A Method for Assessing the Security Risk in Cyber-Physical Systems with Incomplete Information Using Bayesian Game Theory

Document Type : Original Article

Author

Assistant Professor, Department of Computer Engineering, Technical and Vocational University (TVU), Tehran, Iran.

Abstract

In recent years, with the development and advancement of various aspects of information, we have witnessed the introduction of new technologies in various sectors of life and industry. The industrial sector has been most impacted with many critical infrastructures based on new technologies. On the other hand, the increasing complexity of these sectors has made the task of managing and maintaining safety much more difficult than before, so that in recent years the issue of security in industrial systems, particularly in critical and complex infrastructure, has become one of the major challenges. An attack on these systems can have adverse physical effects and consequences on equipment, products, service outages, and even human health. In this paper, a method for modeling and assessing the security risk in cyber-physical systems is presented. In this method, the interaction between the system and the attacker was modeled as a Bayesian game with incomplete information. The considered security parameters were divided into two categories of attack and defensive parameters and the attacker and the system behavior predicted using the proposed model. The inputs of this model were control components, process model, system and attack parameters, and its outputs were quantitative values for security risk metric.

Keywords

Main Subjects

References

[1] Hu, F., Lu, Y., Vasilakos, A. V., Hao, Q., Ma, R., Patil, Y., Zhang, T., Lu, J., Li, X., & Xiong, N. N. (2016). Robust Cyber–Physical Systems: Concept, models, and implementation. Future Generation Computer Systems, 56(1), 449-475. https://doi .org/10.1016/j.future.2015.06.006
[2] Krotofil, M., & Larsen, J. (2014). Are You Threatening My Hazards? In Advances in Information and Computer Security: 9th International Workshop on Security, IWSEC 2014, Hirosaki, Japan, August 27-29, 2014. Proceedings. Springer, Cham. https://doi.org/10.1007/978-3-319-09843-2_2
[3] Kopetz, H., & Sytems, R-T. (2011). Real-Time Systems: Design Principles for Distributed Embedded Applications (2 ed.). Springer New York. https://doi.org/10.1007/978-1-4419-8237-7
[4] Li, H., Lai, L., & Poor, H. V. (2012). Multicast Routing for Decentralized Control of Cyber Physical Systems with an Application in Smart Grid. IEEE Journal on Selected Areas in Communications, 30(6), 1097-1107. https://doi.org/10.1109/JSA C.2012.120708
[5] Jagtap, S. S., VS, S. S., & Subramaniyaswamy, V. (2021). A hypergraph based Kohonen map for detecting intrusions over cyber–physical systems traffic. Future Generation Computer Systems, 119, 84-109. https://doi.org/10.1016/j.future.2021.02.001
[6] Orojloo, H., & Abdollahi Azgomi, M. (2019). Modelling and evaluation of the security of cyber-physical systems using stochastic Petri nets. The Institution of Engineering and Technology Cyber-Physical Systems: Theory & Applications, 4(1), 50-57. https://doi.org/ 10.1049/iet-cps.2018.0008
[7] Orojloo, H., & Abdollahi Azgomi, M. (2017). A method for evaluating the consequence propagation of security attacks in cyber–physical systems. Future Generation Computer Systems, 67, 57-71. https://doi.org/10.1016/j.future.2016.07.016
[8] Cui, Y., Quddus, N., & Mashuga, C. V. (2020). Bayesian network and game theory risk assessment model for third-party damage to oil and gas pipelines. Process Safety and Environmental Protection, 134, 178-188. https://doi.org/10.1016/j.psep.2019. 11.038
[9] Liang, X., & Xiao, Y. (2013). Game Theory for Network Security. IEEE Communications Surveys & Tutorials, 15(1), 472-486. https://doi.org/10.1109/SURV.2012.062612.00056
[10] Abapour, S., Mohammadi-Ivatloo, B., & Tarafdar Hagh, M. (2020). A Bayesian game theoretic based bidding strategy for demand response aggregators in electricity markets. Sustainable Cities and Society, 54, 101787. https://doi.org/10.1016/j.scs.2019.101787
[11] Dahiya, A., & Gupta, B. B. (2021). A reputation score policy and Bayesian game theory based incentivized mechanism for DDoS attacks mitigation and cyber defense. Future Generation Computer Systems, 117, 193-204. https://doi.org/10.10 16/j.future.2020.11.027
[12] Ashok, A., Hahn, A., & Govindarasu, M. (2014). Cyber-physical security of Wide-Area Monitoring, Protection and Control in a smart grid environment. Journal of Advanced Research, 5(4), 481-489. https://doi.org/10.1016/j.jare.2013.12.005
[13] Ma, C. Y. T., Rao, N. S. V., & Yau, D. K. Y. (2011, April 10-15). A game theoretic study of attack and defense in cyber-physical systems. 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Shanghai, China https://doi.org/10.1109/INFCOMW.2011.5928904
