Sage Journals: Discover world-class research

Abstract

Cybersecurity protection becomes an essential requirement for industrial production systems, while industrial production systems are moving from isolation to interconnection with the development of information and communication technology. Dynamic risk assessment plays an important role in cybersecurity protection, providing the real-time security situation to the industrial production systems managers. Currently, few researches in this domain focus on the physical process of industrial production systems, let alone considering the combination of attack propagation in cyber space and the abnormal events happening in physical space for risk assessment. In this article, an extended multilevel flow model-based dynamic risk assessment approach for industrial production systems is proposed, where the extended multilevel flow model models the production process graphically and describes the relationships among devices, functions, and flows quantitatively. Based on the extended multilevel flow model of industrial production systems, a Bayesian network is built to analyze the attack propagation over time, and the consequences of cyber attack in production process are assessed quantitatively. Some simulations on a chemical process system are carried out to verify the effectiveness of the proposed approach. The results demonstrate that this approach can assess the dynamic cybersecurity risk of industrial production systems in a quantitative way.

Keywords

Cybersecurity extended multilevel flow model dynamic risk assessment industrial production systems Bayesian network

Introduction

Industrial production systems (IPSs) are essential for modern society and the destruction of such systems would cause serious impacts on the national economy, public health, and so on.^1–3 Nowadays, IPSs are moving from isolation to interconnection with the development of information and communication technology, which brings much advantages but also increases cybersecurity vulnerabilities of IPSs. More and more cybersecurity incidents have occurred in recent years, such as the hacking of a water treatment factory in Harrisburg in 2006,⁴ the Stuxnet attack on the Iranian nuclear facility in 2010,⁵ the BlackEnergy case occurring in the Ukrainian grid in 2015,⁶ and so on, which demonstrate the importance of cybersecurity protection for IPSs.

Cybersecurity protection can be classified as static type and dynamic type, and the latter can manage the system risk caused by cyber threats under an acceptable threshold timely.⁷ As discussed by Shameli-Sendi and Dagenais,⁸ intrusion detection, risk assessment, and intrusion response are the main parts of the dynamic cybersecurity protection framework, which forms a closed-loop together with the target system. More specifically, intrusion detection monitors the system for abnormal activity online, and then reports to the collected modules that the cause of abnormal activity are cyber-attacks or faults;⁹ risk assessment uses the attack information to assess the system risk which indicates the current cybersecurity situation of the system; intrusion response’s goal is to keep the system in a secure state when the risk value exceeds the threshold, and its behavior is making and activating cybersecurity strategy timely. Therefore, risk assessment is of great significance to dynamic cybersecurity protection for IPSs.

As special cyber-physical systems (CPSs), IPSs usually have a large number of devices which realize different functions, and these functions interact with each other to ensure the flowing of information and material. In addition, information flows in cyber space help to make control strategy, which manages the production process, and material flows in physical space describe the production process in detail. In most intrusion cases, the goal of cyber-attackers is to disturb the production process by tampering the control strategy; besides, the attack process may lead to abnormal production capacity or serious incidents, which increases the system risk. Based on the risk definition in Kaplan and Garrick,¹⁰ risk assessment for IPSs needs to consider two factors: the probabilities of the compromised control strategies and the loss caused by the compromised control strategy.

Some related works have been done to assess cybersecurity risk in CPSs by exploiting different methods. A network security risk model was provided by Henry and Haimes,¹¹ which analyzed the influence among different components and built-attack scenarios. A multimodel for risk assessment was constructed to describe the relationship among attacks, functions, and incidents in Zhang et al.¹² Ten et al.¹³ proposed a SCADA security framework and gave the approach to calculate the vulnerability indices. An risk assessment approach based on system dynamics was provided in Garbolino et al.,¹⁴ which considers the complexity and changes in the system over time. A novel approach in Genge et al.¹⁵ used the measured values of the observed control variables to evaluated the cyber attack impacts. Li et al.¹⁶ analyzed the asset contents by considering the construction, function, location, and so on, and then quantified the cyber attack impact based on the asset definition. A safety/security risk analysis approach in Abdo et al.¹⁷ combined the attack tree with bowtie analysis, which builds risk scenarios with the cyber-attacks and faults. In addition, Cherdantseva et al.¹⁸ reviewed the cyber risk assessment methods of SCADA system and Teixeira et al.¹⁹ gave a quantitative risk management for control system. The above works analyzed the different aspects of the industrial control system risks, but they cannot be utilized on risk assessment for IPSs directly, for the following reasons: First, many works, such as, Zhang et al.,¹² Ten et al.,¹³ and Genge et al.¹⁵ did not analyze the physical process quantitatively, which are managed by control strategy, let alone the loss calculation due to compromised control strategy in physical space; Second, many works, such as Henry and Haimes,¹¹ Garbolino et al.,¹⁴ Genge et al.,¹⁵ and Li et al.¹⁶ did not consider the attack propagation and infer the probability of compromised control strategy over time. In a word, although considerable works contributed to risk analysis for IPSs, most of them are still limited to assess the cybersecurity risk of IPSs quantitatively.

In this article, we consider and analyze the abnormal event (tampering the control strategy), its probability, and consequence (loss of product reduction and serious incidents) in risk assessment comprehensively. As a result, an extended multilevel flow model (EMFM)-based dynamic risk assessment approach is proposed that covers probability inference and loss calculation. First, traditional multilevel flow model (MFM) is extended to describe the relationships among devices, functions, and flows in IPSs quantitatively, then the EMFM is used to model the production process graphically and forecast the consequence of abnormal event. Second, the cause–effect relationship between cyber-attacks and abnormal control strategy is analyzed using the information flow in EMFM, and on this basis a Bayesian network is built to infer the abnormal event probability over time. Finally, from the probability inference and loss calculation based on EMFM, the dynamic risk of IPSs can be obtained with the input of attack evidence over time, and the effectiveness of our approach is demonstrated through the simulation on a chemical control system.

The rest of this article is organized as follows. Section “Background” discloses the characteristic of the IPSs risk, the advantages and disadvantages of the traditional MFM, and then puts forward the risk assessment architecture for IPSs. Section “System modeling with extended MFM” redefines the function and flow in EMFM, and introduces the modeling process of an IPS using EMFM. Based on the EMFM, section “Extended MFM -based risk assessment” provides the detailed risk assessing process, which includes probabilty inference and loss calculation. Section “Simulations and risk analysis” verifies the effectiveness of this risk assessment approach by some simulations on a chemical process system. The conclusion and remarks are provided in section “Conclusion.”

