Sage Journals: Discover world-class research

Abstract

Critical infrastructures are essential for national security, economy, and public safety. As an important part of security protection, response strategy making provides useful countermeasures to reduce the impacts of cyberattacks. However, there have been few researches in this domain that investigate the cyberattack propagation within a station and the incident spreading process in the critical infrastructure network simultaneously, let along analyzing the relationships between security strategy making for a station and scheduling strategy for the critical infrastructure network. To tackle this problem, a hierarchical colored Petri net–based cyberattacks response strategy making approach for critical infrastructures is presented. In this approach, the relationships among cyberattacks, security measures, devices, functions, and station capacity are analyzed and described in a hierarchical way, and the system loss is calculated with the input of abnormal station capacities. Then, based on the above model, the security strategy making for a station and the scheduling strategy making for the critical infrastructure network are investigated in depth. Finally, the effectiveness of the proposed approach is demonstrated on a simulated water supply system.

Keywords

Critical infrastructures hierarchical colored Petri net cyberattack response cybersecurity protection system-of-systems

Introduction

Critical infrastructures (CIs) are viewed as the foundation of crucial economic and social function, whose secure and reliable operation provides essential, continual good, or service to meet the country demand.¹ Nowadays, the wide adoption of developed information and communication technologies (ICT) improves the CIs operation efficiency, but it also makes CIs more vulnerable to cyber threats. In 2003, the worm virus “Slammer” invaded into the “Davies–Besse” nuclear plant and disabled the safety monitoring system in Ohio, USA.² Several relevant departments believed the blackout accident that occurred in northeast America and Canada in 2009 was caused by foreign cyberattacks.³ In 2015, hackers attacked the Ukrainian grid and caused large-scale grid blackout.⁴ Therefore, cybersecurity protection for CIs is important and essential.

CIs require high availability, which means the unexpected shutdown of these systems is not allowed.⁵ Thus, detecting the cyberattacks and responding timely, which can improve the intrusion tolerance ability of CIs on runtime, are of significance.⁶ Specifically, once the cyberattacks are detected by intrusion detection system (IDS), an appropriate response strategy should be made and executed to prevent the cyberattacks propagation. In addition, the cyberattack can propagate from cyber space to physical space, and the incidents due to cyberattacks may propagate in CIs network with the interdependence among stations.⁷ Thus, an appropriate response strategy can prevent the propagation process and mitigate the impacts of cyberattacks.

Many researches on response strategy making have been done in the past decades. Yan et al.⁸ proposed a response strategy based on the phasor measurement unit (PMU) attack graph which analyzed the attack paths in smart grid. Qin et al.⁹ established a multi-model based on Bayesian Network for dynamic decision-making in industrial control systems (ICSs). Zonouz and Haghani¹⁰ analyzed the grid situation and sorted the candidate incidents, which provided valuable information to security strategy makers. Wang et al.¹¹ defined the condition risk and the cost in smart grid and provided the decision-making approach with these definitions. Yan and Haimes¹² calculated the protection strategy cost–benefit in each subsystem and used linear programming model to obtain the optimal system strategy. Li et al.¹³ provided a multi-objective optimization-based decision-making approach which considered the security benefit, system benefit, and state benefit in ICSs. These approaches focus on the attack propagation or the attacker–defender game process, contributing to CIs attack response making. But there exist several special factors in CIs cybersecurity protection, for example, attacks to CIs cannot only propagate from cyber space to physical space, but can also spread from station to stations through the CI network. In addition, security strategy making for the station and scheduling strategy making for CIs need to be cooperated with each other. Therefore, the existing works cannot be applied to CIs protection directly due to the neglect of the characteristics mentioned above.

Motivated by the above analysis, a hierarchical colored Petri net (HCPN)–based cyberattacks response strategy making approach for CIs is proposed in this article. In this approach, an HCPN modeling method which decouples a complex system into different layers and describes the relationship among these layers by colored Petri is proposed. It can be used to model the operation of a CI in a graphic way. Based on this method, the cyber-physical interaction within a station and material dependence among stations are modeled, which are used to analyze the consequences due to cyberattacks and response strategy. Also, a response strategy making approach is introduced to analyze the security strategy making for station and scheduling strategy making for system and then generates the optimize response strategy based on the above two types of strategies.

The rest of this article is organized as follows: section “Background and preliminary” discusses the characteristic of the cyberattacks response in CIs and puts forward the architecture of the proposed approach. Section “System modeling with HCPN” gives the definition and description of HCPN and then uses HCPN to model the attack propagation in CIs. The generation of the attack response is analyzed in section “Optimal response strategy making.” Section “Simulation and result analysis” verifies the effectiveness of proposed approach, and the conclusions and remarks are provided in section “Conclusion.”

Background and preliminary

Analysis of response strategy making in CIs

As a typical system-of-systems,¹⁴ a CI usually consists of a control center and several types of stations, such as generation, transmission, customer. The characteristics of CIs are described as follows:¹⁵ (1) each station is independent and useful in its own right, which can be divided into a cyber space and a physical space; (2) all stations are distributed geographically and form a complex network; (3) the control center manages all stations cooperatively to achieve an intended purpose.

The attackers generally acquire the following goals step by step: (1) compromising the station management authority by launching cyberattacks,¹⁶ (2) reducing the station capacity using the compromised authority, (3) propagating the station incident in the CI network due to interdependences,¹⁷ and (4) causing negative impact on society.^18,19 On the contrary, the CI defenders need to perform the following operations: (1) making security strategy to prevent the authority compromise and capacity reduction within the station, (2) making scheduling strategy to prevent the incident propagating in the CI network, and (3) making policy to mitigate the negative impact on society. According to the above discussion, the station operation and CI states are changed with attacks propagating. Hence, an appropriate model for describing the changing process is important for cyberattacks response.

Demand analysis of system modeling

A Petri net (PN) is a graphical and mathematic modeling tool to describe the structure and behaviors of systems in a visual means. Specifically, the places with its own token can represent the properties of system components, and the transition between different places describes the dynamic process of the component states changing. These characteristics make PNs suitable for modeling the system operation process, such as ICS, telecommunication, and transportation.^20,21

PN also contributes to response strategy making for CIs, the places and transitions in PN describe the behaviors of the attackers in IT system,²² and then the defenders can prevent the propagating process by making appropriate security strategy.²³ However, the station capacity, which is changed with the attack propagation, is multi-variable and it cannot be described by the token property in PN. In addition, a station is a complex system that is decoupled into different types of objects, such as device, function, goal, which makes it difficult for PN to describe the interaction among these objects. To solve this problem, colored Petri net (CPN)²⁴ is combined with “hierarchical” knowledge in ontology to describe the attack behavior, defender behavior, device states, function states, and station capacity, which helps to analyze the incident spreading in the CI network and response strategy making for CIs.

Architecture of response strategy making approach

The architecture of response strategy making approach is shown in Figure 1, where the inputs are the attack evidences and the current system states, and the output is the optimal response strategy for the stations which has suffered cyberattacks.

Figure 1.

Architecture of cyberattack response approach for CIs.

