Holistic Risk Assessment in Industrial Control Systems: Combining Multiple Bayesian Networks with Multi-Criteria Decision Making

Guarino S.; Faramondi L.; Oliva G.; Setola R.
2024-01-01

Abstract

In recent years, the increase in cyber-attacks on Industrial Control Systems (ICS) due to open industrial protocols has highlighted the vulnerability of critical infrastructures to such threats. Notable incidents like Stuxnet and BlackEnergy3 have demonstrated the potential for significant operational disruptions. This situation calls for a successful risk assessment approach that can address the multifaceted nature of cyber threats. To address this need, this paper introduces a novel holistic risk assessment framework combining Bayesian Networks (BNs) with Multi-Criteria Decision Making (MCDM) to compute and integrate heterogeneous risk values into a single, comprehensive risk metric. In more detail, a set of heterogeneous risk metrics, derived from an array of risk-specific BNs, is combined through the Incomplete Analytic Hierarchy Process (AHP) technique. Briefly, a set of experts is asked to compare the relevance of pairs of risks, and this relative information is translated into a weight associated with each metric. The effectiveness of the proposed risk assessment technique is evaluated against a real hardware-in-the-loop case study in a laboratory environment, namely the Water Distribution Testbed (WDT) for cyber-physical security testing.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.12610/79051