Background

Cybersecurity risk in IPS

The structure of typical IPSs is shown in Figure 1, where the control center connects the subprocess control systems via communication link, collecting information for data analysis and coordinating all the subprocess control systems. Each subprocess control system controls a production subprocess, which is one stage of the entire production process and realizes a special transformation of materials.^20,21 The outputs of the subprocess control systems, which act on production subprocess directly, constitute the control strategy.

Figure 1.

Structure of typical IPSs.

Due to the IPS characteristics mentioned above, the cybersecurity risk of IPSs is different from other systems. Cyber attackers exploit system vulnerabilities to obtain device authorities in cyber space so as to disturb the information flowing in subprocess control systems to tamper the control strategy. The abnormal strategy might cause hazardous events in the production subprocess, such as abnormal material output or serious incidents. Due to the interdependence of different production subprocesses, the hazardous events in one production subprocess may spread to its neighbors, which causes the system production capacity deviating from the managers expectation. Therefore, risk analysis in IPSs needs to consider two aspects: the relationships between cyber attacks and compromised control strategies; the spreading process of hazardous states caused by compromised control strategies among different production subprocesses in physical space.

MFM

MFM^22–24 is an explicit means-end model, and it can describe the structure and goal of industrial systems in a graphical way. As shown in Figure 2, MFM includes two basic types of concepts: function and flow, where function is a role that a system has in the achievement of a goal and consists of many devices, and flow is a structure that describes the flowing process of information or material. Besides, functions are classified into information type and material type, and each flow is constructed by connecting related functions.

Figure 2.

Graphic symbols of MFM.

MFM contributes to risk assessment for IPSs, where the definition and the causal relationship of functions disclose the relationship between device and function in IPSs, and the description of flow in MFM helps to model the IPSs structure from functions perspectives. However, MFM defines the functions qualitatively such that it cannot describe the transformation of material in production process quantitatively, let alone forecasting the production capacity when the system is under abnormal control strategy. In addition, MFM is a static model and the flows do not have the ability to model the production process dynamically. In order to address the above shortcoming, we redefine the function and flow quantitatively, which can describe the operation process of IPSs dynamically.

Dynamic risk assessment architecture

The proposed dynamic risk assessment architecture for IPSs is shown in Figure 3, where the architecture has attack evidence and control strategies as input, and the system dynamic cybersecurity risk as output.

Figure 3.

Architecture of dynamic risk assessment.

The dynamic risk assessment includes two main processes: probability inference and loss calculation. In the former process, a multilayer Bayesian network based on the EMFM is built to describe the attacks propagation in cyber space and infers the probabilities of control strategies. In the loss calculation process, EMFM describes the entire production process quantitatively, which is used to forecast the product reduction and serious incidents caused by the abnormal control strategies, and calculate the loss of these consequences in terms of money. Finally, the system risk is obtained by multiplying the probability and loss of each abnormal control strategy and adding up all the products.

System modeling with extended MFM

Extended MFM

The EMFM adopts the same graphic symbols as MFM shown in Figure 2 and redefines these symbols in a quantitative way. The extended contents of function and flow are introduced as follows.

Function

A function is a role played in the achievement of a goal, which is realized by many related devices.²² $R$ represents a function, and is defined by a 2-tuple $〈 ρ, B 〉$ .

Parameters set $ρ$ describes the property of a function. As shown in Figure 4, in material function, ${\bar{ρ}}^{τ}$ is the parameters of input material; ${\bar{ρ}}^{o}$ is the parameters of output material, ${\bar{ρ}}^{c}$ represents the controlled parameter; and ${\bar{ρ}}^{s}$ represents the states of the function itself. In information function, ${\tilde{ρ}}^{τ}$ and ${\tilde{ρ}}^{o}$ represents the input and output information, respectively.

Behaviors $B$ describe the operation process of a function. In material function, the handling process of material and the changing process of function states are represented by ${\bar{ρ}}^{o} = {\bar{B}}^{f} ({\bar{ρ}}^{τ}, {\bar{ρ}}^{c})$ and ${\bar{ρ}}^{s} = {\bar{B}}^{s} ({\bar{ρ}}^{τ}, ρ^{c})$ , respectively. In information flow, the handling process of information is represented by ${\tilde{ρ}}^{o} = {\tilde{B}}^{f} ({\tilde{ρ}}^{τ})$ .

Figure 4.

Parameters set of function.

Flow

A flow is constructed by connecting functions according to the input/output relationship and describes the flowing process of material or information. $F$ is used to represent a flow and is defined by a 3-tuple $〈 R, A, f 〉$ . In order to elaborate the 3-tuple clearly, a typical information flow ${\tilde{F}}_{i}$ and material flow ${\bar{F}}_{i}$ is shown in Figure 5.

Figure 5.

Structure of information flow and material flow.

Supported functions set $R$ denotes the functions which constitute flow $F$ . As shown in Figure 5, ${\bar{R}}_{i} = {{\bar{R}}_{i, 1}, {\bar{R}}_{i, 2}, \dots, {\bar{R}}_{i, n}}$ represents the supported functions set of material flow ${\bar{F}}_{i}$ and ${\tilde{R}}_{i} = {{\tilde{R}}_{i, 1}, {\tilde{R}}_{i, 2}, {\tilde{R}}_{i, 3}}$ represents the supported functions set of information flow ${\tilde{F}}_{1}$ .

Structure matrix $A$ describes the structure feature of flow $F$ , whose elements show the the relationships between two supported functions. For example, the element ${\bar{A}}_{i} (k, j)$ equals 1 when ${\bar{ρ}}_{j}^{τ}$ depends on ${\bar{ρ}}_{k}^{o}$ , otherwise ${\bar{A}}_{i} (k, j)$ equals 0, where ${\bar{A}}_{i} (k, j)$ is the $j th$ column in the kth row of ${\bar{A}}_{i}$ .

Flow parameters $f$ include the input $f^{τ}$ and the output $f^{o}$ . As shown in Figure 5, the output of the information flow ${\tilde{F}}_{i}$ is defined by equation (1) as

{\tilde{f}}_{i}^{o} = {{\tilde{f}}_{i, 1}^{o}, \dots, {\tilde{f}}_{i, n}^{o}}

(1)

${\tilde{f}}_{i, j}^{o}$ represents a control on ${\bar{R}}_{i, j}$ of ${\bar{F}}_{i}$ , which assigns values to the ${\bar{ρ}}_{i, j}^{c}$ . Besides, the input of the information flow ${\tilde{F}}_{i}$ is defined by equation (2) as

{\tilde{f}}_{i}^{τ} = {{\bar{ρ}}_{i, 1}^{ν} \cup {\bar{ρ}}_{i, 1}^{τ} \cup {\bar{ρ}}_{i, 1}^{o}, \dots, {\bar{ρ}}_{i, n}^{ν} \cup {\bar{ρ}}_{i, n}^{τ} \cup {\bar{ρ}}_{i, n}^{o}}

(2)

Flow parameters of material flow also has two types of subset: flow input ${\bar{f}}_{i}^{τ}$ and flow output ${\bar{f}}_{i}^{o}$ , which represent the attributes of material that flows through ${\bar{F}}_{i}$ , such as liquid velocity, composition ratio, and so on.