The approach consists of three main steps: (1) generating the candidate response strategies for the station which has suffered cyberattacks, then obtaining each strategy properties, such as theirs benefit and mapped station capacities; (2) making the optimal scheduling strategy for the CI, which uses the candidate security strategies of the stations and then distributes the control tasks to all stations; (3) selecting the optimal security strategy for the stations, which considers both the control task and the candidate response strategies. Note that the cyberattacks response strategy for CIs is constructed by the appropriate strategy for each station.

System modeling with HCPN

Description of HCPN

HCPN adopts the “Hierarchical” knowledge²⁵ to decouple a complex system into several related objects, such as goals, functions, and devices and then utilizes CPN to describe the state changing of each object and the relationships among them. As shown in Figure 2, each object can be viewed as a “part of” another object situated at a higher level, and the states changing of this object contribute to the property of higher object; on this basis, the above objects characteristics are modeled by CPN. The definition and description of these objects are introduced in the following.

Figure 2.

HCPN derived from a “goal–function–device” framework.

“Goal” represents the purpose of system, that is, what the operators want the system to reach. “Function” is a role played in the achievement of a goal, which is realized by related devices. “Device” denotes the component that constructs the system.²⁶ A five-tuple $〈 P, C, T, λ, O 〉$ is defined to describe the HCPN:

Places set $P$ : each object, such as goal, function, and device, can be represented by a place $P_{i}$ .

Color set $C$ : each place has a token at a certain time, and the color of this token denotes the state of the corresponding object, such as function failed or normal.

Transition set $T$ : a transition represents the relationship of a place with others. In addition, each transition has a pre-condition and a post-condition. A transition $T_{i}$ is defined in equation (1)

Pre {(P_{1}, c_{1}), \dots, (P_{m}, c_{m})} \Rightarrow Post {(P_{k}, c_{k})}

(1)

where $c_{i}$ represents a colored token, $P_{i}$ is the ith place in $P$ . Equation (1) represents when the pre-condition is satisfied, the color of the token in $P_{k}$ is changed to $c_{k}$ .

Input $λ$ : it consists of a distribution of colored tokens of the places at the start time.

Output $O$ : it consists of a distribution of colored tokens of the places at the end time.

In general, $P$ represents the goal, functions, and devices in a system, $C$ denotes their property; $T$ indicates the relationships between these objects; $λ$ and $O$ are the input and output

Modeling cyberattacks propagation within a station

As mentioned in section “Background and preliminary,” the cyberattacks to a station can propagate from cyber space to physical space, whose goal is to reduce the station capacity. In order to describe the process, HCPN is used to build the cyberattacks propagation model. Referring to the “goal–function–device” framework, a station can be decoupled into many types of objects, as shown in Table 1. In addition, a type of object called “behavior” which indicates the attacks and security measures is added into this table.

Table 1.

“Goal–function–device–behavior” for station.

Object	Name	Description
Goal	Station goal	Station capacity can reach the managers expectation
Function	Cyber function	Role in station management (i.e. monitoring, control, data storage)
Function	Physical function	A process in charge of special material handling
Device	Cyber device	The components (i.e. HMI, engineer station, router, PLC)
Behavior	Atomic attack	(i.e. buffer overflow, data tampering, privilege escalation)
Behavior	Security measure	(i.e. turn on firewall, shutdown device, disconnect, use standby)

HMI: human–machine interface; PLC: programmable logic controller.

Based on Table 1, cyberattacks propagation within a station can be modeled by an HCPN

N^{sta} \overset{def}{=} 〈 P^{sta}, C^{sta}, T^{sta}, λ^{sta}, O^{sta} 〉

(2)

where the place set $P^{sta}$ includes five types of places, and the color set $C^{sta}$ in different types of places has a different number of values, as shown in Table 2.

Table 2.

Description of places properties in HCPN.

Object	Place	Colored	Description
Goal	$P^{g}$	$c_{1} - c_{\lg}$	Each colored token represents a special station capacity value
Function	$P^{f}$	${c_{0}, c_{1}}$	$c_{0}$ means the function is normal; $c_{1}$ means the function failed
Cyber device	$P^{d}$	${c_{0}, c_{1}}$	$c_{0}$ means the device is normal; $c_{1}$ means the device is compromised
Atomic attack	$P^{a}$	${c_{0}, c_{1}}$	$c_{0}$ means the attack is not launched; $c_{1}$ means the attack is launched
Security measure	$P^{s}$	${c_{0}, c_{1}}$	$c_{0}$ and $c_{1}$ mean the measure is not activated and activated, respectively

HCPN: hierarchical colored Petri net.

The transition $T_{i}^{sta} \in T^{sta}$ means the relationship between the property of the objects mentioned in Table 1, and these transitions can be divided into two types: (1) the transition shown in equation (1), where the $c_{i}$ only has two values, $i \in {1, \dots, m, k}$ ; (2) the transition shown in equation (1), the $c_{i}$ in pre-condition has two values, and the $c_{k}$ has multi-value, $1 \leq i \leq m$ . Appendix 1 provides how to obtain these two types of transitions. The input $λ^{sta}$ is given by defenders who allocate the special colored token to the corresponding places. The output $O^{sta}$ is inferred by $λ^{sta}$ and $N^{sta}$ .

Optimal response strategy making

Generation of candidate security strategies for stations

Cyberattacks are always launched to compromise the devices, disable the functions, and reduce the station capacity. In order to secure the operation safety, the security strategy is made to protect the devices, which maps to certain station capacity value. Considering the interaction between station and control center, candidate security strategies for the station are generated in this subsection.

A security strategy maps to certain station capacity, but certain station capacity may be caused by several security strategies. The candidate security strategies $C^{cnd}$ for a station consist of $\lg$ security strategies and are represented by equation (3)

C^{cnd} = {ζ_{1}^{apt}, \dots, ζ_{\lg}^{apt}}

(3)

where $ζ_{i}^{apt}$ is an acceptable security strategy which satisfies certain conditions, such as it makes the station capacity to locate on certain value $g_{i}$ and gains expected benefit.

A security strategy $ζ$ for a station consists of the security measures which are activated, and it can be represented by a vector $M^{s}$ , where $M^{s} (i) = 1$ means the ith security measure is activated. Based on Table 2, four vectors $M^{a}$ , $M^{s}$ , $M^{d}$ , and $M^{f}$ are used to map the colored token in $P^{a}$ , $P^{s}$ , $P^{d}$ , and $P^{f}$ , respectively, and their elements are defined by equation (4)

M^{j} (i) = {\begin{matrix} 0, & the colored token is (P_{i}^{j}, c_{0}) \\ 1, & the colored token is (P_{i}^{j}, c_{1}) \end{matrix}

(4)

where $M^{j} (i)$ is the value of the ith element in $M^{j}$ , $j \in {a, s, d, f}$ . In addition, we define the variable $M^{g}$ to represent the colored token in station goal place, which is shown in equation (5)

M^{g} = {\begin{matrix} 1 & the colored token is (P^{g}, c_{1}) \\ ⋮ & ⋮ \\ \lg & the colored token is (P^{g}, c_{\lg}) \end{matrix}

(5)

Based on the above definition, the candidate security strategies $C^{cnd}$ can be represented by the vector $M^{s}$ and is shown in equation (6)

C^{cnd} = {M_{1}^{s, apt}, \dots, M_{\lg}^{s, apt}}

(6)

where $M_{i}^{s, apt} = {H (s_{1}), \dots, H (s_{m})}$ , $m$ is the number of the security measures in this station, and $H (s_{k})$ indicates the measure $s_{k}$ is activated or not and its value is equal to 0 or 1.

