This article details a framework and methodology to risk-inform the decisions of an unsupervised cyber controller. A risk assessment methodology within this framework uses a combination of fault trees, event trees, and attack graphs to trace and map cyber elements with business processes. The methodology attempts to prevent and mitigate cyberattacks by using adaptive controllers that proactively reconfigure a network based on actionable risk estimates. The estimates are based on vulnerabilities and potential business consequences. A generic enterprise-control system is used to demonstrate the wide applicability of the methodology. In addition, data needs, implementation, and potential pitfalls are discussed.

References

1.
Utne
,
I. B.
,
Sørensen
,
A. J.
, and
Schjølberg
,
I.
,
2017
, “
Risk Management of Autonomous Marine Systems and Operations
,”
ASME 2017 36th International Conference on Ocean, Offshore and Arctic Engineering
,
American Society of Mechanical Engineers
,
New York
.
2.
Hassani
,
V.
,
Crasta
,
N.
, and
Pascoal
,
A. M.
,
2017
, “
Cyber Security Issues in Navigation Systems of Marine Vessels From a Control Perspective
,”
ASME 2017 36th International Conference on Ocean, Offshore and Arctic Engineering
.
American Society of Mechanical Engineers
,
New York
.
3.
Radisavljevic-Gajic
,
V.
,
Park
,
S.
, and
Chasaki
,
D.
,
2017
, “
Vulnerabilities of Cyber-Physical Linear Control Systems to Sophisticated Attacks
,”
ASME 2017 Dynamic Systems and Control Conference
.
American Society of Mechanical Engineers
,
New York
.
4.
Zelinko
,
I.
,
Kharchenko
,
V.
, and
Leontiev
,
K.
,
2017
,
Cyber Security Assessment of Component Off-the-Shelf Based NPP I&C System Using IMECA Technique
,”
2017 25th International Conference on Nuclear Engineering
.
American Society of Mechanical Engineers
,
New York
.
5.
Minoli
,
D.
, and
Occhiogrosso
,
B.
,
2017
, “
Internet of Things (IoT)-Based Apparatus and Method for Rail Crossing Alerting of Static or Dynamic Rail Track Intrusions
,”
2017 Joint Rail Conference
.
American Society of Mechanical Engineers
,
New York
.
6.
Cybenko
,
G.
,
Jajodia
,
S.
,
Wellman
,
M. P.
, and
Liu
,
P.
,
2014
, “
Adversarial and Uncertain Reasoning for Adaptive Cyber Defense: Building the Scientific Foundation
,”
International Conference on Information Systems Security
,
Springer
,
New York
, pp.
1
8
.
7.
Sarkar
,
S.
,
2011
,
Autonomous Perception and Decision Making in Cyber-Physical Systems
, Doctoral dissertation,
The Pennsylvania State University
,
PA
.
8.
Ezell
,
B. C.
,
1998
,
Risks of Cyber Attack to Supervisory Control and Data Acquisition for Water Supply
, M.S. thesis,
University of Virginia
,
Charlottesville, VA
.
9.
Boyer
,
S. A.
,
1993
,
SCADA: Supervisory Control and Data Acquisition, Instrumentation Society of America
,
Research Triangle Park
,
Research Triangle, NC
.
10.
Oveisi
,
S.
, and
Ravanmehr
,
R.
,
2017
, “
SFTA-Based Approach for Safety/Reliability Analysis of Operational Use-Cases in Cyber-Physical Systems
,”
ASME J. Comput. Inf. Sci. Eng.
,
17
(
3
), p.
031018
.
11.
Ralston
,
P. A.
,
Graham
,
J. H.
, and
Hieb
,
J. L.
,
2007
, “
Cyber Security Risk Assessment for SCADA and DCS Networks
,”
ISA Trans.
,
46
(
4
), pp.
583
594
.
12.
Kaplan
,
S.
, and
Garrick
,
B. J.
,
1981
, “
On the Quantitative Definition of Risk
,”
Risk Anal.
,
1
(
1
), pp.
11
27
.
13.
Cherdantseva
,
Y.
,
Burnap
,
P.
,
Blyth
,
A.
,
Eden
,
P.
,
Jones
,
K.
,
Soulsby
,
H.
, and
Stoddart
,
K.
,
2016
, “
A Review of Cyber Security Risk Assessment Methods for SCADA Systems
,”
Comput. Secur.
,
56
, pp.
1
27
.
14.
Verma
,
A. K.
,
Ajit
,
S.
, and
Karanki
,
D. R.
,
2010
,
Reliability and Safety Engineering
, Vol.
43
,
Springer
,
New York
.
15.
Wu
,
W.
,
Kang
,
R.
