Cybersecurity Risk Assessment in Industrial Control Systems
DOI: https://doi.org/10.70716/reswara.v2i3.388
Keywords: industrial control systems, cybersecurity risk assessment, cyber-physical systems, Bayesian network, risk modeling
Abstract
Industrial Control Systems play a critical role in modern industrial infrastructures, including manufacturing, energy, transportation, and critical utilities. The increasing integration of operational technology with information technology has significantly expanded the attack surface of these systems, making cybersecurity risk assessment an essential component of industrial resilience. This study aims to analyze and synthesize existing cybersecurity risk assessment approaches for Industrial Control Systems by examining quantitative, qualitative, and hybrid methods reported in recent literature. The research adopts a structured literature-based analytical method, focusing on models such as Bayesian networks, game theory, fuzzy logic, optimization-based frameworks, and vulnerability scoring systems. The results indicate that dynamic and asset-based risk assessment models provide more accurate and context-aware risk estimations compared to static approaches. Furthermore, integrating cyber and physical impact analysis enhances the capability to prioritize critical assets and predict worst-case attack scenarios. The findings contribute to a comprehensive understanding of current risk assessment methodologies and highlight key challenges related to data availability, model scalability, and real-time applicability. This study concludes that future cybersecurity risk assessment frameworks for Industrial Control Systems should emphasize dynamic modeling, cyber-physical integration, and adaptive evaluation mechanisms to address evolving threats effectively.
License
Copyright (c) 2024 Ahmad Rudy Wijaya, Zulfa Ikhtiar Ramadhani, Daniel Thomas Sharkey (Author)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.





