Attack Path Analysis and Cost-Efficient Selection of Cybersecurity Controls for Complex Cyberphysical Systems

Abstract: The increasing integration of information technology with operational technology leads to the formation of Cyber-Physical Systems (CPSs) that intertwine physical and cyber components and connect to each other. This interconnection enables the offering of functionality beyond the combined offering of each individual component, but at the same time increases the cyber risk of the overall system, as such risk propagates between and aggregates at component systems. The complexity of the resulting systems in many c… Show more

“…• We extend our previous works described in [11,12] towards a comprehensive risk management framework for CPS. Our main goal is to identify and assess the risk derived from the combined cyber and physical interactions, as well as producing the optimal set of security controls to effectively minimize the derived risk.…”

“…By leveraging a genetic algorithm approach, the most effective and efficient security controls per CPS component are identified. Building upon the results of the aforementioned work, we extend the methodology to analyze attack paths between CPSs and improve the security control selection process to identify a set of security controls that minimizes both the residual risk and the cost [12] . Overall, the phases of the aforementioned works are the stepping stones for the methodology proposed herein.…”

“…The proposed methodology analyzes all the controls identified for all systems, to produce an effective set of security control for the overall infrastructure. The process that enables the elicitation of controls that are effective for more than threats is proposed in [12] . Namely, the process takes for granted that the controls identified in the previous steps are implemented for each threat by leveraging a cascading application of the genetic algorithm approach.…”

“…Particularly, we propose a methodology to analyze security risks considering system vulnerabilities and threats and the aggregate risks between the systems, as well as identifying the optimal security controls to minimize the risks posed by the aforementioned security issues. The proposed methodology leverages the novel risk assessment methodology for assessing IoT-enabled cyber-physical attack paths proposed in [11] and the risk assessment and treatment methodology proposed in [12] . Namely, a comprehensive risk management framework for CPS is proposed combining the steps and phases from the aforementioned approaches.…”

“…Further details about the method used and the aforementioned equations are omitted in the interest of saving space and can be found in [12,13] .…”

Risk assessment and control selection for cyber-physical systems: a case study on supply chain tracking systems

“…• We extend our previous works described in [11,12] towards a comprehensive risk management framework for CPS. Our main goal is to identify and assess the risk derived from the combined cyber and physical interactions, as well as producing the optimal set of security controls to effectively minimize the derived risk.…”

“…By leveraging a genetic algorithm approach, the most effective and efficient security controls per CPS component are identified. Building upon the results of the aforementioned work, we extend the methodology to analyze attack paths between CPSs and improve the security control selection process to identify a set of security controls that minimizes both the residual risk and the cost [12] . Overall, the phases of the aforementioned works are the stepping stones for the methodology proposed herein.…”

“…The proposed methodology analyzes all the controls identified for all systems, to produce an effective set of security control for the overall infrastructure. The process that enables the elicitation of controls that are effective for more than threats is proposed in [12] . Namely, the process takes for granted that the controls identified in the previous steps are implemented for each threat by leveraging a cascading application of the genetic algorithm approach.…”

“…Particularly, we propose a methodology to analyze security risks considering system vulnerabilities and threats and the aggregate risks between the systems, as well as identifying the optimal security controls to minimize the risks posed by the aforementioned security issues. The proposed methodology leverages the novel risk assessment methodology for assessing IoT-enabled cyber-physical attack paths proposed in [11] and the risk assessment and treatment methodology proposed in [12] . Namely, a comprehensive risk management framework for CPS is proposed combining the steps and phases from the aforementioned approaches.…”

“…Further details about the method used and the aforementioned equations are omitted in the interest of saving space and can be found in [12,13] .…”

Risk assessment and control selection for cyber-physical systems: a case study on supply chain tracking systems