At the end of this section, a simple example is given to explain function and flow. Assume that water is pumped from a pool to a tank, and flows to a customer through a pipeline with a valve; besides, the water level of the tank is monitored by a sensor and impacted by the pump and the valve. The whole control process is controlled by a programmable logic controller (PLC). In this process, there exists one material flow and one information flow. Specifically, the material flow consists of five functions: a source (pool), a transport (pipeline and pump), a storage (tank), another transport (pipeline and valve), and a sink (customer). The information flow consists of an observer (sensor), a decision (PLC) and an actor (PLC). Besides, the output flow parameter of material flow is the velocity of water received by customer (the input flow parameter is infinite), the flow parameter of information flow includes the collected information (water velocity, level in tank, valve opening, and pump power), and control command (opening setting of the valve, power setting of the pump).

Modeling process of the extended MFM

In order to describe the production process and its control process quantitatively, an EMFM for IPSs is built, and the modeling process is divided into three steps.

Step 1. Divide the target IPS into several subsystems according to the structure as shown in Figure 1. The detailed processes are listed as follows.

The production process is divided into several interdependent subprocesses in physical space, where each subprocess manages a special transformation of material.

The control system of each production subprocess is analyzed, where the boundary and the devices in each control system are determined.

Step 2. The devices in IPSs can be modeled into several functions such as source, storage, conversion, and observer. The processes are listed as follows.

The devices that belong to a production subprocess and its control system are grouped into many corresponding functions shown in Figure 2, which is based on the definition of functions in Larsson.²²

The input, output, and states of each function, which are related to the material process, information process, and incidents, are determined and viewed as the parameters set of that function.

The behaviors of material function are derived from the laws of physical,^25,26 or from fitting historical samples.^27,28 The behavior of information function can be derived from the laws of control process.

Step 3. Each production subprocess is modeled as a material flow while its control system is modeled as an information flow. The process is explained as follows.

Connect material/information functions into material/information flow according to the causal relationship among the functions.

Based on the above steps, the supported functions set and structure matrix of each flows are provided, and the flow parameters are obtained by the input and output of production subprocess or its control system.

Extended MFM-based risk assessment

Probability inference for control strategies

In this article, Bayesian network is adopted to infer the probability of compromised control strategies. Bayesian network is a probabilistic graphical model^29–31 and is defined by a 3-tuple $〈 x, g, ϕ 〉$ , where $x$ represents the variables in the inference process, $g$ is a matrix describing the acyclic graph structure, and $ϕ$ is a conditional probability table set for all variables. Based on the analysis in section “Cybersecurity risk in industrial production system,” a multilayer Bayesian network is built in the following.

Attack strategy layer: the attack strategy on IPSs is complex because of the system characteristic and technology development, which consists of multiple-steps atomic attacks. By the way, an atomic attack represents a special attack process which is launched from resource device to target devices. In additional, the goal of an atomic attack is to gain the authorities of target device, and the precondition of launching such an atomic attack is that the authorities of resource device have been gained. Therefore, the purpose of launching an atomic attack is to prepare for the following atomic attacks. Based on this analysis, the attack strategy can be modeled as a directed acyclic graph whose nodes are the coresponding atomic attacks. This process can be modeled by $B_{a}$ as

B_{a} = 〈 a, g^{a}, ϕ^{a} 〉

(3)

where $a$ is the set of atomic attacks in cyber space. Matrix $g^{a}$ represents the relationships among these atomic attacks. $ϕ^{a}$ represents the atomic attack conditional probabilities when its parents already happened. The detailed modeling process of $B_{a}$ has been provided by many works.^12,32,33

2. Information flow layer: as discussed in section “Extended MFM,” each flow is constructed by many connecting functions and each function is a combination of many related devices, so the compromission of cyber devices will cause the abnormal output of information flow. This process is described by equation (4) as

B_{f} = 〈 {a, φ}, g^{a, φ}, ϕ^{a, φ} 〉

(4)

where the set $φ = ⋃_{φ_{i, j}}$ and $φ_{i, j}$ represents an operation on ${\tilde{f}}_{i, j}^{o}$ . $g^{a, φ}$ is a matrix which represents the relationship between $a$ and $φ$ . $ϕ^{a, φ}$ is the conditional probability of all $φ_{i, j}$ whose parents are in set $a$ , which can be obtained by training a great amount data³⁴ or from historical statistic data.³⁵

$g^{a, φ}$ is an augmented matrix and equals to $[g_{1}^{a, φ} : \dots : g_{m}^{a, φ}]$ , where $g_{i}^{a, φ}$ describes the relationship between the atomic attacks and ${\tilde{f}}_{i}^{o}$ . Figure 6 shows the structure of ${\tilde{F}}_{i}$ , and it is obvious that attacks on devices will impact on ${\tilde{f}}_{i, j}^{o}$ . In order to obtain $g_{i}^{a, φ}$ , three matrixes $A^{1}$ , $A^{2}$ , and $A^{3}$ are built first, where $A^{1}$ describes the relationship between the attacks on actuator and the ${\tilde{f}}_{i}^{o}$ , $A^{1} (k, j)$ equals to 1 when the output of the $k th$ actuator is a part of the $j th$ element of ${\tilde{f}}_{i}^{o}$ , otherwise $A^{1} (k, j)$ equals 0.

Figure 6.

Relationships among devices, functions, and flow in ${\tilde{F}}_{i}$ .

In the same way, $A^{2}$ describes the relationships between the attacks on controllers and the input data of actuators, and $A^{3}$ describes the relationships between the attack on sensor and the input data of controllers. Then a matrix $A$ represents the relationships between the attack on devices and ${\bar{f}}_{i}^{o}$ , which is described in equation (5) as

A = [A^{1} : A^{1} \times A^{2} : A^{1} \times A^{2} \times A^{3}] .