, and
Li
,
Z.
,
2015
, “
Risk Assessment Method for Cybersecurity of Cyber-Physical Systems Based on Inter-Dependency of Vulnerabilities
,”
2015 IEEE International Conference on Industrial Engineering and Engineering Management (IEEM)
,
IEEE
,
New York
.
16.
Mosleh
,
A.
,
2014
, “
PRA: A Perspective on Strengths, Current Limitations, and Possible Improvements
,”
Nucl. Eng. Technol.
,
46
(
1
), pp.
1
10
.
17.
Wood
,
R. T.
,
Upadhyaya
,
B. R.
, and
Floyd
,
D. C.
,
2017
, “
An Autonomous Control Framework for Advanced Reactors
,”
Nucl. Eng. Technol.
,
49
(
5
), pp.
896
904
.
18.
Cahn
,
A.
,
Hoyos
,
J.
,
Hulse
,
M.
, and
Keller
,
E.
,
2013
, “
Software-Defined Energy Communication Networks: From Substation Automation to Future Smart Grids
,”
2013 IEEE International Conference on Smart Grid Communications (SmartGridComm)
,
IEEE
,
New York
.
19.
Moreira
,
N.
,
Molina
,
E.
,
Lázaro
,
J.
,
Jacob
,
E.
, and
Astarloa
,
A.
,
2016
, “
Cyber-Security in Substation Automation Systems
,”
Renew. Sustainable Energy Rev.
,
54
, pp.
1552
1562
.
20.
Helgoson
,
M.
,
Westlin
,
P.
, and
Kalhori
,
V.
,
2017
, “
Cyber Integrated Metrology, Learning and Evaluation System: An Approach Towards Smart Factories
,”
ASME 2017 International Mechanical Engineering Congress and Exposition
,
American Society of Mechanical Engineers
,
New York
.
21.
Jeschke
,
S.
,
Brecher
,
C.
,
Meisen
,
T.
,
Özdemir
,
D.
, and
Eschert
,
T.
,
2017
, “
Industrial Internet of Things and Cyber Manufacturing Systems
,”
Industrial Internet of Things
,
Springer
,
New York
, pp.
3
19
.
22.
Wells
,
L. J.
,
Camelio
,
J. A.
,
Williams
,
C. B.
, and
White
,
J.
,
2014
, “
Cyber-Physical Security Challenges in Manufacturing Systems
,”
Manuf. Lett.
,
2
(
2
), pp.
74
77
.
23.
Odonkor
,
P.
,
Ball
,
Z.
, and
Chowdhury
,
S.
,
2017
, “
A Distributed Intelligence Approach to Using Collaborating Unmanned Aerial Vehicles for Oil Spill Mapping
,”
ASME 2017 International Design Engineering Technical Conferences and Computers and Information in Engineering Conference
,
American Society of Mechanical Engineers
,
New York
.
24.
Ueland
,
E. S.
,
Skjetne
,
R.
, and
Dahl
,
A. R.
,
2017
, “
Marine Autonomous Exploration Using a Lidar and SLAM
,”
ASME 2017 36th International Conference on Ocean, Offshore and Arctic Engineering
,
American Society of Mechanical Engineers
,
New York
.
25.
Church
,
P.
,
Mueller
,
H.
,
Ryan
,
C.
,
Gogouvitis
,
S. V.
,
Goscinski
,
A.
,
Haitof
,
H.
, and
Tari
,
Z.
,
2017
, “SCADA Systems in the Cloud,”
Handbook of Big Data Technologies
,
Springer
,
New York
, pp.
691
718
.
26.
Sajid
,
A.
,
Abbas
,
H.
, and
Saleem
,
K.
,
2016
, “
Cloud-Assisted IoT-Based SCADA Systems Security: A review of the State of the Art and Future Challenges
,”
IEEE Access
,
4
, pp.
1375
1384
.
27.
Williams
,
T.
,
1998
, “The Purdue Enterprise Reference Architecture and Methodology (PERA),”
Handbook of Life Cycle Engineering: Concepts, Models, and Technologies
,
Purdue University
,
West Lafayette, IN
.
28.
Wang
,
L.
,
Islam
,
T.
,
Long
,
T.
,
Singhal
,
A.
, and
Jajodia
,
S.
,
2008
, “
An Attack Graph-Based Probabilistic Security Metric
,”
Lect. Notes Comput. Sci.
,
5094
, pp.
283
296
.
29.
Byres
,
E. J.
,
Franz
,
M.
, and
Miller
,
D.
,
2004
, “
The Use of Attack Trees in Assessing Vulnerabilities in SCADA Systems
,”
Proceedings of the International Infrastructure Survivability Workshop (IISW'04)
,
Lisbon, Portugal
,
Dec. 5–8
.