A security strategy $ζ$ is represented by the vector $M^{s}$ , and its impact on station is described by attack path $AP = {M^{a}, M^{s}, M^{d}, M^{f}, M^{g}}$ . Algorithm 1 shows how to get the attack path.

Algorithm 1. $AP = GetAttackPath (E, M^{s}, N^{sta})$ .
Input: Attacks $E$ , security strategy $M^{s}$ , HCPN $N^{sta}$
Output: Attack path $AP$
1. $M^{a} \leftarrow E$ \* refer to Table 2*\
2. $AP \leftarrow {M^{a}, M^{s}}$
3. Renew $P^{a}$ and $P^{s}$ \* refer to equation (4)*\
4. for each $P_{i}^{d} \in P^{d}$ do
5. Renew $P_{i}^{d}$ \* Based on transition mechanism *\
6. end for
7. for each $P_{i}^{f} \in P^{f}$ do
8: Renew $P_{i}^{f}$ \* Based on transition mechanism *\
9: Renew $M_{i}^{f}$ \equation (4)\
10: end for
11: Renew $P^{g}$ \* Based on transition mechanism *\
12: Renew $M^{g}$ \* refer to equation (4)*\
13: $AP \leftarrow AP \cup {M^{d}, M^{f}, M^{g}}$
14: return $AP$

$CB (M^{s})$ is used to calculate the net benefit of security strategy $M^{s}$ , which is shown in equation (7)

CB (M^{s}) = BftCal (M^{s}) - CostCal (M^{s})

(7)

where the description of all the elements in equation (7) is listed as follows:

1. Benefit of executing security strategy $Bft (M^{s})$ : $A P_{E}$ and $A P_{E, M}$ are the attack paths which are obtained from $GetAttackPath (E, \emptyset, N^{sta})$ and $GetAttackPath (E, M^{s}, N^{sta})$ , respectively. Then the benefit of the security strategy is calculated by equation (8)

\begin{matrix} BftCal (M^{s}) = \\ \sum_{i \in {d, f, g}} \sum_{1 \leq j \leq l (i)} (M_{E}^{i} (j) - M_{E, M}^{i} (j)) \times μ_{j}^{i} \end{matrix}

(8)

where $M_{E}^{i} (j)$ is the jth element in $M_{E}^{i}$ and $M_{E}^{i}$ is vector in $A P_{E}$ . Similarly, $M_{E, M}^{i} (j)$ is the element in $A P_{E, M}$ . Besides, $μ_{j}^{i}$ is the asset value of the specific object (device, function, and goal) which is given by experts, and $l (i)$ is the number of elements in $M_{E}^{i}$ or $M_{E, M}^{i}$ , $i \in {d, f, g}$ .

2. Cost of executing security strategy $CostCal (M^{s})$ : the execution of security strategy consumes resources, such as hardware configuration, computing resource, communication resource, and so on.²⁷ Thus, the consumed resources of $M^{s}$ are quantified as follows

CostCal (M^{s}) = \sum_{1 \leq i \leq ls} M_{E, M}^{s} (i) \times φ_{i}

(9)

where the value $φ_{i}$ is the cost of executing the ith security measure and is provided by security experts; $ls$ is the number of elements in $M_{E, M}^{s}$ .

$M_{i}^{s, apt}$ in equation (6) needs to meet the following conditions: (1) $CM (M_{i}^{s, apt}, E) = g_{i}$ represents that $M_{i}^{s, apt}$ maps to station capacity $g_{i}$ when the station $st a_{i}$ has suffered the attack $E$ ; (2) $CB (M_{i}^{s, apt}) \geq R$ is satisfied; it means $M_{i}^{s, apt}$ needs to gain enough net benefit. Algorithm 2 describes how to generate the acceptable security strategy $M_{i}^{s, apt}$ , which combines the HCPN and genetic algorithm.

Algorithm 2. Get a acceptable security strategy.
Input: HCPN $N^{sta}$ , attack evidence $E$
Output: Acceptable security strategy $M_{i}^{s, apt}$
1: Iterations $t_{\max}$ , population $G_{0}$
2: $G_{0} \leftarrow \emptyset$ , $G \leftarrow \emptyset$ , $M^{cnd} \leftarrow \emptyset$
3: $G_{0} \leftarrow Rand (M^{s})$
4: for $t \leftarrow 1$ to $t_{\max}$ do
5: for each $G_{0, k} \in G_{0}$ do
6: $M_{k}^{g} \leftarrow GetAttackPath (E, G_{0, k}, N^{sta})$
7: end for
8: $G \leftarrow Rank (G_{0}, M^{g})$
9: if $t = t_{\max}$ \| $CB (G (1)) \geq R$ then
10: $G_{0} \leftarrow G$
11: break;
12: end if
13: $G_{n} \leftarrow G_{n} \cup Select (G, ns)$
14: $G_{n} \leftarrow G_{n} \cup CroMut (G, nc)$
15: $G_{n} \leftarrow G_{n} \cup AddInd (G, na)$
16: $G_{0} \leftarrow G_{n}$
17: end for
18: $M_{i}^{s, apt} \leftarrow G_{0} (1)$
19: return $M_{i}^{s, apt}$

In Algorithm 2, the population $G_{0}$ has $n$ individuals, $G_{0, k}$ is the kth individual in $G_{0}$ and is used to store a security strategy. $Rand (M^{s})$ represents generating $n$ vectors by assigning all the elements in $M^{s}$ with 0 or 1 randomly and then each vector is a security strategy and represented by an individual. $Rank (G_{0}, M^{g})$ means all the individuals in $G_{0}$ are ranked; specifically, the individuals, which map to $M^{g} = i$ , are ranked in descending order according to the net benefit. $Select (G, ns)$ means that selecting the $1 th - ns th$ individuals in $G$ . $CroMut (G)$ means that the $(ns + 1) th - (ns + nc) th$ individuals in $G$ are crossed and mutated. $AddInd (G, na)$ generates $na$ individuals in a random way.

The candidate security strategies for station are constructed by $M_{i}^{s, apt}$ $(1 \leq i \leq \lg)$ , and it can be obtained by executing Algorithm 2 for $\lg$ times.

Construction of optimal scheduling strategy for CIs

Assume that there exists $ν$ stations in a CI network, and the ith station is named as $st a_{i}$ , the candidate station capacities of $st a_{i}$ have $\lg$ elements and are defined by equation (10)

g_{i} (t) = {g_{i, 1}, \dots, g_{i, \lg}}

(10)

where $g_{i} (t)$ represents the reception capacity of material at time $t$ , $g_{i, j}$ is a special value which is decided by the operation of $st a_{i}$ , and it maps to $M_{i}^{g} = j$ .

