In recent years, the increase in cyber-attacks on Industrial Control Systems (ICS) due to open industrial protocols has highlighted the vulnerability of critical infras-tructures to such threats. Notable incidents like Stuxnet and BlackEnergy3 have demonstrated the potential for significant operational disruptions. Such a new situation calls for a successful risk assessment approach that can address the multifaceted nature of cyber threats. Addressing such need, this paper in-troduces a novel holistic risk assessment framework combining Bayesian Networks (BNs) with Multi-Criteria Decision Making (MCDM) to compute and integrate heterogeneous risk values into a single, comprehensive risk metric. In more detail, a set of heterogeneous risk metrics, derived by resorting to an array of risk-specific BNs, is combined through the Incomplete Analytic Hierarchy Process (AHP) technique. Briefly, a set of experts is asked to compare the relevance of pairs of risks, and this relative information is translated into a weight associated to each metric. The effectiveness of the proposed risk assessment technique is evaluated against a real hardware-in-the-loop case study in a laboratory environment, namely the Water Distribution Testbed (WDT) for cyber-physical security testing.
Holistic Risk Assessment in Industrial Control Systems: Combining Multiple Bayesian Networks with Multi-Criteria Decision Making
Guarino S.;Faramondi L.;Oliva G.;Setola R.
2024-01-01
Abstract
In recent years, the increase in cyber-attacks on Industrial Control Systems (ICS) due to open industrial protocols has highlighted the vulnerability of critical infras-tructures to such threats. Notable incidents like Stuxnet and BlackEnergy3 have demonstrated the potential for significant operational disruptions. Such a new situation calls for a successful risk assessment approach that can address the multifaceted nature of cyber threats. Addressing such need, this paper in-troduces a novel holistic risk assessment framework combining Bayesian Networks (BNs) with Multi-Criteria Decision Making (MCDM) to compute and integrate heterogeneous risk values into a single, comprehensive risk metric. In more detail, a set of heterogeneous risk metrics, derived by resorting to an array of risk-specific BNs, is combined through the Incomplete Analytic Hierarchy Process (AHP) technique. Briefly, a set of experts is asked to compare the relevance of pairs of risks, and this relative information is translated into a weight associated to each metric. The effectiveness of the proposed risk assessment technique is evaluated against a real hardware-in-the-loop case study in a laboratory environment, namely the Water Distribution Testbed (WDT) for cyber-physical security testing.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.