[14] Vigo, R., Bruni, A., & Yüksel, E. (2013). Security Games for Cyber-Physical Systems. In Secure IT Systems: 18th Nordic Conference, NordSec 2013, Ilulissat, Greenland, October 18-21, 2013, Proceedings. Springer Berlin Heidelberg. https://doi.org/10.1007/9 78-3-642-41488-6_2
[15] He, F., Zhuang, J., & Rao, N. S. (2012, May 19-23). Game-theoretic analysis of attack and defense in cyber-physical network infrastructures. IIE Annual Conference. Proceedings, Hilton Bonnet Creek, Orlando, Florida United States. http://citeseerx. ist.psu.edu/viewdoc/download?doi=10.1.1.719.2652&rep=rep1&type=pdf
[16] Krotofil, M., Cárdenas, A., Larsen, J., & Gollmann, D. (2014). Vulnerabilities of cyber-physical systems to stale data—Determining the optimal time to launch attacks. International Journal of Critical Infrastructure Protection, 7(4), 213-232. https://doi.org/10.1016/j.ijcip.2014.10.003
[17] Yampolskiy, M., Horváth, P., Koutsoukos, X. D., Xue, Y., & Sztipanovits, J. (2015). A language for describing attacks on cyber-physical systems. International Journal of Critical Infrastructure Protection, 8, 40-52. https://doi.org/10.1016/j.ijcip.2014.09.003
[18] Mitchell, R., & Chen, I. (2016). Modeling and Analysis of Attacks and Counter Defense Mechanisms for Cyber Physical Systems. IEEE Transactions on Reliability, 65(1), 350-358. https://doi.org/10.1109/TR.2015.2406860
[19] Tantawy, A., Abdelwahed, S., Erradi, A., & Shaban, K. (2020). Model-based risk assessment for cyber physical systems security. Computers & Security, 96, 101864. https://doi.org/10 .1016/j.cose.2020.101864
[20] Alguliyev, R., Imamverdiyev, Y., & Sukhostat, L. (2018). Cyber-physical systems and their security issues. Computers in Industry, 100(1), 212-223. https://doi.org/10.10 16/j.compind.2018.04.017
[21] Orojloo, H., & Abdollahi Azgomi, M. (2016). Predicting the behavior of attackers and the consequences of attacks against cyber-physical systems. Security and Communication Networks, 9(18), 6111-6136. https://doi.org/10.1002/sec.1761
[22] Orojloo, H., & Abdollahi Azgomi, M. (2018). A Stochastic Game Model for Evaluating the Impacts of Security Attacks Against Cyber-Physical Systems. Journal of Network and Systems Management, 26(4), 929-965. https://doi.org/10.1007/s10922-018-9449-0
[23] Orojloo, H., & Abdollahi Azgomi, M. (2017). A game-theoretic approach to model and quantify the security of cyber-physical systems. Computers in Industry, 88, 44-57. https://doi.org/10.1016/j.compind.2017.03.007
[24] Tripathi, D., Singh, L. K., Tripathi, A. K., & Chaturvedi, A. (2021). Model based security verification of Cyber-Physical System based on Petrinet: A case study of Nuclear power plant. Annals of Nuclear Energy, 159, 108306. https://doi.org/10.1016/j.anucene.2021.10 8306
[25] Kholidy, H. A. (2021). Autonomous mitigation of cyber risks in the Cyber–Physical Systems. Future Generation Computer Systems, 115(10), 171-187. https://doi.org/ 10.1016/j.future.2020.09.002
[26] Sánchez Rodríguez, M. Á., Bermejo Higuera, J., Bermejo Higuera, J. R., Sicilia Montalvo, J. A., & González Crespo, R. (2021). A systematic approach to analysis for assessing the security level of cyber-physical systems in the electricity sector. Microprocessors and Microsystems, 87(1), 104352. https://doi.org/10.1016/j.micpr o.2021.104352
[27] Ahmed Jamal, A., Mustafa Majid, A-A., Konev, A., Kosachenko, T., & Shelupanov, A. (2021). A review on security analysis of cyber physical systems using Machine learning. Materials Today: Proceedings, -(-), -. https://doi.org/10.1016/j.matpr.202 1.06.320
[28] Dong, L., Xu, H., Wei, X., & Hu, X. (2022). Security correction control of stochastic cyber–physical systems subject to false data injection attacks with heterogeneous effects. International Society of Automation Transactions, 123, 1-13. https://doi.or g/10.1016/j.isatra.2021.05.015
[29] Bernardi, S., Gentile, U., Marrone, S., Merseguer, J., & Nardone, R. (2020). Security modelling and formal verification of survivability properties: Application to cyber-physical systems. Journal of Systems and Software, 171, 110746. https://doi.org/1 0.1016/j.jss.2020.110746
[30] Liu, X., Zhang, J., Zhu, P., Tan, Q., & Yin, W. (2021). Quantitative cyber-physical security analysis methodology for industrial control systems based on incomplete information Bayesian game. Computers & Security, 102, 102138. https://doi.org/1 0.1016/j.cose.2020.102138
[31] Kowalewski, S., Stursberg, O., Fritz, M., Graf, H., Hoffmann, I., Preußig, J., Remelhe, M., Simon, S., & Treseler, H. (1999). A Case Study in Tool-Aided Analysis of Discretely Controlled Continuous Systems: The Two Tanks Problem. In Hybrid Systems V. Springer Berlin Heidelberg. https://doi.org/10.1007/3-540-49163-5_9
Karafan Quarterly Scientific Journal
Volume 19, Issue 1 - Serial Number 57
Technical & Engineering
July 2022
Pages 495-521

Files

History

  • Receive Date: 20 December 2021
  • Revise Date: 19 January 2022
  • Accept Date: 08 February 2022

Share

How to cite

Statistics