30.
Karnouskos
,
S.
,
2011
, “
Stuxnet Worm Impact on Industrial Cyber-Physical System Security
,”
IECON 2011-37th Annual Conference on IEEE Industrial Electronics Society
,
IEEE
,
New York
, pp.
4490
4494
.
31.
Lu
,
W.
,
Miller
,
M.
, and
Xue
,
L.
,
2017
, “
Detecting Command and Control Channel of Botnets in Cloud
,”
International Conference on Intelligent, Secure, and Dependable Systems in Distributed and Cloud Environments
,
Springer
,
New York
.
32.
Atighetchi
,
M.
,
Pal
,
P.
,
Webber
,
F.
, and
Jones
,
C.
,
2003
, “
Adaptive use of Network-Centric Mechanisms in Cyber-Defense
,”
Object-Oriented Real-Time Distributed Computing, 2003. Sixth IEEE International Symposium on
,
IEEE
,
New York
, pp.
183
192
.
33.
Macaulay
,
T.
, and
Singer
,
B. L.
,
2011
,
Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS
,
CRC Press
,
Boca Raton
.
34.
Cebula
,
J. L.
, and
Young
,
L. R.
,
2010
,
A Taxonomy of Operational Cyber Security Risks
,
Carnegie-Mellon Univ, Software Engineering Institute
,
Pittsburgh, PA
.
35.
Garrick
,
B. J.
,
Hall
,
J. E.
,
Kilger
,
M.
,
McDonald
,
J. C.
,
O’Toole
,
T.
,
Probst
,
P. S.
,
Parker
,
E. R.
,
Rosenthal
,
R.
,
Trivelpiece
,
A. W.
, and
Van Arsdale
,
L. A.
,
2004
, “
Confronting the Risks of Terrorism: Making the Right Decisions
,”
Reliab. Eng. Syst. Saf.
,
86
(
2
), pp.
129
176
.
36.
Whyte
,
D. L.
,
2017
,
Using a Systems-Theoretic Approach to Analyze Cyber Attacks on Cyber-Physical Systems
,
Massachusetts Institute of Technology
,
Cambridge, MA
.
37.
Team
,
C.
,
2015
,
Common Vulnerability Scoring System v3.0: Specification Document
. First.org.
38.
FIRST
.
Common Vulnerability Scoring System Version 3.0 Calculator
. [cited 2018 09/02/2018]; CVSSv3 score for Sandworm vulnerability in Windows OLE (CVE-2014-4114) with CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]. Available from: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C.
39.
Frigault
,
M.
,
Wang
,
L.
,
Singhal
,
A.
, and
Jajodia
,
S.
,
2008
, “
Measuring Network Security Using Dynamic Bayesian Network
,”
Proceedings of the 4th ACM Workshop on Quality of Protection
,
Alexandria, VA
.
40.
Reddy
,
R. K. D.
,
Doddi
,
S. R.
,
Kutare
,
M. K.
, and
Briguet
,
C.
,
2017
,
Security Feature Extraction for a Network
,
Google Patents
15/331,650.
41.
Rosa
,
L.
,
Alves
,
P.
,
Cruz
,
T.
,
Simões
,
P.
, and
Monteiro
,
E.
,
2015
, “
A Comparative Study of Correlation Engines for Security Event Management
,”
ICCWS 2015-The Proceedings of the 10th International Conference on Cyber Warfare and Security: ICCWS2015
,
Academic Conferences Limited
.
42.
Chakrabarti
,
A.
, and
Lindemann
,
U.
,
2016
,
Impact of Design Research on Industrial Practice
,
Springer
,
New York
.
43.
Russell
,
K.
,
Kvarfordt
,
K.
, and
Hoffman
,
C.
1995
,
Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE), Version 5.0
.
EG and G Idaho, Inc., Idaho Falls, ID (United States); Nuclear Regulatory Commission
,
Washington, DC
. Office of Nuclear Regulatory Research.
44.
EPRI
,
2014
,
Computer Aided Fault Tree Analysis System (CAFTA), Version 6.0b
. Available from: https://www.epri.com/#/pages/product/3002004316/.
45.
Ruijters
,
E.
, and
Stoelinga
,
M.
,
2015
, “
Fault Tree Analysis: A Survey of the State-of-the-Art in Modeling, Analysis and Tools
,”
Comput. Sci. Rev.
,
15
, pp.
29
62
.
46.
Turk
,
R. J.
,
2005
,
Cyber Incidents Involving Control Systems
,
Idaho National Laboratory (INL)
,
Idaho Falls, ID
.
You do not currently have access to this content.