000, 588 p.
[4] N.I. Pyatkova, V.I. Rabchuk, S.M. Senderov, M.B. Cheltsov, Energy Security of Russia: Problems and Solutions. Novosibirsk: SB RAS Publishing House, 2011, 211 p.
[Node values of Fig. 4 (percent): Steal password: easy 100, average 0, difficult 0. Password policy: weak 100, medium 0, strong 0. System state: normal 0, precrisis 100, crisis 0. Unauthorized access: realizable 99.0, unrealizable 1.0. Pre-emergency information transfer: successful transfer 15.1, information loss 29.9, information delay 55.0. Violation of energy facility function: normal function 14.5, precrisis function 31.5, crisis 54.0.]
[5] L.V. Massel, A.G. Massel, "Cyber security of Russia's energy infrastructure as a component of national security," 6th International Conference on Liberalization and Modernization of Power Systems, 2015, pp. 66-72.
[6] Requirements to ensure the information protection in automatic process control systems of production and technological processes in critical facilities, potentially hazardous facilities, and objects that present an increased danger to human life and the environment. [Online]. Available: http://fstec.ru/prikazy/864-prikaz-fstek-rossii-ot-14-marta-2014-g-n-31
[7] The Security of the Critical Information Infrastructure of the Russian Federation. [Online]. Available: https://www.consultant.ru/law/hotdocs/48095.html
[8] L.V. Massel, "Modern information technologies in the Smart Grid as a threat to the cybersecurity of Russia's energy systems," Information Technology and Security, Kiev, no. 1 (3), 2013, pp. 56-65.
[9] ITU-T Recommendation X.1205, Overview of cybersecurity. [Online]. Available: https://www.itu.int/rec/T-REC-X.1205-200804-I
[10] ISO/IEC 27032:2012, Information technology. Security techniques. Guidelines for cybersecurity.
[11] V.V. Mohor, A.M. Bogdanov, A.S. Kilevoj, Information Technology. Security Techniques. Cybersecurity Manual (ISO/IEC 27032:2012). Kiev: Three-K, 2013, 129 p.
[12] T.N. Vorozhtsova, "Development of the ontology of cybersecurity in the energy sector," International Conference "Cybersecurity-2013", Kiev, 2013, pp. 19-25.
[13] L.V. Massel, A.G. Massel, "The current state of cyber security in Russia's energy systems and the proposed activities for situation improving," 6th International Conference on Liberalization and Modernization of Power Systems, 2015, pp. 165-170.
[14] V.F. Shanguin, Protection of Information in Computer Systems and Networks. Moscow: DMK, 2012, 593 p.
[15] G.V. Grytsay, A.G. Timorin, "Safety of industrial systems in figures," Positive Technologies, 2012. [Online]. Available: http://www.ptsecurity.ru/download/SCADA_analytics_russian.pdf
[16] A.G. Massel, "Methodology for threat analysis and risk assessment of information technology security violation of energy complexes," 20th Baikal Russian Conference, vol. 3, 2015, pp. 186-195.
IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS: SYSTEMS, VOL. 46, NO. 10, OCTOBER 2016 1429
Multimodel-Based Incident Prediction and
Risk Assessment in Dynamic Cybersecurity
Protection for Industrial Control Systems
Qi Zhang, Chunjie Zhou, Naixue Xiong, Senior Member, IEEE,
Yuanqing Qin, Xuan Li, and Shuang Huang
Abstract—Currently, an increasing number of information/communication technologies are adopted into the industrial control systems (ICSs). While these IT technologies offer high flexibility, interoperability, and convenient administration of ICSs, they also introduce cybersecurity risks. Dynamic cybersecurity risk assessment is a key foundational component of security protection. However, due to the characteristics of ICSs, the risk assessment for IT systems is not completely applicable for ICSs. In this paper, through the consideration of the characteristics of ICSs, a targeted multilevel Bayesian network containing attack, function, and incident models is proposed. Following this proposal, a novel multimodel-based hazardous incident prediction approach is designed. On this basis, a dynamic cybersecurity risk assessment approach, which has the ability to assess the risk caused by unknown attacks, is also devised. Furthermore, to improve the accuracy of the risk assessment, which may be reduced by the redundant accumulation of overlaps amongst different consequences, a unified consequence quantification method is presented. Finally, to verify the effectiveness of the proposed approach, a simulation of a simplified chemical reactor control system is conducted in MATLAB. The simulation results clearly demonstrate that the proposed approach has the ability to dynamically calculate the cybersecurity risk of ICSs in a timely manner. Additionally, the result of a different comparative simulation shows that our approach has the ability to assess the risk caused by unknown attacks.
Index Terms—Bayesian network, cybersecurity, incident prediction, industrial control system (ICS), multiple models, risk assessment.
Manuscript received May 26, 2015; revised August 13, 2015; accepted August 20, 2015. Date of publication December 18, 2015; date of current version September 14, 2016. This work was supported in part by the National Natural Science Foundation of China under Grant 61272204 and Grant 61433006, and in part by the Fundamental Research Funds for the Central Universities of China (HUST) under Grant 2013ZZGH006. This paper was recommended by Associate Editor T.-M. Choi. (Corresponding authors: Chunjie Zhou and Yuanqing Qin.)
Q. Zhang, C. Zhou, Y. Qin, X. Li, and S. Huang are with the
Key Laboratory of Ministry of Education for Image Processing and
Intelligent Control, School of Automation, Huazhong University of
Science and Technology, Wuhan 430074, China (e-mail: [email protected];
[email protected]; [email protected]; [email protected];
[email protected]).
N. Xiong is with the Department of Business and Computer Science,
Southwestern Oklahoma State University, Weatherford, OK 73096, USA
(e-mail: [email protected]).
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TSMC.2015.2503399
NOMENCLATURE
List of Notation
$T$: Boolean, the condition is satisfied.
$F$: Boolean, the condition is not satisfied.
$R$: Cybersecurity risk of the system.
$a_i$: $i$th malicious atom attack (node).
$r_i$: $i$th system resource (node).
$f_i$: $i$th system function (node).
$e_i$: $i$th hazardous incident (node).
$x_i$: $i$th auxiliary incident (node).
$c_i$: $i$th consequence.
$p(e_i)$: Occurrence probability of $e_i$.
$q(e_i)$: Consequence quantification of $e_i$.
$O(r_i)$: Event that the attacker has obtained $r_i$.
$\overline{O}(r_i)$: Event that the attacker has not obtained $r_i$.
$o_{r_i,j}$: Conditional probability that $O(r_i)$ happens in the $j$th condition.
$C(a_i)$: Event that the condition for launching $a_i$ has been satisfied.
$\overline{C}(a_i)$: Event that the condition for launching $a_i$ has not been satisfied.
$c_{a_i,j}$: Conditional probability that $C(a_i)$ happens in the $j$th condition.
$L(a_i)$: Event that $a_i$ has been launched.
$\overline{L}(a_i)$: Event that $a_i$ has not been launched.
[symbol illegible]$_{a_i}$: Probability that $L(a_i)$ happens given that $C(a_i)$ has happened.
$l_{a_i,j}$: Conditional probability that $L(a_i)$ happens in the $j$th condition.
$F(f_i)$: Event that $f_i$ has been invalidated.
$\overline{F}(f_i)$: Event that $f_i$ has not been invalidated.
$b_{f_i,j}$: Conditional probability that $F(f_i)$ happens in the $j$th condition.
$H(e_i)$: Event that $e_i$ has occurred.
$\overline{H}(e_i)$: Event that $e_i$ has not occurred.
$h_{e_i,j}$: Conditional probability that $H(e_i)$ happens in the $j$th condition.
$H(x_i)$: Event that $x_i$ has occurred.
$\overline{H}(x_i)$: Event that $x_i$ has not occurred.
$h_{x_i,j}$: Conditional probability that $H(x_i)$ happens in the $j$th condition.
$E_a$: Set of attack evidence.
$E_b$: Set of anomaly evidence.
2168-2216 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Northcentral University. Downloaded on October 19,2021 at 14:01:47 UTC from IEEE Xplore. Restrictions apply.
$E$: Set of evidence.
$\mathbf{c}_i$: Set of consequences of $e_i$.
$\mathbf{C}$: Set of $\mathbf{c}_i$.
$\mathbf{c}'_i$: Set of consequences of $x_i$.
$\mathbf{C}'$: Set of $\mathbf{c}'_i$.
$\mathbf{e}_i$: Set of hazardous incidents.
$T_{\max}$: Maximum time interval between adjacent continuous atom attacks.
$Q_H$: Quantification of harm to people.
$Q_E$: Quantification of environmental pollution.
$Q_P$: Quantification of property loss.
I. INTRODUCTION
With the rapid development of industrial control systems (ICSs), ICSs are susceptible to the attacks and threats of typical IT systems [1]–[4]. Even worse, the number of vulnerabilities and cyber incidents of ICSs is increasing rapidly every year [5]. In the year 2000, a former employee attacked the supervisory control and data acquisition system of a sewage treatment plant in Queensland. This malicious attack caused 800 000 L of raw sewage to spill out into local parks and rivers [6], [7]. Stuxnet, which was discovered in June 2010, reportedly ruined almost one-fifth of Iran's nuclear centrifuges. As a result, it led to the repeated postponement of Iran's nuclear power plant and grid development [3], [8]. Unlike traditional IT systems, the security incidents of ICSs can cause irreparable harm to the physical systems they control and to the people dependent on them. Basically, protecting ICSs against cyberattacks is vital to both the economy and the stability of a nation. Therefore, the cybersecurity issue of ICSs must be taken seriously and solved as soon as possible.
As production and operation systems, ICSs have a relatively greater demand on timeliness and availability [9], requiring the need for dynamic cybersecurity protection. The objective of cybersecurity protection of the ICSs is to maintain a normally running system by lowering the dynamic risk below an acceptable risk threshold [10]. Thus, risk-based dynamic cybersecurity protection is an effective approach against cyberattacks [11], [12]. In risk-based dynamic cybersecurity protection, together with the target systems, intrusion detection, risk assessment, decision-making, and policy enforcement [4], [13], [14] form a closed loop. As a vital role in the closed loop, risk assessment is used to collect a wide variety of information, perceive the functioning state of the system, and assess the current cybersecurity risk of the system [10]. This evaluation or assessment assists decision makers in achieving benchmark performances and taking necessary actions to prevent the deterioration of the system [15], [16].
Cybersecurity risk assessment in the IT domain is not entirely applicable to ICSs because ICSs differ in some aspects from traditional IT systems. First, the cybersecurity objectives are different. Traditional IT systems require first an ensuring of confidentiality, then integrity, and finally availability. In contrast, for ICSs, the priorities of these three security objectives are first availability, then integrity, and finally confidentiality [17], because timeliness and availability are the primary concerns. Malicious attacks introduce the cybersecurity risk to ICSs by demolishing the timeliness and availability. Therefore, the risk assessment of ICSs needs a novel risk propagation analysis approach. On the other hand, the different weight assignments of these three security objectives create the need for the consequence quantification of ICSs to be redesigned. Second, most ICSs are real-time systems whose correctness is based on both the correctness and the timeliness of the output [9]. This means that a deferred response will lead to a reduction of control quality. Additionally, ICSs have more complicated and more tightly coupled physical systems. This characteristic may lead to a domino effect [18], which often takes place in process industries. For example, a spoof attack on a programmable logic controller (PLC) which controls a reducing valve will cause excessively high pressure and can even lead to the explosion of a chemical reactor. Generally, this kind of chain of events happens simultaneously or in rapid succession [19]. Even worse is that most ICSs run in an embedded system environment with limited computing capabilities. With consideration of the three points above, the risk assessment algorithm of ICSs requires low computational complexity to reduce time consumption. Finally, as continuously operating systems, ICSs cannot tolerate frequent software patching or updates [4]. This causes the database of attack signatures to lag far behind the rapid development of attacks. With this defect, several intrusion detection system (IDS)-based misuse detections would miss unknown attacks. On the other hand, without information about unknown attacks, such as purposes, consequences, and further steps, these unknown attacks and their consequences cannot be accurately predicted. As a result, the risk assessment module will generate erroneous risk values, which may lead to a wrong decision. In conclusion, although considerable research undertaken in past decades has made a contribution to risk assessment, research dedicated to cybersecurity protection of ICSs has remained limited.
In this paper, a multimodel-based incident prediction and risk assessment approach is designed for ICSs, which can perceive and understand the situation of ICSs, utilize the multiple models to predict hazardous incidents caused by malicious attacks, and generate the dynamic cybersecurity risk value of ICSs. Furthermore, the proposed approach can also assess the risk caused by unknown attacks. First, by analyzing the process of malicious attacks that lead to loss in ICSs, a multilevel Bayesian network, which consists of an attack model, a function model, and an incident model, is built to describe the propagation of risk caused by cyberattacks. Second, a multimodel-based cybersecurity risk assessment approach for ICSs is designed, which is able to generate the current cybersecurity risk value by calculating the probabilities and quantifying the consequences of a variety of potential hazardous incidents caused by malicious attacks. The proposed multimodel-based approach can predict the incidents caused by unknown attacks, which is impossible for prediction approaches based purely on attack knowledge. Then, to eliminate the risk error caused by the repeated accumulation of the overlaps amongst different consequences, a decoupling method for the consequences of an incident is proposed. Finally, the effectiveness of the proposed approach is verified through the use of a simulation of a simplified chemical reactor control system.
The rest of this paper is organized as follows. Section II first analyzes the requirements of cybersecurity risk assessment according to the characteristics of ICSs and then presents the architecture of our approach. Section III builds a novel multilevel Bayesian network and proposes an approach to predict hazardous incidents with the multilevel Bayesian network. Section IV introduces consequence-unified quantification and proposes an approach of dynamic cybersecurity risk assessment on the foundation of incident prediction. To verify the effectiveness of the proposed approach, a simulation is conducted in Section V. The concluding remarks are made in Section VI.
II. RELATED WORKS
A. Cybersecurity Risk Assessment for ICSs
In recent years, considerable research has been undertaken to study cybersecurity risk assessment methods. Tsai and Huang [20] used the analytic hierarchy process to qualitatively assess the cybersecurity risk of wireless networks. Feng and Li [21] used an information systems security model in order to cope with the uncertainty in the information system. Shi [22] adopted a simulation of attacks to analyze the impact of each attack, which led to the proposal of an approach to risk assessment for enterprise networks. Poolsappasit et al. [23] proposed a risk assessment approach using Bayesian networks which enabled a system administrator to quantify the chances of network compromise. That work introduced a model named Bayesian attack graph to describe the causal relationship between multistep attacks and to analyze the potential attack. Cárdenas et al. [4] presented an approach for analyzing the loss of events, and used probabilistic risk assessment to calculate the risk. In conclusion, existing research on risk assessment is mainly divided into two directions. One direction focuses on the relationship between multistep attacks and the prediction of potential attacks. The quantification methods of the consequence of malicious attacks are mainly based on confidentiality, integrity, and availability. Another direction performs work on the causal relationship of hazardous incidents, which can be used to predict the occurrence of these hazardous incidents.
Unlike IT systems, such as the intranet or Internet of things (IoT), ICSs have rigorous requirements on timeliness and availability [9]. The cybersecurity risks of ICSs are primarily from the potential loss caused by cyberattacks which demolish the timeliness and availability of the control system. Therefore, the cybersecurity risk propagation of ICSs is different from that of IT systems, and many risk assessment models for IT systems are not suitable for ICSs. Thus, cybersecurity risk assessment in ICSs requires a novel model to analyze the risk propagation.
The majority of the existing quantitative risk assessment approaches [4], [11], [24], [25] use the definition $R = \sum_i S(e_i)\,P(e_i)$ to calculate the risk $R$, where $S(e_i)$ is the severity of the incident $e_i$ and $P(e_i)$ is the probability of the incident $e_i$. This definition requires that the severity of hazardous incidents be quantified in the same unit. It is also worth noting that there is a problem when this definition is used in ICS risk assessment: for ICSs, different hazardous incidents may cause the same consequence, so using this definition to assess risk causes the severity of the same consequence to be accumulated multiple times. As a result, there is an error in the risk assessment which cannot be ignored. Worst of all, decision-making based on this inaccurate risk value may produce a wrong policy.
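The double-counting problem described above, as an added worked example (this is illustrative code written for this discussion, not code from the paper): three constructed incidents, two of which share one consequence. The incident-level sum $R = \sum_i S(e_i)P(e_i)$ charges the shared severity once per incident, while a consequence-level accumulation charges it once, weighted by the probability that the consequence occurs at all. The incident set, the values, and the independence assumption used to combine probabilities are all assumptions of the example, not the paper's method.

```python
"""Constructed example: R = sum_i S(e_i) P(e_i) versus a consequence-level
accumulation that does not count a shared consequence twice.
Added illustration, not the paper's own code."""

# Constructed hazardous incidents (assumed values): probability P(e_i), the
# consequence each one causes, and the severity S(e_i) of that consequence,
# all quantified in one unit (say, thousands of dollars of loss).
INCIDENTS = {
    "e1_pump_trip":     {"P": 0.20, "consequence": "production_loss",       "S": 100.0},
    "e2_valve_stuck":   {"P": 0.30, "consequence": "production_loss",       "S": 100.0},
    "e3_tank_overflow": {"P": 0.10, "consequence": "environmental_release", "S": 500.0},
}


def incident_level_risk(incidents):
    """R = sum_i S(e_i) P(e_i): every incident contributes its own severity,
    so a consequence shared by several incidents is charged once per incident."""
    return sum(e["S"] * e["P"] for e in incidents.values())


def consequence_level_risk(incidents):
    """Group incidents by consequence, compute the probability that the
    consequence occurs at least once, and weight the severity by that once.
    Assumption: the incidents are mutually independent."""
    by_consequence = {}
    for e in incidents.values():
        by_consequence.setdefault(e["consequence"], []).append(e)
    risk = 0.0
    for consequence, group in by_consequence.items():
        severities = {e["S"] for e in group}
        if len(severities) != 1:  # same consequence must carry one severity value
            raise ValueError(f"consequence {consequence!r} has inconsistent severities")
        severity = severities.pop()
        p_none = 1.0
        for e in group:
            p_none *= 1.0 - e["P"]          # no incident in the group occurs
        risk += severity * (1.0 - p_none)   # consequence occurs at least once
    return risk


def overcount(incidents):
    """Error attributable to accumulating a shared consequence several times."""
    return incident_level_risk(incidents) - consequence_level_risk(incidents)


if __name__ == "__main__":
    print("incident-level    R =", incident_level_risk(INCIDENTS))     # 100.0
    print("consequence-level R =", consequence_level_risk(INCIDENTS))  # 94.0
    print("overcount           =", overcount(INCIDENTS))               # 6.0
```

With the constructed values, e1 and e2 both cause production loss, so the incident-level sum charges the 100-unit severity twice (20 + 30), whereas the consequence-level form charges it once against the 0.44 probability that production is lost at all; the two forms agree only when every consequence has a single incident behind it.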
Many ICSs run constantly [4], [9], and therefore updates must be planned and scheduled days or weeks in advance. After the updates, exhaustive testing is necessary to ensure the high availability of the ICS [9]. As a result, the attack knowledge of ICSs cannot be updated in a timely manner, and several attack-knowledge-based risk assessments cannot work well on ICSs. Therefore, the risk assessment should have the ability to assess the risk caused by unknown attacks without corresponding attack knowledge.
Based on the above analysis, the requirements of cybersecurity risk assessment for ICSs can be summarized as follows. The risk assessment of ICSs needs the following.
1) A novel and targeted risk model to analyze the risk propagation.
2) A unified quantification approach to calculate the risk quantitatively without the error caused by the overlaps amongst consequences.
3) Finally, the ability to assess the risks caused by unknown attacks without corresponding attack knowledge.
B. Model-Based Risk Assessment
Although the aforementioned characteristics of ICSs bring more demanding requirements of risk assessment for ICSs, the characteristics of the function and structure of ICSs make some approaches which are hard to implement in IT systems work well. More specifically, the network structure, functions, and tasks of ICSs are usually relatively fixed [26]. Compared with IT systems, which are more flexible, building a system model for ICSs is relatively easy and does not require frequent updates or modifications. Therefore, model-based risk assessment is suitable for ICSs.
Throughout the history of cyberattacks on ICSs, it is noted that the main purpose of the attackers is to damage the control system. To achieve this destructive purpose, attackers generally need to complete part or all of the following three steps: 1) infiltrate the field network; 2) invalidate system functions; and/or 3) cause incidents. To assess the risk, it is necessary to model attacks, functions, and incidents.
One typical modeling approach for attacks that is widely used is the Bayesian network, which is a significant part of risk assessment. Poolsappasit et al. [23] and Xie et al. [27] established models of attack knowledge with the Bayesian network and used attack models to predict future attacks and assess the risk. Wrona and Hallingstad [28] used the Bayesian network to assess the connectivity risk of protected core networking.
Authorized licensed use limited to: Northcentral University. Downloaded on October 19,2021 at 14:01:47 UTC from IEEE Xplore. Restrictions apply.
1432 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS: SYSTEMS, VOL. 46, NO. 10, OCTOBER 2016
Szpyrka et al. [29] proposed a risk assessment approach for telecommunication networks by using the Bayesian network to analyze the impact of attacks on the work-flow. However, the Bayesian network has the defect of not containing information about unknown attacks, such as zero-day attacks. If the system is compromised by an unknown attack, the Bayesian network cannot predict its next step or potential impact.
The fault tree is the mainstream approach to model the relationship of functions. Fault tree analysis (FTA) is a top-down, deductive failure analysis approach [30]. FTA uses Boolean logic and anomaly events to analyze the undesired system state. FTA is mainly used in the fields of safety engineering and reliability engineering to assess system risk [31]–[35], but this type of risk refers to the potential loss caused by system faults rather than that caused by a cyberattack. It is noted that the fault tree model is rarely used in IT systems, such as the intranet, IoT, etc. This is because the structure and functions of IT systems often change with changes in the business.
An event tree is an effective way to describe the causal relationship of incidents. Event tree analysis (ETA) is a forward, bottom-up, logical modeling technique. Starting from a single initiating event, ETA can assess the probabilities of the outcomes. ETA can be applied to nuclear power plants, spacecraft, chemical plants, etc. Like FTA, ETA is often used in risk assessment [36]–[38]. Due to the flexibility of IT systems, ETA is not adaptable to IT systems. Like the event tree, a Petri net is also used to model the relationships among various kinds of events. Much research on risk assessment has been done with Petri nets. Cho et al. [39] used generalized stochastic Petri nets to model intrusion, failure, and repair events, and then analyzed the security and dependability of a control system. Fanti et al. [40] proposed a risk assessment framework by modeling accidents on highway networks with a colored timed Petri net. However, a Petri net may become too large to generate all states of the system. As a result, it can be difficult to analyze dynamically.
In recent years, several comprehensive methods for model-based risk assessment have been designed. Operationally critical threat, asset, and vulnerability evaluation (OCTAVE) [41] is an approach for identifying, assessing, and managing information security risks. OCTAVE can identify and assess the risk to critical assets and set an optimal security policy by analyzing multiple-domain knowledge. OCTAVE integrates many approaches, such as the aforementioned FTA and ETA, to model the threats. CORAS [42]–[44], which is built on many methods, such as hazard and operability study, FTA, Markov analysis, etc., is used to deal with complex systems such as ICSs. However, as these are static approaches to risk assessment, OCTAVE and CORAS cannot be adopted to assess the dynamic risk of ICSs.
C. Architecture of Cybersecurity Risk Assessment for ICSs
To meet the requirements of risk assessment for ICSs mentioned in Section II-A, a dynamic cybersecurity risk assessment based on the multimodel is proposed, which is shown in Fig. 1.
Fig. 1. Architecture of the dynamic cybersecurity risk of ICSs.
There are two kinds of inputs for dynamic cybersecurity risk assessment: 1) attack evidence and 2) anomaly evidence. Attack evidence, which contains information about the type, target, and timestamp of the detected attack, is derived from the IDS. Anomaly evidence, containing information about the anomaly, such as the invalidation of a function, the occurrence of a hazardous incident, etc., can be obtained from the supervisory system of the ICS.
Dynamic cybersecurity risk assessment is divided into two phases: 1) hazardous incident prediction and 2) risk assessment. During the hazardous incident prediction phase, attack evidence and anomaly evidence are collected and marked in a multilevel Bayesian network. Then, the probabilities of all the potential hazardous incidents can be calculated by analyzing the collected evidence and the multilevel Bayesian network. During the risk assessment phase, the consequences of hazardous incidents are first classified, and each type of consequence is quantified using the same unit. Second, the overlaps amongst hazardous incidents must be addressed so that the error caused by accumulating overlapping consequences can be eliminated. Finally, the probabilities and consequences of hazardous incidents are combined into the cybersecurity risk.
III. MULTIMODEL-BASED INCIDENT PREDICTION
In this section, the relationships between atom attacks in multistep attacks, the dependencies of system functions, and the causality of incidents are analyzed first. Then the multidomain knowledge is modeled as a multilevel Bayesian network. Finally, a multimodel-based hazardous incident prediction approach is introduced.
A. Bayesian Network-Based Knowledge Modeling
As mentioned in Section II-B, in order to achieve the destructive purpose, attackers generally need to follow part or all of these three steps: 1) infiltrate the field network; 2) invalidate system functions; and/or 3) cause incidents. Therefore, multidomain knowledge of malicious attacks, invalidation of functions, and occurrence of incidents should be considered, making it necessary to establish multiple models of attacks, system functions, and hazardous incidents.
ZHANG et al.: MULTIMODEL-BASED INCIDENT PREDICTION AND RISK ASSESSMENT 1433
Theoretically, probabilistic inference requires a joint probability distribution, but it suffers from exponential complexity in the number of variables. There are various potential attacks, many system functions, and a great number of unanticipated incidents, making the joint probability distribution too large to be available. The Bayesian network was developed to solve this problem, as it can split the complicated joint probability distribution into a series of simple nodes, which reduces the difficulty of knowledge acquisition and the complexity of probabilistic inference. The Bayesian network is widely used in fault diagnosis [45], decision-theoretic troubleshooting [46], etc.
As mentioned previously, in order to predict the occurrences of incidents, attack, function, and incident knowledge should be modeled. In this paper, to facilitate the inferences, these three types of knowledge are converted into a multilevel Bayesian network, which consists of four parts: 1) attack level; 2) function level; 3) incident level; and 4) information transfer between levels. The modeling procedures of these four parts are described in detail as follows.
1) Attack Level: Cyberattacks are becoming increasingly complex, especially when the target is an ICS characterized by a layered architecture that integrates several security technologies. These contexts can be violated by a multistep attack, which is a complex attack strategy comprised of multiple correlated atom attacks. To launch an atom attack, all conditions of this attack must be satisfied. If an atom attack works, the attacker will obtain some resources which may be the conditions of other atom attacks. The purpose of launching any atom attack is to prepare for subsequent atom attacks. To describe the atom attacks of a multistep attack with the Bayesian network, two sorts of nodes are proposed: 1) an atom attack node and 2) a resource node.
In this paper, the Bayesian network is used to describe the relationships between attack nodes and resource nodes. There are two steps to generate a Bayesian network: 1) generating a directed acyclic graph (DAG) and 2) generating a conditional probability table for each node in the DAG.
Through vulnerability scanning, the vulnerabilities of an ICS can be obtained. Then all possible attack scenarios are enumerated using the information on system vulnerabilities. Next, the conditions and results of each atom attack in the attack scenarios are analyzed. Assuming there are $m$ atom attacks and $n$ resources, an $(m+n)\times(m+n)$ incidence matrix $[A_{i,j}]$ can be established. If the conditions of an atom attack $a_j$ are $r_{i_1}, r_{i_2}, \dots, r_{i_x}$, then let $A_{i_k,j} = 1$, where $k = 1, 2, \dots, x$. If the attacker can obtain the resources $r_{j_1}, r_{j_2}, \dots, r_{j_y}$ by launching an atom attack $a_i$, then let $A_{i,j_k} = 1$, where $k = 1, 2, \dots, y$. Finally, a DAG that is described by the incidence matrix $[A_{i,j}]$ can be generated.
Assume there are $n$ resource nodes, $r_1, r_2, \dots, r_n$, pointing to the attack node $a_i$; in other words, attack node $a_i$ has $n$ parent nodes. The Bayesian network adopts a conditional probability table to depict the condition of attack $a_i$, which is shown in Table I.
In general, satisfying the condition of an attack does not mean that the attacker must launch the attack, so the Bayesian network uses $�_{a_i}$ to describe the probability of launching an attack $a_i$. The probability of launching an attack $a_i$ is shown in Table II.
To simplify the Bayesian network, Tables I and II can be merged into one table, as shown in Table III, where $l_{a_i,x} = �_{a_i}\, c_{a_i,x}$, $x = 1, 2, \dots, 2^n$.
TABLE I
CONDITION OF ATTACK $a_i$
TABLE II
PROBABILITIES OF LAUNCHING ATTACK $a_i$
TABLE III
CONDITIONAL PROBABILITY OF $a_i$
TABLE IV
PROBABILITIES OF OBTAINING RESOURCE $r_j$
Assuming that the resource node $r_j$ has $m$ parent nodes $a_1, a_2, \dots, a_m$, and the attacker has launched several of the attacks $a_1, a_2, \dots, a_m$, he will have a chance to obtain the resource $r_j$. The probabilities of obtaining resource $r_j$ are shown in Table IV.
The aforementioned parameters, such as $\mathit{or}_{i,j}$, $c_{a_i,j}$, and $�_{a_i}$, can be obtained from statistical analysis of historical data or from experts in the cybersecurity field.
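The two attack-level steps described above, generating the DAG from the incidence matrix and attaching per-node probabilities, as an added worked example (illustrative code written for this discussion, not the paper's own implementation). The three atom attacks, four resources, and every numeric value are constructed; the propagation rule is a deliberately simplified assumption (an attack fires with its launch probability times the product of its condition probabilities, a resource combines its attack parents noisy-OR style, parents treated as independent), not the conditional probability tables of Tables I–IV.

```python
"""Constructed example: attack-level DAG from the (m+n) x (m+n) incidence
matrix, an acyclicity check, and a simplified forward propagation.
Added illustration, not the paper's own code; all values are assumed."""
from collections import deque

# Constructed atom attacks: conditions (resources needed), results (resources
# gained) and lambda, the assumed probability that the attacker launches the
# attack once its conditions hold.  Resources, at a generic level:
#   r0 = field network reachable from outside (given as initial evidence)
#   r1 = foothold on an engineering workstation
#   r2 = controller credentials
#   r3 = ability to alter controller logic
ATTACKS = {
    "a1": {"needs": ["r0"],       "gives": ["r1"], "launch": 0.9},
    "a2": {"needs": ["r1"],       "gives": ["r2"], "launch": 0.6},
    "a3": {"needs": ["r1", "r2"], "gives": ["r3"], "launch": 0.4},
}
RESOURCES = ["r0", "r1", "r2", "r3"]
# Assumed probability that a launched attack actually yields the resource.
OBTAIN = {("a1", "r1"): 0.8, ("a2", "r2"): 0.7, ("a3", "r3"): 0.9}


def incidence_matrix(attacks, resources):
    """Rows/columns: the m attacks followed by the n resources; A[i][j] = 1
    means an edge from node i to node j."""
    names = list(attacks) + list(resources)
    idx = {name: k for k, name in enumerate(names)}
    size = len(names)
    A = [[0] * size for _ in range(size)]
    for a_j, spec in attacks.items():
        for r in spec["needs"]:          # condition r_ik of a_j:  A[i_k][j] = 1
            A[idx[r]][idx[a_j]] = 1
        for r in spec["gives"]:          # result r_jk of a_j:     A[j][j_k] = 1
            A[idx[a_j]][idx[r]] = 1
    return names, A


def topological_order(names, A):
    """Kahn's algorithm; raises if the matrix describes a cycle (not a DAG)."""
    size = len(names)
    indeg = [sum(A[i][j] for i in range(size)) for j in range(size)]
    ready = deque(j for j in range(size) if indeg[j] == 0)
    order = []
    while ready:
        u = ready.popleft()
        order.append(u)
        for v in range(size):
            if A[u][v]:
                indeg[v] -= 1
                if indeg[v] == 0:
                    ready.append(v)
    if len(order) != size:
        raise ValueError("incidence matrix contains a cycle; not a DAG")
    return [names[k] for k in order]


def is_dag(attacks, resources):
    try:
        topological_order(*incidence_matrix(attacks, resources))
        return True
    except ValueError:
        return False


def propagate(attacks, resources, obtain, initial):
    """Forward marginals in topological order under the stated assumptions:
    attack = launch * product(condition probabilities); resource = noisy-OR
    over the attacks that yield it; parents treated as independent."""
    names, A = incidence_matrix(attacks, resources)
    idx = {name: k for k, name in enumerate(names)}
    p = {r: initial.get(r, 0.0) for r in resources}
    for node in topological_order(names, A):
        parents = [names[i] for i in range(len(names)) if A[i][idx[node]]]
        if node in attacks:
            cond = 1.0
            for r in parents:
                cond *= p[r]
            p[node] = attacks[node]["launch"] * cond
        elif parents:
            p_miss = 1.0
            for a in parents:
                p_miss *= 1.0 - obtain[(a, node)] * p[a]
            p[node] = max(p[node], 1.0 - p_miss)
    return p


if __name__ == "__main__":
    print(topological_order(*incidence_matrix(ATTACKS, RESOURCES)))
    print(propagate(ATTACKS, RESOURCES, OBTAIN, {"r0": 1.0}))  # r3 ~ 0.0784
```

The independence shortcut is exactly what a real Bayesian network avoids: r1 and r2 are not independent (r2 depends on r1), so a full conditional probability table per node, as the paper prescribes, would give a different marginal for a3. The matrix construction and the acyclicity check, however, are what Section III-A requires before any table can be attached.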
2) Function Level: ICSs usually have tightly coupled physical systems. If a function becomes invalid due to malicious attacks, it may cause other functions to become invalid, too. This phenomenon is called cascading failure. FTA is used extensively to analyze the cascading failure of a control system [47]–[49]. The main objectives of FTA are as follows.
1) To identify all possible combinations of basic events that may result in a critical event in the system.
2) To find the probability that the critical event will occur during a specified time interval, or the frequency of the critical event.
3) To identify aspects of the system which need to be improved in order to reduce the probability of the critical event.
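The three FTA objectives just listed, as an added worked example on a constructed fault tree (illustrative code for this discussion, not the paper's own model or data): minimal cut sets for objective 1, the exact top-event probability for objective 2, and the probability reduction obtained by preventing one basic event for objective 3. The tree shape, the event names, and the probabilities are assumptions; basic events are assumed independent of each other.

```python
"""Constructed example of fault tree analysis for the function level.
Added illustration, not the paper's own code; tree and values are assumed."""
from itertools import product

# A gate is ("AND" | "OR", [children]); a basic event is a string.
# Constructed top event: loss of the plant's control function.
TREE = ("OR", [
    ("AND", ["hmi_compromised", "plc_auth_disabled"]),
    ("AND", ["hmi_compromised", ("OR", ["plc_auth_disabled", "eng_station_compromised"])]),
    "safety_plc_bypassed",
])
# Assumed per-interval probabilities of the basic events.
BASIC_P = {"hmi_compromised": 0.10, "plc_auth_disabled": 0.50,
           "eng_station_compromised": 0.20, "safety_plc_bypassed": 0.02}


def basic_events(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))


def evaluate(node, state):
    """Boolean value of the tree for one assignment of the basic events."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    values = [evaluate(c, state) for c in children]
    return all(values) if gate == "AND" else any(values)


def top_event_probability(tree, p):
    """Exact probability by enumerating all 2^n states of the basic events.
    Correct even when one event appears under several gates (which breaks
    the simple gate-by-gate product/sum formulas); assumes independent events."""
    events = sorted(basic_events(tree))
    total = 0.0
    for bits in product([False, True], repeat=len(events)):
        state = dict(zip(events, bits))
        if evaluate(tree, state):
            weight = 1.0
            for e, on in state.items():
                weight *= p[e] if on else 1.0 - p[e]
            total += weight
    return total


def minimal_cut_sets(node):
    """Objective 1: OR unions its children's cut sets, AND joins one cut set
    from each child; supersets are dropped so only minimal cut sets remain."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        cuts = set().union(*child_sets)
    else:
        cuts = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {c for c in cuts if not any(o < c for o in cuts)}


def risk_reduction(tree, p, event):
    """Objective 3: drop in top-event probability if `event` is prevented."""
    return top_event_probability(tree, p) - top_event_probability(tree, {**p, event: 0.0})


if __name__ == "__main__":
    for cut in sorted(minimal_cut_sets(TREE), key=sorted):
        print("cut set:", sorted(cut))
    print("P(top) =", round(top_event_probability(TREE, BASIC_P), 6))   # 0.0788
    for e in sorted(BASIC_P):
        print(f"prevent {e:25s} -> reduction {risk_reduction(TREE, BASIC_P, e):.4f}")
```

On the constructed tree the minimal cut sets are {hmi_compromised, plc_auth_disabled}, {hmi_compromised, eng_station_compromised} and {safety_plc_bypassed}; the top event has probability 0.0788, and preventing hmi_compromised removes more of that (0.0588) than preventing safety_plc_bypassed (0.0188), because it sits in two of the three cut sets. That ranking is the input a defender wants from objective 3.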
There are many methods involved in establishing a fault tree; therefore, the …