Because of the internal dependence and topology characteristic of CIs network,²⁸ the changing of a station capacity may impact on other stations. Hence, the scheduling strategy which consists of all station capacity setting can manage the CI network states.²⁹ In order to quantify the effect of scheduling strategy, we calculate the system loss when the scheduling strategy is executed. The system loss $L (t)$ at time $t$ is obtained by equation (11)

L (t) = LossCal (S (t), δ (t))

(11)

where $S (t)$ denotes the scheduling strategy which is defined by $S (t) = {g_{1} (t), \dots, g_{ν} (t)}$ ; $δ_{i} (t)$ is the overload of $st a_{i}$ at time $t$ . Obviously, $S_{i} (t)$ is a specific value which is decided by the value of $g_{i} (t)$ . The inference of equation (11) is elaborated in Appendix 1.

If $st a_{i}$ has suffered cyberattacks, and the jth element in candidate security strategies leads the $st a_{i}$ capacity to locate at a specific value $g_{i, j}$ at time $t$ , the optimal scheduling strategy making for the network is setting the capacities of the other stations, whose goal is to make the system loss at the minimum value. Therefore, the optimal scheduling strategy is defined as follows

S_{j}^{opt} (t) = {g_{1}^{opt} (t), \dots, g_{i - 1}^{opt} (t), g_{i, j}, g_{i + 1}^{opt} (t), \dots, g_{ν}^{opt} (t)}

(12)

where $g_{k}^{opt} (t)$ equals to a specific element which is selected from equation (10), $1 \leq k \leq ν$ and $k \neq i$ . In order to obtain $S_{j}^{opt} (t)$ , Algorithm 3 is provided.

Algorithm 3. Get the optimal scheduling strategy.
Input: Station capacity $g_{i, j} (t)$ , $LossCal ()$ , states $δ (t)$
Output: Scheduling strategy $S_{j}^{opt} (t)$
1: $G (t) \leftarrow Construct (g_{1} (t), \dots, g_{i, j}, \dots, g_{ν} (t))$
2: $S_{j}^{opt} (t) \leftarrow G_{1} (t)$
3: $L_{1} \leftarrow LossCal (G_{1} (t), δ (t))$
4: for $i \leftarrow 2$ to $u$ do
5: $L_{i} \leftarrow LossCal (G_{i} (t), δ (t))$
6: if $L_{i} \leq L_{i - 1}$ then
7: $S_{j}^{opt} (t) \leftarrow G_{i} (t)$
8: end if
9: end for
10: return $S_{j}^{opt} (t)$

In Algorithm 3, (1) $G (t) \leftarrow Construct ()$ means constructing the scheduling strategies set $G$ . Specifically, select an element from $g_{k} (t)$ randomly, which forms a scheduling strategy with $g_{i, j}$ , where $1 \leq k \leq ν$ and $k \neq i$ . (2) $u$ is the number of element in $G$ , if the capacity of each station has $\lg$ values, then $u$ is equal to $l g^{ν - 1}$ .

Algorithm 3 can generate the optimal scheduling strategy when a station has suffered cyberattacks, which can also be used to make optimal scheduling strategy when two or more stations have suffered cyberattacks simultaneously.

Making the optimal response strategy for CIs

The candidate security strategies set $M_{i}^{cnd}$ for $st a_{i}$ has $\lg$ elements and the jth element is one-to-one mapped to the station capacity value $g_{i, j}$ . In addition, $g_{i, j}$ is related with an optimal scheduling strategy $S_{j}^{opt} (t)$ , $1 \leq j \leq \lg$ . Then the optimal response strategy is obtained by following steps:

Renewing the station capacities set $g_{i} (t)$ : several security strategies may not be suitable for $st a_{i}$ because of resource constraint, which reduces the number of values of candidate station capacity.

Selecting appropriate station capacity $g_{i}^{opt} (t)$ : the value $g_{i, j}$ in $g_{i} (t)$ is mapped to an optimal scheduling $S_{j}^{opt} (t)$ , and the system loss of $S_{j}^{opt} (t)$ can be calculated from Appendix 2, then select the minimum value from the set of system loss. Therefore, we get the optimal station capacity $g_{i}^{opt} (t)$ .

Obtaining the appropriate security strategy for $st a_{i}$ : each element in the candidate security strategies set $M^{cnd}$ is one-to-one mapped to a fixed station capacity value, compare $g_{i}^{opt} (t)$ with all the station capacities and find the corresponding security strategy from $M^{cnd}$ , at last, obtain the combination of security measures through equation (4) and Table 2.

Simulation and result analysis

Simulation platform and modeling process

Simulations are conducted on a simple water supply system which consists of six stations and a control center. As shown in Figure 3, the stations ( $st a_{1} - st a_{5}$ ) form a network which is managed by the control center. In $st a_{2}$ , tower T1 is in charge of seven-tenths of the workload, programmable logic controller (PLC)4 controls the valves V1 and V2 to manage the operation of T1, PLC5 collects the liquid levels of T1 and T2 through the sensors, PLC6 controls the valves V3 and V4 to manage the operation of T2, and all the PLCs are controlled by the process management (PM2). Similarly, the control structures of other stations are shown in Figure 3.

Figure 3.

The structure of a water supply system.

The attackers scan the devices vulnerabilities in $st a_{2}$ and then launch authentication bypass attack to acquire the authority of PM2; based on these operations, the attackers can control the physical process of $st a_{2}$ by impacting the PLCs which manage the water flowing directly. In order to model the above cyberattacks propagation, we decouple the $st a_{2}$ into goal, functions, and devices; besides, we also give the attack behaviors and the security measures; all of these objects are listed in Table 3.

Table 3.

Goal–function–device in $ST A_{2}$ .

Type	Symbol	Description
Function	$f_{2, 1}$	Monitoring the T1 states
	$f_{2, 2}$	Monitoring the T2 states
	$f_{2, 3}$	Controlling the T1 operation
	$f_{2, 4}$	Controlling the T2 operation
	$f_{2, 5}$	Transmitting water based on T1
	$f_{2, 6}$	Transmitting water based on T2
Device	$d_{2, 1}$	Communication devices
	$d_{2, 2}$	Production management
	$d_{2, 3}$	PLC4
	$d_{2, 4}$	PLC5
	$d_{2, 5}$	PLC6
	$d_{2, 6}$	Valve 1
	$d_{2, 7}$	Valve 2
	$d_{2, 8}$	Valve 3
	$d_{2, 9}$	Valve 4
	$d_{2, 10}$	Liquid level sensor 1 in T1
	$d_{2, 11}$	Liquid level sensor 2 in T2
Attack	$a_{2, 1}$	Device vulnerability scanning on ETH2
	$a_{2, 2}$	Authentication bypass attack on PM2
	$a_{2, 3}$	Integrity attack on PLC4
	$a_{2, 4}$	Integrity attack on PLC5
	$a_{2, 5}$	Integrity attack on PLC6
	$a_{2, 6}$	Control logic changing attack on PLC4
	$a_{2, 7}$	Control logic changing attack on PLC5
	$a_{2, 8}$	Control logic changing attack on PLC6
Measure	$s_{2, 1}$	Install patches onto devices
	$s_{2, 2}$	Limit the password attempts of PM2
	$s_{2, 3}$	Close the PM2
	$s_{2, 4}$	Encryption between PM2 and PLC4
	$s_{2, 5}$	Encryption between PM2 and PLC5
	$s_{2, 6}$	Encryption between PM2 and PLC6

PLC: programmable logic controller; PM: process management.