(5)

Finally, $g_{i}^{a, φ}$ can be obtained by the augmented matrix $A$ and is shown in equation (6) as

g_{i, j}^{a, φ} = {\begin{matrix} 1, & A_{i, j} \neq 0 \\ 0, & A_{i, j} = 0 \end{matrix}

(6)

3. Control strategy layer: control strategy is the bridge between cyber space and physical space, which is generated by the whole control process. In EMFM of IPSs, each subcontrol process is modeled as a information flow, so that the control strategy consists of the output of all information flows. $φ_{i, j}$ describes the operation on ${\tilde{f}}_{i, j}^{o}$ , which includes several values, then the compromised control strategy is defined as $s \underline{\underline{def}} ⋃_{i, j} φ_{i, j}$ . For the example mentioned in section “Extended MFM,” compromised control strategy is the control command, and it has some values that indicate different impacts on control command caused by different attacks (such as Dos and man-in-the middle). On this basis, control strategy layer $B_{s}$ is built to describe the relationships between $φ$ and $s$ , as shown in equation (7)

B_{s} = 〈 {φ, s}, g^{φ, s}, ϕ^{φ, s} 〉

(7)

where $g^{φ, s}$ is a vector and each element equals to 1. $ϕ^{φ, s}$ is a table which describes the condition probability of $s$ and its value is given by security experts.

The Bayesian network for probability inference of control strategies called $B$ consists of three layers: $B_{a}$ , $B_{f}$ , and $B_{s}$ , which uses attack evidence provided by IDSs to infer the probability of $s$ in real time. The attack evidence $E$ at $t$ is defined in equation (8) as

E = {H (a_{1}), \dots, H (a_{m})}

(8)

where $H (a_{i})$ has two values and is defined by equation (9) as

H (a_{i}) = {\begin{matrix} T, & a_{i} has been detected \\ F, & otherwise \end{matrix}

(9)

Loss calculation of control strategies

Assume that an IPS has $q$ feedback systems, where each feedback system consists of a production subprocess and a subprocess control system. Each feedback system is modeled as a combination of an information flow and a material flow shown in Figure 5. Based on these assumptions, the loss calculation of a special control strategy is introduced in the following.

Information flow ${\tilde{F}}_{i}$ is defined by $〈 {\tilde{R}}_{i}, {\tilde{A}}_{i}, {\tilde{f}}_{i} 〉$ . In Figure 6, the behavior of observer ${\tilde{R}}_{i, 1}$ and actor ${\tilde{R}}_{i, 3}$ is to collect and distribute the data, respectively, and the behavior of decision ${\tilde{R}}_{1, 2}$ is to process the data according to the control algorithm. Based on this knowledge, an algorithm for forecasting ${\tilde{f}}_{i}^{o}$ is provided in Algorithm 1, where ${\tilde{f}}_{i}^{o}$ is defined in equation (1) and ${\tilde{f}}_{i}^{τ}$ is defined in equation (2).

Algorithm 1 Information flow output forecast algorithm ${\tilde{f}}_{i}^{o} = {\tilde{F}}_{i} ({\tilde{f}}_{i}^{τ})$
Input: ${\tilde{F}}_{i}$ input ${\tilde{f}}_{i}^{τ}$	5: if $j < 3$ then
Output: ${\tilde{F}}_{i}$ output ${\tilde{f}}_{i}^{o}$	6: ${\tilde{ρ}}_{i, j + 1}^{τ} \leftarrow {\tilde{ρ}}_{i, j}^{o}$
1: ${\tilde{f}}_{i}^{o} \leftarrow \emptyset$	7: else
2: ${\tilde{ρ}}_{i, 1}^{τ} \leftarrow {\tilde{f}}_{i}^{τ}$	8: ${\tilde{f}}_{i}^{o} \leftarrow {\tilde{ρ}}_{i, j}^{o}$
3: for $j = 1$ to $3$ do	9: end if
4: ${\tilde{ρ}}_{i, j}^{o} \leftarrow {\tilde{B}}_{i, j}^{f} ({\tilde{ρ}}_{i, j}^{τ})$	10: end for
	11: return ${\tilde{f}}_{i}^{o}$

${\bar{F}}_{i}$ is controlled by ${\tilde{F}}_{i}$ directly and is represented by $〈 {\bar{R}}_{i}, {\bar{A}}_{i}, {\bar{f}}_{i} 〉$ . Assume that ${\bar{F}}_{i}$ has a series structure, which means that $n$ functions in the material flow are connected one by one, then the algorithm for material output ${\bar{f}}^{o}_{i}$ and serious incidents $e_{i}$ of ${\bar{F}}_{i}$ is shown as Algorithm 2.

Algorithm 2 Material flow output forecast algorithm ${e_{i}, {\bar{f}}_{i}^{o}} = {\bar{F}}_{i} ({\bar{f}}_{i}^{τ}, {\tilde{f}}_{i}^{o})$
Input: ${\bar{F}}_{i}$ input ${\bar{f}}_{i}^{τ}$ , ${\tilde{F}}_{i}$ output ${\tilde{f}}_{i}^{o}$	8: $e_{i, j} \leftarrow 1$
Output: ${\bar{F}}_{i}$ output ${\bar{f}}_{i}^{o}$ , serious incidents $e_{i}$	9: end if
1: ${\bar{f}}_{i}^{o} \leftarrow \emptyset$	10: if $j = n$ then
2: $e_{i} \leftarrow 0$	11: ${\bar{f}}_{i}^{o} \leftarrow {\bar{ρ}}_{i, j}^{o}$
3: ${\bar{ρ}}_{i, 1}^{τ} \leftarrow {\bar{f}}_{i}^{τ}$	12: else
4: for $j = 1$ to $n$ do	13: ${\bar{ρ}}_{i, j}^{o} \leftarrow {\bar{B}}_{i, j}^{f} ({\bar{ρ}}_{i, j}^{τ}, {\bar{ρ}}_{i, j}^{c})$
5: ${\bar{ρ}}_{i, j}^{c} \leftarrow {\tilde{f}}_{i}^{o}$	14: ${\bar{ρ}}_{i, j + 1}^{τ} \leftarrow {\bar{ρ}}_{i, j}^{o}$
6: ${\bar{ρ}}_{i, j}^{s} \leftarrow {\bar{B}}_{i, j}^{s} ({\bar{ρ}}_{i, j}^{τ}, {\bar{ρ}}_{i, j}^{c})$	15: end if
7: if ${\bar{ρ}}_{i, j}^{s} \subseteq {\bar{ρ}}_{i, j}^{safe}$ then	16: end for
	17: return $e_{i}$ and ${\bar{f}}_{i}^{o}$

The hazard states in one material flow caused by compromised control strategy may spread to its neighbor. Assume that the output of ${\bar{F}}_{i}$ is the input of ${\bar{F}}_{i + 1}$ , then an algorithm shown as Algorithm 3 is provided to analyze the IPSs production capacity ${\bar{f}}_{s}$ and serious incidents $e_{s}$ when the IPS is under a control strategy $s_{ν}$ , where $s_{ν}$ is a value of $s$ and represents a control strategy tampered by attackers. $t_{0} + Δ t$ is the time when the hazard states of first production subprocess happen, $t_{0} + λ Δ t$ means the time when the system is repaired by engineers.