The relationships between these objects can be modeled by tree structure, and the modeling process is discussed in “ goal–function–devices” framework.²⁶ The tree structure is shown in Figure 4, where the attack and security measure are activated to change devices states.

Figure 4.

Relationships between “goal–function–device–behavior.”

Each object in Table 3 can be mapped to a certain place, and the states of these objects can be represented by the colored token in places. Table 4 provides the definition of the colored token in each place, where $v_{2}^{ept} (t)$ represents the expected reception capacity of $st a_{2}$ at time $t$ , which is decided by the station managers.

Table 4.

Description of colored token in $ST A_{2}$ .

Token	Object state	Token	Object state
$(p_{i}^{a}, c_{0})$	$a_{i}$ does not happen	$(p_{i}^{f}, c_{0})$	$f_{i}$ is normal
$(p_{i}^{a}, c_{1})$	$a_{i}$ happens	$(p_{i}^{f}, c_{1})$	$f_{i}$ is failed
$(p_{i}^{s}, c_{0})$	$s_{i}$ is not activated	$(p_{2}^{g}, c_{0})$	$g_{2} = v_{2}^{ept} (t)$
$(p_{i}^{s}, c_{1})$	$s_{i}$ is activated	$(p_{2}^{g}, c_{1})$	$g_{2} = 0.7 \times v_{2}^{ept} (t)$
$(p_{i}^{d}, c_{0})$	$d_{i}$ is normal	$(p_{2}^{g}, c_{2})$	$g_{2} = 0.3 \times v_{2}^{ept} (t)$
$(p_{i}^{d}, c_{1})$	$d_{i}$ is compromised	$(p_{2}^{g}, c_{3})$	$g_{2} = 0$

The places and their properties are provided in Table 4, and the transitions between these place can be obtained from Appendix 1; hence, attack propagation model for $st a_{2}$ is built based on HCPN and is shown in Figure 5.

Figure 5.

The attack propagation model for $st a_{2}$ .

Result analysis

In order to verify the effectiveness of our approach, several simulations are carried out to analyze the security strategy making process when $st a_{2}$ has suffered cyberattacks. As shown in Table 5, the security measures, which are executed to prevent specific attacks, have their own properties, such as implementation cost and benefit.

Table 5.

Properties of security measures.

Security measure	Prevented attack	Implementation cost (USD)	Benefit (USD)
$s_{2, 1}$	$a_{2, 1}$	150	500
$s_{2, 2}$	$a_{2, 2}$	80	400
$s_{2, 3}$	$a_{2, 2}$	300	400
$s_{2, 4}$	$a_{2, 3}, a_{2, 6}$	200	600
$s_{2, 5}$	$a_{2, 4}, a_{2, 7}$	200	400
$s_{2, 6}$	$a_{2, 5}, a_{2, 8}$	100	800

As discussed in section “System modeling with HCPN,” the response strategies making process is divided into three sub-processes. The first is generating the candidate strategies for the station which has suffered cyberattacks. Table 6 shows the attack evidence $E$ on $st a_{2}$ , where the rows show the times and the happened atomic attacks.

Table 6.

Description of attack evidences.

Time	Attack	Description
4	$H (a_{2, 1}) = T$	Vulnerability scanning attack happens
6	$H (a_{2, 2}) = T$	Authentication bypass attack on PM2
8	$H (a_{2, 3}) = T$	Integrity attack on PLC4 happens
11	$H (a_{2, 5}) = T$	Integrity attack on PLC6 happens
13	$H (a_{2, 7}) = T$	Control logic changing attack on PLC5

PLC: programmable logic controller; PM: process management.

Then the response strategy for $st a_{2}$ at each time can be expressed by the combination of security measures, which is shown in equation (13)

R_{i} = {H (s_{2, 1}), \dots, H (s_{2, 6})}

(13)

$H (s_{2, i}) = T$ or $H (s_{2, i}) = F$ represents the security measure $s_{2, i}$ is executed or not, which can map to $M_{i}^{s} = 1$ or $M_{i}^{s} = 0$ . From Algorithm 2, the individual in genetic algorithm is represented by $M^{s}$ and then we get the acceptable security strategy for each station capacity value. As shown in Table 7, $M^{g}$ is the capacity value of $st a_{2}$ , and the net benefit of each strategy is calculated based on Table 5. Note that the cyberattack or security strategy has no impact on station capacity at some time, such as at hours 4 and 6.

Table 7.

Candidate security strategy for $ST A_{2}$ .

Time	Response strategy	Capacity	Cost (USD)	Net benefit (USD)
4	$M^{s} = [1, 0, 0, 0, 0, 0]$	$M^{g} = 0$	150	$0.35 \times 10^{3}$
6	$M^{s} = [1, 1, 0, 0, 0, 0]$	$M^{g} = 0$	230	$0.67 \times 10^{3}$
8	$M^{s} = [1, 1, 0, 1, 0, 0]$	$M^{g} = 0$	430	$1.07 \times 10^{3}$
8	$M^{s} = \emptyset$	$M^{g} = 1$	0	0
11	$M^{s} = [1, 1, 0, 1, 0, 1]$	$M^{g} = 0$	530	$1.17 \times 10^{3}$
	$M^{s} = [1, 1, 0, 0, 0, 1]$	$M^{g} = 1$	330	$1.37 \times 10^{3}$
	$M^{s} = [1, 1, 0, 1, 0, 0]$	$M^{g} = 2$	430	$1.07 \times 10^{3}$
	$M^{s} = \emptyset$	$M^{g} = 3$	0	0
13	$M^{s} = [1, 1, 0, 1, 1, 1]$	$M^{g} = 0$	730	$1.97 \times 10^{3}$
	$M^{s} = [1, 1, 0, 0, 1, 1]$	$M^{g} = 1$	530	$1.57 \times 10^{3}$
	$M^{s} = [1, 1, 0, 1, 1, 0]$	$M^{g} = 2$	630	$1.27 \times 10^{3}$
	$M^{s} = \emptyset$	$M^{g} = 3$	0	0

Table 7 provides the candidate security strategies for $st a_{2}$ at different times. Assume that the capacity of $st a_{1}$ , $st a_{4}$ , and $st a_{5}$ is not changed, and the $st a_{3}$ has three values $(v_{3}^{ept} (t), 0.5 \times v_{3}^{ept} (t), 0)$ , then the scheduling strategy is equivalent to the combination of the capacity setting value of $st a_{2}$ and $st a_{3}$ . Table 8 shows the optimal scheduling strategy which is mapped to the candidate capacity of $st a_{2}$ at different times.

Table 8.

Optimal scheduling strategies.

Time (h)	Candidate $st a_{2}$ capacity	$st a_{3}$ capacity setting	System cost (USD)
4	$g_{2} = v_{2}^{ept} (t)$	$g_{3} = v_{3}^{ept} (t)$	0
6	$g_{2} = v_{2}^{ept} (t)$	$g_{3} = v_{3}^{ept} (t)$	0
8	$g_{2} = v_{2}^{ept} (t)$	$g_{3} = v_{3}^{ept} (t)$	0
8	$g_{2} = 0.7 \times v_{2}^{ept} (t)$	$g_{3} = 0.5 \times v_{3}^{ept} (t)$	$5.3 \times 10^{4}$
11	$g_{2} = v_{2}^{ept} (t)$	$g_{3} = v_{3}^{ept} (t)$	0
	$g_{2} = 0.7 \times v_{2}^{ept} (t)$	$g_{3} = 0.5 \times v_{3}^{ept} (t)$	$3.4 \times 10^{4}$
	$g_{2} = 0.3 \times v_{2}^{ept} (t)$	$g_{3} = v_{3}^{ept} (t)$	$2.6 \times 10^{4}$
	$g_{2} = 0$	$g_{3} = 0$	$4.8 \times 10^{4}$
13	$g_{2} = v_{2}^{ept} (t)$	$g_{3} = v_{3}^{ept} (t)$	0
	$g_{2} = 0.7 \times v_{2}^{ept} (t)$	$g_{3} = 0.5 \times v_{3}^{ept} (t)$	$2.4 \times 10^{4}$
	$g_{2} = 0.3 \times v_{2}^{ept} (t)$	$g_{3} = v_{3}^{ept} (t)$	$1.1 \times 10^{4}$
	$g_{2} = 0$	$g_{3} = 0$	$3.4 \times 10^{4}$

The optimal response strategy making for cyberattacks is depended on the cost constraint of $st a_{2}$ . Based on Table 8, several scenarios are introduced for making the optimal response strategy: (1) the implementation cost of strategy is not constrained, (2) the implementation cost of strategy is constrained, such as the cost constraint is 500 USD at hour 11 and 700 USD at hour 13, (3) the implementation cost of strategy is constrained, such as the cost constraint is 400 USD at hour 11 and 600 USD at hour 13. The optimal response strategy is shown in Table 9.

Table 9.

The optimal strategy for system.

Scenario	Time	Response strategy
		$st a_{2}$	$st a_{3}$
I	4	${s_{2, 1}}$	$g_{3} = v_{3}^{ept} (t)$
	6	${s_{2, 1}, s_{2, 2}}$	$g_{3} = v_{3}^{ept} (t)$
	8	${s_{2, 1}, s_{2, 2}, s_{2, 4}}$	$g_{3} = v_{3}^{ept} (t)$
	11	${s_{2, 1}, s_{2, 2}, s_{2, 4}, s_{2, 6}}$	$g_{3} = v_{3}^{ept} (t)$
	13	${s_{2, 1}, s_{2, 2}, s_{2, 4}, s_{2, 5}, s_{2, 6}}$	$g_{3} = v_{3}^{ept} (t)$
II	4	${s_{2, 1}}$	$g_{3} = v_{3}^{ept} (t)$
	6	${s_{2, 1}, s_{2, 2}}$	$g_{3} = v_{3}^{ept} (t)$
	8	${s_{2, 1}, s_{2, 2}, s_{2, 4}}$	$g_{3} = v_{3}^{ept} (t)$
	11	${s_{2, 1}, s_{2, 2}, s_{2, 4}}$	$g_{3} = v_{3}^{ept} (t)$
	13	${s_{2, 1}, s_{2, 2}, s_{2, 4}, s_{2, 5}}$	$g_{3} = v_{3}^{ept} (t)$
III	4	${s_{2, 1}}$	$g_{3} = v_{3}^{ept} (t)$
	6	${s_{2, 1}, s_{2, 2}}$	$g_{3} = v_{3}^{ept} (t)$
	8	${s_{2, 1}, s_{2, 2}, s_{2, 4}}$	$g_{3} = v_{3}^{ept} (t)$
	11	${s_{2, 1}, s_{2, 2}, s_{2, 6}}$	$g_{3} = 0.5 \times v_{3}^{ept} (t)$
	13	${s_{2, 1}, s_{2, 2}, s_{2, 5}, s_{2, 6}}$	$g_{3} = 0.5 \times v_{3}^{ept} (t)$

Figure 6 shows the water output of $st a_{2}$ and $st a_{3}$ when they are under different scenarios, where lines 1–3 in each sub-figure represent the output of $st a_{2}$ or $st a_{3}$ when $st a_{2}$ is running normally, has suffered cyberattacks, and is protected by security strategy, as shown in Table 9. Specifically, in the three sub-figures in the first column, line 1 is the same because they indicated the same states of $st a_{2}$ . Line 2 in above sub-figures reaches the minimum value at hour 13 because the operation of T1 and T2 is disturbed. Line 3 shows the consequence due to the security strategy for $st a_{2}$ , as shown in Table 9, the security strategy $H (S^{opt})$ in different scenarios is different, which lead the PLCs and functions to reach different states, and then impacts the output of $st a_{2}$ . In the three sub-figures of the second column, the output of $st a_{3}$ is related with the output of $st a_{2}$ due to the material interdependence between $st a_{2}$ and $st a_{3}$ ; line 3 in those three sub-figures indicates the impact of $st a_{2}$ output, $st a_{3}$ capacity setting shown in Table 9, and the time delay between $st a_{2}$ and $st a_{3}$ simultaneously. Note that Figure 6 only focuses on the consequence of the cyberattacks which occur at hour 13.

Figure 6.

Outputs of $st a_{2}$ and $st a_{3}$ after executing response strategy at hour 13.

Figure 7 shows the net benefit of $st a_{2}$ (gray bar associated with the left Y axes) and the net benefit of the CI (white bar associated with the right Y axes) when the response strategies in different scenarios are executed. The net benefit of $st a_{2}$ is calculated by equation (7) which considers the asset of devices, function, and goal in $st a_{2}$ ; additionally, the net benefit of the CI is calculated by equation (24) which considers the property of all stations. In the first sub-figure, the net benefit of $st a_{2}$ increases because more and more security measures have been activated, which are shown in Tables 5 and 9. The net benefit of the CI is equal to 0 at hours 4 and 6 because the cyberattacks have not yet impacted on the capacity of $st a_{2}$ . Besides, the net benefit of the CI at hour 8 is larger than that at hour 11 or 13 which indicates that the cyberattacks to $st a_{2}$ have more serious impact on system at hour 8. The net benefit of system in the second and the third sub-figures is smaller than that in the first sub-figure due to the cost constraint in $st a_{2}$ .

Figure 7.

Net benefit of $st a_{2}$ and system under different scenarios.

In order to evaluate the real-time performance of our approach, the simulation for response strategy making at hour 13 is performed for 1000 times, where the simulation ran on a computer with Inter Core i3 at 3.90 GHz and 8 GB RAM. The execution time distribution of the simulation is shown in Figure 8. The execution time of our approach consists of three main parts: the time spent on Algorithm 2, Algorithm 3, and the system loss calculation. The complexity of Algorithm 2 is equal to $O (G \times N^{2})$ , which is based on the generation number G and the population size N; the complexity of Algorithm 3 is equal to $O (K^{M})$ , which is based on the station capacity size $K$ and the station number $M$ ; the complexity of system loss calculation is small and can be ignored.