Algorithm 3 Production capacity and serious incidents forecast algorithm
Input: control strategy $s_{ν}$ , raw material ${\bar{f}}_{γ}$	10: ${\tilde{f}}_{i}^{o} \leftarrow φ ({\tilde{f}}_{i}^{o})$
Output: production capacity ${\bar{f}}_{s}$ serious incidents $e_{s}$	11: ${e_{i}, {\bar{f}}_{i}^{o}} \leftarrow {\bar{F}}_{i} ({\bar{f}}_{i}^{τ}, {\tilde{f}}_{i}^{o})$
1: ${\bar{f}}_{s} \leftarrow \emptyset$	12: $e_{s} \leftarrow e_{s} \cup e_{i}$
2: $e_{s} \leftarrow \emptyset$	13: if $i = q$ then
3: $t \leftarrow t_{0}$	14: $\bar{f} (t) \leftarrow {\bar{f}}_{i}^{o}$
4: $\bar{f} (t) \leftarrow \emptyset$	15: ${\bar{f}}_{s} \leftarrow {\bar{f}}_{s} \cup f (t)$
5: ${\bar{f}}_{1}^{τ} \leftarrow {\bar{f}}_{γ}$	16: else
6: while $t \leq t_{0} + λ Δ t$ do	17: ${\bar{f}}_{i + 1}^{τ} \leftarrow {\bar{f}}_{i}^{o}$
7: for $i = 1$ to $q$ do	18: end if
8: ${\tilde{f}}_{i}^{τ} \leftarrow ⋃_{j} ({\bar{ρ}}_{i, j}^{τ} \cup {\bar{ρ}}_{i, j}^{o} \cup {\bar{ρ}}_{i, j}^{ν})$	19: end for
9: ${\tilde{f}}_{i}^{o} \leftarrow {\tilde{F}}_{i} ({\tilde{f}}_{i}^{τ})$	20: $t \leftarrow t + Δ t$
	21: end while
	22: return ${\bar{f}}_{s}$ and $e_{s}$

Based on Algorithm 3, the consequences of $s_{ν}$ can be obtained and is listed as follows: the production capacity is ${\bar{f}}_{s} = {\bar{f} (t_{0}), \bar{f} (t_{0} + Δ t), \dots, \bar{f} (t_{0} + λ Δ t)}$ , the serious incident is $e_{s} = ⋃_{i, j} e_{i, j}$ where $e_{i, j} = 1$ means an incident happens on function ${\bar{R}}_{i, j}$ , and $e_{i, j} = 0$ represents no incident.

Abnormal production capacity deviates from the IPS owner’s expectation and causes sales reduction, while serious incidents have negative impacts on the environment, personal safety, system devices, and so on.¹² Assume the expected production capacity is a fixed value $\bar{f}$ , and $ϑ$ is the price of per unit products, then the loss of ${\bar{f}}_{s}$ is obtained by equation (10) as

l^{f} = \sum_{i = 1}^{λ} | \bar{f} (t_{0} + i Δ t) - \bar{f} | \cdot ϑ \cdot Δ t

(10)

The loss caused by serious incidents is calculated by equation (11) as

l^{s} = \sum_{i = 1}^{q} \sum_{j = 1}^{n} (l_{i, j}^{e} + l_{i, j}^{p} + l_{i, j}^{d})

(11)

where $l_{i, j}^{e}$ represents the loss of pollution and the imbalance of ecology, $l_{i, j}^{p}$ means the compensations for the people who are injured in the incidents $e_{i, j}$ , and $l_{i, j}^{d}$ is cost to replace the damaged devices.³⁶ These values are provided by experts based on related laws and regulations. Then the loss of the control strategy $s_{ν}$ is shown in equation (12) as

l (s_{ν}) = l^{f} + l^{s}

(12)

Obtainment of the dynamic risk

As discussed in Kaplan and Garrick,¹⁰ the notion of risk involves both uncertainty and damage under different scenarios, which can be defined by a 3-tuple $〈 s_{i}, p_{i}, l_{i} 〉, i = 1, 2, \dots, n$ , where $s_{i}$ is the $i th$ scenario, $p_{i}$ is the probability of the $i th$ scenario, and $l_{i}$ is the loss of the $i th$ scenario. In this article, the scenario is the compromised control strategy $s$ , the probability of $s_{v}$ is inferred in section “Probability inference for control strategies,” and the loss of $s_{v}$ are calculated in section “Loss calculation of control strategies,” then the dynamic risk is obtained by equation (13) as

R = \sum_{v = 1}^{n} p (s_{v}) \cdot l (s_{v})

(13)

where $s_{v}$ is the vth compromised control strategy, $n$ is the number of all control strategies, $p (s_{v})$ and $l (s_{v})$ represent the probability and the loss of $s_{v}$ , respectively. It is noted that normal control strategy has no contribution to the risk, because the loss caused by normal control strategy equals 0.

Simulations and risk analysis

Simulation platform and models

A chemical system is shown in Figure 7, and the production process is divided into three subprocesses. Specifically, in the reaction process, two types of raw materials are transported through pipelines to the reactor, where product and byproduct are generated. The separation process uses a condenser and a separator to separate the product from the byproduct. In the extraction process, a stripper removes the impurities from the product. Each subprocess is controlled and supervised by a human–machine interface (HMI), respectively, and the three subprocesses are coordinated by an engineer station (ES).

Figure 7.

Structure of a chemical process system.

Each subprocess can be modeled as a material flow, and its control system can be modeled as an information flow. Table 1 provides the relationships among devices, functions, and flows of the reaction process and its control system. Note that there are two types of functions, the sources and the sinks, which are defined by ${\bar{R}}_{1, 1}$ , ${\bar{R}}_{1, 2}$ , and ${\bar{R}}_{1, 7}$ , and are not given in Table 1 because these functions are only used to describe the input and the output of material flow but do not exist in reality.

Table 1.

Description of the reaction process and its control system.