Figure 8.

Execution time of response strategy making at hour 13.

The above simulations verify that our approach has the ability to making response strategy for CIs. In addition, this approach employs different perspectives, which makes it difficult to compare our approach with others. Therefore, we compare the approaches mentioned in section “Introduction” with ours from different aspects. Table 10 provides the approaches comparison.

Table 10.

Comparison of the response making approaches.

Approach	Yan et al.⁸	Qin et al.⁹	Zonouz and Haghani¹⁰	Wang et al.¹¹	Yan and Haimes¹²	Li et al.¹³	This study
Cyber domain	√	√				√	√
Physical domain		√	√	√	√	√	√
Station characteristic	√	√				√	√
Topology characteristic			√	√			√
Attack propagation	√	√	√	√		√	√
System impact	√	√	√	√	√	√	√

Conclusion

In this article, an HCPN-based cyberattacks response strategy making approach for CIs is proposed, which analyzes the relationships among cyberattacks, security measures, devices, functions, and station capacity in a graphical way and then investigates the interaction between response strategy making for station and the scheduling strategy making for CI network. The simulation verifies our approach can make an appropriate response strategy for cyberattacks in real time.

However, this approach needs to prepare the complete knowledge of all the cyberattacks and security measures before building the HCPN model and does not consider the probability attribute of the transition in HCPN. In our future work, the probabilities of attack paths in cyberattacks propagation are investigated, where the propagation process is analyzed with the input of incomplete knowledge of cyberattacks and systems.

Footnotes

Appendix 1

Two types of transitions in HCPN model are analyzed and obtained in this appendix.

In Figure 9, the “AND” and “OR” in the tree whose nodes are the objects can be described by the transitions in Petri net. Then, the detailed transitions are shown in Table 11.

(14)

I (p_{i} | p) = α

Referring to the material flow mechanism, there exist a lemma about the structure of station physical space. If $p_{1}$ and $p_{2}$ are serial structure, then $I (p_{1} | {p_{1}, p_{2}}) = 1$ ; if $p_{1}$ and $p_{2}$ are parallel structure, and $I (p_{1} | {p_{1}, p_{2}}) = α$ , $I (p_{2} | {p_{1}, p_{2}}) = β$ , then $α + β = 1$ .

Based on above contents, the transition between physical process and station goal can be calculated. A simple example is provided to explain the calculation process. As shown in Figure 10, the station consists of five material process $p^{f} = {p_{1}^{f}, p_{2}^{f}, p_{3}^{f}, p_{4}^{f}, p_{5}^{f}}$ , each process is mapped to a function place $P_{i}^{f}$ , and the station capacity is mapped to the goal place, then the transition between them are listed as follows

(15)

Pre {(P_{2}^{f}, c_{i (1)}), \dots, (P_{5}^{f}, c_{i (5)})} \Rightarrow Post (P^{g}, c_{j})

Where the token in $P_{i}^{f}$ has only two colors, and the token in $P^{g}$ is based on the station structure.

In Figure 10, the importance of function in serial structure and parallel structure is given by experts and is shown in Table 12.

With the above analysis, the importance of $p_{2}$ is obtained by the following equations

(16)

\begin{matrix} I (p_{2} | sta) = I (p_{2} | {p_{1}, p_{2}, p_{3}, p_{4}, p_{5}}) \\ = I (p_{2} | {p_{2}, p_{3}}) \times I ({p_{2}, p_{3}} | {p_{2}, p_{3}, p_{4}}) \\ \times I ({p_{2}, p_{3}, p_{4}} | {p_{1}, p_{2}, p_{3}, p_{4}}) \\ \times I ({p_{1}, p_{2}, p_{3}, p_{4}} | {p_{1}, p_{2}, p_{3}, p_{4}, p_{5}}) \\ = 0.3 \times 1 \times 0.6 \times 1 \\ = 0.18 \end{matrix}

Then it means the station capacity is changed from $g^{ept} (t)$ to $0.82 \times g^{ept} (t)$ when $p_{2}$ is failed. According to the mapping relationships between material process and Petri net, we can get a concrete description of the transition which is described by ${(P_{1}^{f}, c_{0}), (P_{2}^{f}, c_{1}), (P_{3}^{f}, c_{0}), (P_{4}^{f}, c_{0}), (P_{5}^{f}, c_{0})} \Rightarrow {(P^{g}, c_{2})}$ , where $(P_{2}^{f}, c_{1})$ means the function $p_{2}$ is failed; $(P^{g}, c_{2})$ represents the station capacity is mapped to $0.82 \times g^{ept} (t)$ .

Appendix 2

In order to analyze the relationship between stations capacities and system loss, several properties of station are listed in Table 13.

Then there exist several equations about the properties in Table 13

(17)

r_{i} (t + 1) = λ (t + 1) - g_{i} (t)

where $λ_{i} (t)$ is the input of $st a_{i}$

(18)

λ_{i} (t + 1) = \sum_{j \in UpNei (st a_{i})} o_{j} (t) \times d_{j, i}

The $UpNei (st a_{i})$ represents the stations which is the upstream neighbor of $st a_{i}$ . Then the output of $st a_{i}$ is obtained by the following equation

(19)

o_{j} (t) = {\begin{matrix} g_{j} (t), & r_{j} (t) \geq 0 \\ g_{j} (t) + r_{j} (t), & r_{j} (t) < 0 \end{matrix}

Then equation (19) can be described as follows

(20)

o_{j} (t) = k_{j} (t) \times g_{j} (t) + μ_{j} (t) \times (g_{j} (t) + r_{j} (t))

where the $k_{j} (t)$ and $μ_{j} (t)$ are defined as follows

(21)

{\begin{matrix} k_{j} (t) = 1, μ_{j} (t) = 0, & j \in UpNei (st a_{i}) r_{j} \geq 0 \\ k_{j} (t) = 0, μ_{j} (t) = 1, & j \in UpNei (st a_{i}) r_{j} < 0 \\ k_{j} (t) = 0, μ_{j} (t) = 0, & else \end{matrix}

Based on equation (21), equation (17) can be represented as follows

(22)

\begin{matrix} r_{i} (t + 1) = \sum_{j = 1}^{n} (k_{j} (t) \times g_{j} (t) + μ_{j} (t) \times (g_{j} (t) + r_{j} (t))) \\ \times d_{j, i} - g_{i} (t) \\ = \sum_{j = 1}^{n} (k_{j} (t) + μ_{j} (t)) \times d_{j, i} \times g_{j} (t) - g_{i} (t) \\ + \sum_{j = 1}^{n} μ_{j} (t) \times r_{j} (t) \\ = A_{i} (t) \times r (t) + B_{i} (t) \times g (t) \end{matrix}

where $r (t) = [r_{1} (t), \dots, r_{n} (t)]^{T}$ , $g (t) = [g_{1} (t), \dots, g_{n} (t)]^{T}$ . Therefore, we can get the estimation equation of all the station states, as shown in equation (23)

(23)

r (t + 1) = A (t) r (t) + B (t) g (t)

Therefore, the cyberattack on a station may cause the overload of other stations in CI network. Thus, we calculate the system loss based on the overloads. As shown in equation (24)

(24)

L (t) = \sum_{i = 1}^{n} \sum_{j = 0}^{m} | r_{i} (t_{0} + j) | \times Δ t \times τ_{i}

where $r_{i} (t_{0} + j)$ is the overload of the ith station at time $t_{0} + j$ , $t_{0}$ is the start time of cyberattacks, $t_{0} + m$ is the time when the station state is normal, $Δ t$ is the period between $t_{0} + j$ and $t_{0} + (j + 1)$ , and $τ_{i}$ is the economic loss of per unit overload of the ith station.