Flows	Functions		Devices
	Symbols	Parameters
${\tilde{F}}_{1}$	${\tilde{R}}_{1, 1}$	${\tilde{ρ}}_{1, 1}^{τ}$ (All parameters of reaction, V1–V4)	PLC1, PLC2, PLC3
		${\tilde{ρ}}_{1, 1}^{o}$ (Pressure of reaction, opening value of V1–V4)
	${\tilde{R}}_{1, 2}$	${\tilde{ρ}}_{1, 2}^{τ}$ (Pressure of reaction, opening value of V1–V4)	HMI1
		${\tilde{ρ}}_{1, 2}^{o}$ (Set point of the V1–V4 opening value)
	${\tilde{R}}_{1, 3}$	${\tilde{ρ}}_{1, 3}^{τ}$ (Set point of the V1–V4 opening value)	PLC1, PLC2, PLC3
		${\tilde{ρ}}_{1, 3}^{o}$ (Control signal for V1–V4)
${\bar{F}}_{1}$	${\bar{R}}_{1, 3}$	${\bar{ρ}}_{1, 3}^{τ}$ (Transportation velocity of material A)	PIP1
		${\bar{ρ}}_{1, 3}^{o}$ (Velocity of material A which are supplied to reaction)
	${\bar{R}}_{1, 4}$	${\bar{ρ}}_{1, 4}^{τ}$ (Transportation velocity of material B)	PIP2
		${\bar{ρ}}_{1, 4}^{o}$ (Velocity of material B which is supplied to reaction)
	${\bar{R}}_{1, 5}$	${\bar{ρ}}_{1, 5}^{τ}$ (Velocity of A and B which are accepted by reaction)	V1–V4, Reactor, PIP4
		${\tilde{ρ}}_{1, 5}^{o}$ (Velocity of the product and byproduct)
		${\tilde{ρ}}_{1, 5}^{c}$ (Opening value of V1–V4)
		${\tilde{ρ}}_{1, 5}^{s}$ (Pressure of reaction)
	${\bar{R}}_{1, 6}$	${\tilde{ρ}}_{1, 6}^{τ}$ (Velocity of the product and byproduct flowed from reaction)	PIP3
		${\tilde{ρ}}_{1, 6}^{o}$ (Velocity of the product and byproduct supplied to separation process)

As shown in Figure 8, for the chemical system, the chemical process system is viewed as an integration of three information flows and three material flows, and each flow consists of several functions. Besides, ${\bar{F}}_{i}$ and ${\tilde{F}}_{i}$ form a feedback system, and ${\bar{F}}_{i}$ interacts with other material flows. In this case, only ${\bar{R}}_{1, 5}$ , ${\bar{R}}_{2, 3}$ , ${\bar{R}}_{2, 5}$ , and ${\bar{R}}_{3, 3}$ have control parameters through which the production process is managed. Therefore, the control strategies are defined as $s = {φ_{1, 5}, φ_{2, 3}, φ_{2, 5}, φ_{3, 3}}$ , where $φ_{i, j}$ is an operation on ${\tilde{f}}_{i, j}^{o}$ . Assume that $φ_{1, 5}$ has four values and others have two values, and each value represents a special operation, then this chemical system has 32 compromised control strategies.

Figure 8.

EMFM of the chemical process system.

Figure 9.

Bayesian network for probability inference.

Based on the above works, a three-layer Bayesian network is built to infer the probabilities of the compromised control strategies, where the attack layer describes the relationships among different atomic attacks $a$ and this model can be obtained through;¹² the information layer and control strategy layer are modeled based on the Figure 8, which are discussed in section “Probability inference for control strategies.”

Result analysis

Probability inference

The attack evidence $E$ provided by IDS is listed in Table 2, where each row shows the time when the corresponding atomic attack is detected by the IDS.

Table 2.

List of attack evidence.

Time (min)	Attack	Description
6	$H (a_{2}) = T$	Vulnerability scanning on HDS
11	$H (a_{7}) = T$	Dos attack on HDS
16	$H (a_{5}) = T$	Vulnerability scanning on HMI2
21	$H (a_{11}) = T$	Privilege escalation attack on ES
26	$H (a_{8}) = T$	Buffer overflow attack on HDS
31	$H (a_{14}) = T$	Buffer overflow attack on HMI1
36	$H (a_{15}) = T$	Buffer overflow attack on HMI2
41	$H (a_{17}) = T$	Data tampering attack on PLC1

The result of the probability inference with $E$ as input is shown in Figure 10, where $s_{i}$ represents the $i th$ control strategy and $s_{1}$ is the normal one, which are not tampered by the attacker. In the first subfigure, the probability of $s_{1}$ equals 1 between 1 and 5 min, because there exist no cyber attacks in this period. And the probability becomes smaller when more and more attacks are detected. The second subfigure shows the probabilities of all control strategies at the 41st min. In general, all $p (s_{i})$ at different times can be obtained with the Bayesian network with the attack evidence input.

Figure 10.

Probabilities of control strategies.

Loss calculation

Table 3 provides three compromised control strategies which consist of different operations, and each operation represents a combination of several alterations on ${\tilde{ρ}}_{i, j}^{c}$ , $v_{i} \overset{t = t_{k}}{\leftarrow} value$ means that the $v_{i}$ is assigned with $value$ at $t_{k}$ hour, where $v_{i}$ represents the ith valve opening.

Table 3.

Three typical control strategies.

Control strategy	Operation	Implementation
$s_{1}$	No operation	$\emptyset$
$s_{2}$	$φ_{1, 5}$	${v_{3} \overset{t = 2}{\leftarrow} 1, v_{3} \overset{t = 3.6}{\leftarrow} 0.75}$
	$φ_{2, 3}$	${v_{5} \overset{t = 3.6}{\leftarrow} 0.3}$
	$φ_{2, 5}$	$\emptyset$
	$φ_{3, 3}$	$\emptyset$
$s_{3}$	$φ_{1, 5}$	${v_{3} \overset{t = 3.2}{\leftarrow} 0.65}$
	$φ_{2, 3}$	$\emptyset$
	$φ_{2, 5}$	${v_{6} \overset{t = 2.8}{\leftarrow} 0.45}$
	$φ_{3, 3}$	${v_{8} \overset{t = 2}{\leftarrow} 0.5, v_{8} \overset{t = 4}{\leftarrow} 0.2}$

The result of the production capacity ${\bar{f}}_{s}$ is shown in Figure 11, where the normal ${\bar{f}}_{s}$ is a constant value shown by line $c_{1}$ . Line $c_{2}$ shows the real-time production capacity under control strategy $s_{2}$ , where the attacker launches three operations to reduce the production capacity at 2 and 3.6 h. In this case, no serious incident happens. In the third case, the attacker alters the valve opening of $V 8$ at 2 and 4 h, which directly affects ${\bar{f}}_{s}$ , while the other two operations which alter the valve opening of $V 5$ and $V 6$ at $3.2$ and $2.8$ h have no influences on ${\bar{f}}_{s}$ , because the reactor and the separator have the storage capability that buffers the effect of the attacks. The liquid overflow on ${\bar{R}}_{3, 3}$ occurs at $4.4$ h, making the production capacity ${\bar{f}}_{s}$ equal to 0. The result is shown as line $c_{3}$ in Figure 11.