Handling Editor: Michele Amoretti

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Science Foundation of China (NSFC) under grant numbers 61433006, 61873103, and 61272204.

ORCID iD

Yuanqing Qin

References

National Institute of Standards and Technology (NIST). Framework for improving critical infrastructure cybersecurity, 2014, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Cherdantseva

Burnap

Blyth

, et al. A review of cyber security risk assessment methods for SCADA systems. Comput Secur 2016; 56: 1–27.

Gorman

Electricity grid in U.S. penetrated by spies. The Wall Street Journal, 2009, p.8.

Piggin

Cyber security trends: what should keep CEOs awake at night. Int J Crit Infrastruct Protect 2016; 13(C): 36–38.

Lewis

TG.

Critical infrastructure protection in homeland security: defending a networked nation. Hoboken, NJ: John Wiley & Sons, 2014.

Shameli-Sendi

Dagenais

ARITO: cyber-attack response system using accurate risk impact tolerance. Int J Inform Secur 2014; 13(4): 367–390.

Banerjee

Venkatasubramanian

Mukherjee

, et al. Ensuring safety, security, and sustainability of mission-critical cyber–physical systems. Proc IEEE 2012; 100(1): 283–299.

Yan

Govindarasu

Liu

C-C

, et al. Risk assessment framework for power control systems with PMU-based intrusion response system. J Mod Power Syst Clean Ener 2015; 3(3): 321–331.

Qin

Zhang

Zhou

, et al. A risk-based dynamic decision-making approach for cybersecurity protection in industrial control systems. IEEE Trans Syst Man Cybernet Syst 2018; 1–8. DOI: 10.1109/TSMC.2018.2861715.

10.

Zonouz

Haghani

Cyber-physical security metric inference in smart grid critical infrastructures based on system administrators’ responsive behavior. Comput Secur 2013; 39: 190–200.

11.

Wang

Xie

Wang

, et al. Decision-making model based on conditional risks and conditional costs in power system probabilistic planning. IEEE Trans Power Syst 2013; 28(4): 4080–4088.

12.

Yan

Haimes

YY.

Risk-based multiobjective resource allocation in hierarchical systems with multiple decisionmakers. Part I: theory and methodology. Syst Eng 2011; 14(1): 1–16.

13.

Zhou

Tian

, et al. A dynamic decision-making approach for intrusion response in industrial control systems. IEEE Trans Indus Inform 2019; 15: 2544–2554.

14.

Thacker

Pant

Hall

JW.

System-of-systems formulation and disruption analysis for multi-scale critical national infrastructures. Reliab Eng Syst Saf 2017; 167: 30–41.

15.

Sage

Cuppan

CD.

On the systems engineering and management of systems of systems and federations of systems. Inform Knowled Syst Manage 2001; 2(4): 325–345.

16.

Zhang

Zhou

Xiong

, et al. Multimodel-based incident prediction and risk assessment in dynamic cybersecurity protection for industrial control systems. IEEE Trans Syst Man Cybernet Syst 2016; 46(10): 1429–1444.

17.

Rinaldi

Peerenboom

Kelly

TK.

Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Syst Mag 2001; 21(6): 11–25.

18.

Papa

Casper

Moore

Securing wastewater facilities from accidental and intentional harm: a cost-benefit analysis. Int J Crit Infrastruct Protect 2013; 6(2): 96–106.

19.

Restrepo

Simonoff

Zimmerman

Causes, cost consequences, and risk implications of accidents in US hazardous liquid pipeline infrastructure. Int J Crit Infrastruct Protect 2009; 2(1): 38–50.

20.

Sayda

Taylor

. An implementation plan for integrated control and asset management of petroleum production facilities. In: Proceedings of the 2006 IEEE conference on computer-aided control system design, 2006 IEEE international conference on control applications, 2006 IEEE international symposium on intelligent control, Munich, 4–6 October 2006, pp.1212–1219. New York: IEEE.

21.

Herrero-Perez

Martinez-Barbera

Modeling distributed transportation systems composed of flexible automated guided vehicles in flexible manufacturing systems. IEEE Trans Indus Inform 2010; 6(2): 166–180.

22.

Jasiul

Szpyrka

Śliwa

Detection and modeling of cyber attacks with Petri nets. Entropy 2014; 16(12): 6602–6623.

23.

Beccuti

Chiaradonna

Giandomenico

FD.

Quantification of dependencies between electrical and information infrastructures. Int J Crit Infrastruct Protect 2012; 5(1): 14–27.

24.

Peterson

, et al. A note on colored Petri nets. Inf Process Lett 1980; 11(1): 40–43.

25.

Modarres

Cheon

SW.

Function-centered modeling of engineering systems using the goal tree–success tree technique and functional primitives. Reliab Eng Syst Saf 1999; 64(2): 181–200.

26.

Larsson

JE.

Diagnosis based on explicit means-end models. Artif Intell 1996; 80(1): 29–93.

27.

Celli

Pilo

Pisano

, et al. Cost–benefit analysis for energy storage exploitation in distribution systems. CIRED 2017; 2017(1): 2197–2200.

28.

Wang

Hong

Ouyang

, et al. Vulnerability analysis of interdependent infrastructure systems under edge attack strategies. Saf Sci 2013; 51(1): 328–337.

29.

Ten

Manimaran

Liu

Cybersecurity for critical infrastructures: attack and defense modeling. IEEE Trans Syst Man Cybernet Pt A Syst Hum 2010; 40(4): 853–865.

30.

de Gusmão

APH

Silva

Poleto

, et al. Cybersecurity risk analysis model using fault tree analysis and fuzzy decision theory. Int J Inform Manage 2018; 43: 248–260.

A hierarchical colored Petri net–based cyberattacks response strategy making approach for critical infrastructures

Abstract

Keywords

Introduction

Background and preliminary

Analysis of response strategy making in CIs

Demand analysis of system modeling

Architecture of response strategy making approach

System modeling with HCPN

Description of HCPN

Modeling cyberattacks propagation within a station

Optimal response strategy making

Generation of candidate security strategies for stations

Construction of optimal scheduling strategy for CIs

Making the optimal response strategy for CIs

Simulation and result analysis

Simulation platform and modeling process

Result analysis

Conclusion

Footnotes

Appendix 1

Appendix 2

Declaration of conflicting interests

Funding

ORCID iD

References