Figure 11.

Production capacities of $s_{2}$ and $s_{3}$ .

In Figure 12, solid lines and dotted lines represent the states parameters when system is under control strategy $s_{2}$ and $s_{3}$ , respectively. In the first subfigure, the opening of $V 8$ is altered to $0.5$ at 2 h, which makes ${\bar{ρ}}_{3.3}^{s}$ become large through the ${\bar{R}}_{3, 3}$ behaviors. The opening of $V 3$ is changed at 3.2 h, and its value influences ${\bar{ρ}}_{3.3}^{s}$ by the interdependence between ${\bar{F}}_{1}$ and ${\bar{F}}_{3}$ . At 4.4 and 5.5 h, ${\bar{ρ}}_{2.5}^{s}$ and ${\bar{ρ}}_{3.3}^{s}$ are larger than safety threshold ${\bar{ρ}}^{safe}$ , respectively, which cause incidents $e_{2, 5}$ and $e_{3, 3}$ . In the same way, the operation includes altering on $v_{3}$ and $v_{5}$ , which makes ${\bar{ρ}}_{2.5}^{s}$ smaller through decreasing the input of ${\bar{R}}_{2, 5}$ . ${\bar{ρ}}_{3.3}^{s}$ does not change because of the feedback control ability of ${\tilde{F}}_{3}$ . In the second subfigure, the operations on ${\bar{R}}_{1, 5}$ , such as altering $v_{3}$ and $v_{5}$ , can impact on ${\bar{ρ}}_{1, 5}^{s}$ . At 5.7 h, ${\bar{ρ}}_{1.5}^{s}$ is larger than the threshold $3000 Pa$ , which causes the incident $e_{1, 5}$ .

Figure 12.

State parameters of $s_{2}$ and $s_{3}$ .

From the above simulations, production capacity ${\bar{f}}_{s}$ and serious incidents $e_{s}$ are estimated when the production process is controlled by $s_{1}, s_{2}, s_{3}$ . The loss of ${\bar{f}}_{s}$ caused by $s_{2}$ and $s_{3}$ are obtained by equation (10) from 0–8 h, where $Δ t$ is set to 0.2 h. The loss of $e_{s}$ caused by $s_{2}$ and $s_{3}$ are obtained through equation (11). In the same way, the loss of $s_{i}, i = 4, 5, \dots, 32$ can be obtained.

Risk assessment

Based on the above simulations, the cyber risk of the IPS is shown in Figure 13. In this figure, the risk becomes larger greatly when the attacks $a_{2}$ , $a_{5}$ , $a_{14}$ , and $a_{17}$ are detected, and the reasons are listed as follows: $a_{2}$ is the first attack detected by the IDS, which means the system is in insecure state; $a_{5}$ , $a_{14}$ , and $a_{17}$ are the attacks whose objects are the devices of the subprocess control systems, and the distribution on subprocess control systems have a negative impact on the production process directly, which increases the system risk greatly. In general, the curve in Figure 13 indicates the risk is increasing with more and more attacks detected.

Figure 13.

System risk at different time.

Execution time

To demonstrate the execution time of our approach, several simulations are designed. Because the loss calculation is simulated offline while the probability inference is simulated online, the whole execution time equals to the time cost of probability inference. The simulation of the Bayesian network shown in Figure 9 is run on a computer with Intel processor(2.20 GHZ) and 4 GB RAM 1000 times, the average execution time is 0.086 s, the minimum execution time is 0.075 s, and the maximum execution time is 0.131 s. In order to get the execution time of other types of Bayesian networks, several simulations are conducted and the results are shown in Figure 14.

Figure 14.

Execution time of different Bayesian networks.

Several five-layer Bayesian networks with 100, 200, 300, 400, and 500 nodes are executed in MATLAB, and the result is shown in Figure 14. In this figure, the average execution time increases linearly with the node number of the Bayesian networks, which means that the complexity of the inference algorithm is $O (n)$ , where $n$ is the number of nodes. The max execution time is 1.135 s with 500 nodes, and this special Bayesian network can still meet the real-time requirement of IPS risk assessment. In general, these simulations demonstrate that our approach can be adopted in most soft real-time IPSs.

Approaches comparison

It is clear that this risk assessment approach has the ability to assess the IPSs risk quantitatively, and it can provide the evaluation indexes of cybersecurity situation for the subsequent intrusion response. Risk assessment approaches of section “Introduction” employed different perspectives and scenarios, it is difficult to compare our work with others. But Table 4 presents some different input information, assessing process and other items between other approaches with our approach.

Table 4.

Risk assessment comparisons.

Risk assessment approach		¹¹	¹²	¹³	¹⁴	¹⁵	¹⁶	¹⁷	Ours
Input	Real-time information		√		√	√	√		√
	Structure characteristic	√	√	√	√		√	√	√
Assessing process	Probability inference		√	√				√	√
	Loss calculation	√	√		√	√	√	√	√
Risk contents	Product reduction						√		√
	Serious incidents		√	√	√			√	√
Risk characteristic	Static	√		√				√
	Dynamic		√		√	√	√		√

Conclusion

Dynamic risk assessment is of great significance to cybersecurity protection for IPSs, and is necessary to consider the system structure, the production process, and the corresponding control process. An extended MFM-based dynamic risk assessment approach is presented to tackle this problem. Traditional MFM is extended to describe the structure and operation process of IPSs from the perspective of functions and flows, which help to abstract a complex IPSs into a combination of several flows. Besides, this dynamic risk assessment provides a detailed loss calculation for the serious incidents and product reduction quantitatively, which is different from other approaches. And this approach also gives a probability inference for the propagation of cyber attacks, which considers the generation of control strategy. Finally, several simulations are carried out to verify the effectiveness of this approach.

This research only focuses on real-time attacks in cyber space, which is represented by the probability inference process in Bayesian network. But, the faults in system physical space are not considered in our approach online. A comprehensive dynamic risk assessment approach intergraded with real-time attack and fault will be investigated for IPSs in the future work.

Footnotes

Appendix 1

Handling Editor: José Camacho

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work is supported by National Science Foundation of China (NSFC) under grant numbers 61433006, 61272204 to author C. Zhou.

References

Pederson

Dudenhoeffer

Hartley

et al . Critical infrastructure interdependency modeling: a survey of US and international research. Idaho National Lab 2006; 25: 27.

Benali

Hammache

Aub

et al . Dynamic multiobjective optimization of large-scale industrial production systems: an emerging strategy. Int J Energ Res 2007; 31(12): 1202–1225.

Zaeh

Reinhart

Ostgathe

et al . A holistic approach for the cognitive control of production systems. Adv Eng Inf 2010; 24(3): 300–307.

Guan

Graham

Hieb

. A digraph model for risk identification and management in scada systems. In: Proceedings of 2011 IEEE International Conference on Intelligence and Security Informatics, Beijing, China, 10–12 July, pp.150–155.

Langner

. Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur Priv 2011; 9(3): 49–51.

Piggin

. Cyber security trends: what should keep CEOs awake at night. Int J Crit Infr Prot 2016; 13: 36–38.

NIST. Framework for Improving Critical Infrastructure Cybersecurity, 2014, https://www.nist.gov/sites/default/files/documents////draft-cybersecurity-framework-v1.11.pdf

Shameli-Sendi

Dagenais

. Arito: cyber-attack response system using accurate risk impact tolerance. Int J Inf Secur 2014; 13(4): 367–390.

Zhou

Huang

Xiong

et al . Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation. IEEE T Syst Man Cyb 2015; 45(10): 1345–1360.

10.

Kaplan

Garrick

. On the quantitative definition of risk. Risk Anal 1981; 1(1): 11–27.

11.

Henry

Haimes

. A comprehensive network security risk model for process control networks. Risk Anal 2009; 29(2): 223–248.

12.

Zhang

Zhou

Xiong

et al . Multimodel-based incident prediction and risk assessment in dynamic cybersecurity protection for industrial control systems. IEEE T Syst Man Cyb 2016; 46(10): 1429–1444.

13.

Ten

Manimaran

Liu

. Cybersecurity for critical infrastructures: attack and defense modeling. IEEE T Syst Man Cy A 2010; 40(4): 853–865.

14.

Garbolino

Chery

Guarnieri

. A simplified approach to risk assessment based on system dynamics: an industrial case study. Risk Anal 2016; 36(1): 16–29.

15.

Genge

Kiss

Haller

. A system dynamics approach for assessing the impact of cyber attacks on critical infrastructures. Int J Crit Infr Prot 2015; 10: 3–17.

16.

Zhou

Tian

et al . Asset-based dynamic impact assessment of cyberattacks for risk analysis in industrial control systems. IEEE T Ind Inform 2018; 14(2): 608–618.

17.

Abdo

Kaouk

Flaus

et al . A safety/security risk analysis approach of industrial control systems: a cyber bowtie-combining new version of attack tree with bowtie analysis. Comput Secur 2018; 72: 175–195.

18.

Cherdantseva

Burnap

Blyth

et al . A review of cyber security risk assessment methods for scada systems. Comput Secur 2016; 56: 1–27.

19.

Teixeira

Sou

Sandberg

et al . Secure control systems: a quantitative risk management approach. IEEE Contr Syst 2015; 35(1): 24–45.

20.

Sridhar

Hahn

Govindarasu

. Cyber-physical system security for the electric power grid. Proc IEEE 2012; 100(1): 210–224.

21.

Tan

Lam

Kasivisvanathan

et al . An algebraic approach to identifying bottlenecks in linear process models of multifunctional energy systems. Theor Found Chem Eng 2012; 46(6): 642–650.

22.

Larsson

. Diagnosis based on explicit means-end models. Artif Intell 1996; 80(1): 29–93.

23.

Zang

Liang

et al . A novel failure mode analysis model for gathering system based on multilevel ﬂow modeling and hazop. Process Saf Environ 2013; 91(1): 54–60.

24.

Wang

Yang

. Implementation of an integrated real-time process surveillance and diagnostic system for nuclear power plants. Ann Nucl Energy 2016; 97: 7–26.

25.

Smith

. Chemical process: design and integration. Hoboken, NJ: John Wiley & Sons, 2005.

26.

C’ardenas

Amin

Lin

et al . Attacks against process control systems: risk assessment, detection, and response. In: Proceedings of the 6th ACM symposium on information, computer and communications security (ASIACCS ’11), Hong Kong, China, 22–24 March 2011, pp.355–366. New York: ACM.

27.

Hakan

Aysegul

Gokcay

. Modeling of the activated sludge process by using artificial neural networks with automated architecture screening. Comput Chem Eng 2008; 32(10): 2471–2478.

28.

Morad

Zin

Yusof

et al . Process modelling of combined degumming and bleaching in palm oil refining using artificial neural network. J Am Oil Chem Soc 2010; 87(11): 1381–1388.

29.

Esmaeil

Ali

Nima

et al . Dynamic safety assessment of natural gas stations using Bayesian network. J Hazard Mater 2017; 321(Supplement C): 830–840.

30.

Nima

Faisal

Paul

. Safety analysis in process facilities: comparison of fault tree and Bayesian network approaches. Reliab Eng Syst Safe 2011; 96(8): 925–932.

31.

Dejaeger

Verbraken

Baesens

. Toward comprehensible software fault prediction models using Bayesian network classifiers. IEEE T Software Eng 2013; 39(2): 237–257.

32.

Poolsappasit

Dewri

Ray

. Dynamic security risk management using Bayesian attack graphs. IEEE T Depend Secure 2012; 9(1): 61–74.

33.

Frigault

Wang

Singhal

et al . Measuring network security using dynamic Bayesian network. In: Proceedings of the 4th ACM workshop on quality of protection, Alexandria, VA, 27 October 2008, pp.23–30. New York: ACM.

34.

Dan Foresee

Hagan

. Gauss-Newton approximation to Bayesian learning. In: International conference on neural networks, Houston, TX, 12 June 1997, pp.1930–1935. New York: IEEE.

35.

Hogg

Craig

. Introduction to mathematical statistics. 5th ed.Upper Saddle River, NJ: Prentice Hall, 1995.

36.

Rausand

. Risk assessment: theory, methods, and applications, vol. 115. Hoboken, NJ: John Wiley & Sons, 2013.

Extended multilevel flow model-based dynamic risk assessment for cybersecurity protection in industrial production systems

Abstract

Keywords

Introduction

Background

Cybersecurity risk in IPS

MFM

Dynamic risk assessment architecture

System modeling with extended MFM

Extended MFM

Function

Flow

Modeling process of the extended MFM

Extended MFM-based risk assessment

Probability inference for control strategies

Loss calculation of control strategies

Obtainment of the dynamic risk

Simulations and risk analysis

Simulation platform and models

Result analysis

Probability inference

Loss calculation

Risk assessment

Execution time

Approaches comparison

Conclusion

Footnotes

Appendix 1

Declaration of conflicting interests

Funding

References