System-level operational cyber risks identification in industrial control systems

Figures & data

Table 1. Notable ICS cyberattacks (2000 – 2023).

Year	Target	Method
2000	Australian Sewage Plant	Insider
2010	Iranian Uranium Enrichment	Stuxnet
2013	ICS Supply Chain attack	Havex
2014	German Still Mill	Stuxnet
2015	Ukraine Power Grid	BlackEnergy
2016	Ukraine Substation	CrashOveride
2017	Global shipping company	NotPetya
2017	Healthcare, Automotive, others	WannaCry
2017	Saudi Arabia Petrochemical	Triton/Trisis
2019	SolarWinds Supply Chain attack	Sunburst
2019	Norwegian Aluminum Company	LockerGaga
2021	Colonial Pipeline	Ransomware
2021	JBS Food	Ransomware
2023	Johnson Controls International (JCI)	Ransomware
2023	Dole Food	Ransomware

Figure 1. Dependency modelling graph.

Figure 2. RiskED process flow.

Algorithm 1. RiskED Process Flow

1: procedure transform

2:      global root infer, labellist, t0

3:      f ← open(”posterior.csv”, ”rt”, encoding = ”utf − 8”)

4:      for x in range(len(valuea)) do

5:            valueb.append(round(float(1 − valuea[x]), 4))

6:      end for

7:      values ← [valueb, valuea]

8:      if len(evidence) == 0 then

9:            model.add node(labellist[num])

10:          cpd[num] ← TabularCPD(variable = labellist[num], variable card = 2, values = values)

11:         model.add cpds(cpd[num])

12:    else

13:        model.add node(labellist[num])

14:       for x in range(len(evidence)) do

15:           model.add edge(evidence[x], labellist[num])

16:       end for

17:      cpd[num] ← TabularCPD(variable = labellist[num], variable card = 2, values = values, evidence = evidence, evidence card = evidence card)

18:      model.add cpds(cpd[num])

19:    end if

20:    root infer ← VariableElimination(model)

21:    rootvariable ← root infer.query(variables = [labellist[0]])

22:    t0 ← rootvariable.get value(labellist[0], 1)

23: end procedure

24: return

Figure 3. High-level depiction of the dependency model.

Figure 4. Communication network segmentation showing zones and conduits.

Table 2. Risk assessment data based on IEC 62,443 method.

SPE 1			SPE 2
	Maturity			Maturity
Control	Desired	Actual	Control	Desired	Actual
ORG 1 – Security related organisation and policies			CM 1 – Inventory management of IACS hardware/software components and network communications
ORG 1.1: Information security management system (ISMS)	3	2	CM 1.1: Asset inventory baseline	3	3
ORG 1.2: Background checks	3	2	CM 1.2: Infrastructure drawings/documentation	3	3
ORG 1.3: Security roles and responsibilities	3	2	CM 1.3: Configuration settings	3	3
ORG 1.4: Security awareness training	3	2	CM 1.4: Change control	3	3
ORG 1.5: Security responsibilities training	3	2
ORG 1.6: Supply chain security	3	2
ORG 2 – Security assessments and reviews
ORG 2.1: Security risk mitigation	3	2
ORG 2.2: Processes for discovery of security anomalies	3	2
ORG 2.3: Secure development and support	3	2
ORG 2.4: SP reviews	3	2
ORG 3 – Security of physical access
ORG 3.1: Physical access control	4	4
SPE 3			SPE 4
NET 1 – System segmentation			COMP 1 – Devices and media
NET 1.1: Segmentation from non-IACS networks	3	2	COMP 1.1: Device hardening	2	0
NET 1.2: Documentation of network segment interconnections	3	2	COMP 1.2: Dedicated portable media	2	1
NET 1.3: Network segmentation from safety systems	3	2	COMP 2 – Malware protection
NET 1.4: Network autonomy	3	2	COMP 2.1: Malware free	2	0
NET 1.5: Network disconnection from external networks	3	2	COMP 2.2: Malware protection	2	0
NET 1.6: Internal network access control	3	2	COMP 2.3: Malware protection software validation and installation	2	0
NET 1.7: Device connections	3	2	COMP 3 – Patch management
NET 1.8: Network accessible services	3	2	COMP 3.1: Security patch authenticity/integrity	2	0
NET 1.9: User messaging	3	2	COMP 3.2: Security patch validation and installation	2	0
NET 1.10: Network time distribution	3	2	COMP 3.3: Security patch status	2	0
NET 2 – Secure wireless access			COMP 3.4: Security patching retention of security	2	0
NET 2.1: Wireless protocols	2	0	COMP 3.5: Security patch mitigation	2	0
NET 2.2: Wireless network segmentation	2	0
NET 2.3: Wireless properties and addresses	2	0
NET 3 – Secure remote access
NET 3.1: Remote access applications	3	2
NET 3.2: Remote access connections	3	2
NET 3.3: Remote access termination	3	2
SPE 5			SPE 6
DATA 1 – Protection of data			USER 1 – Identification and authentication
DATA 1.1: Data classification	2	2	USER 1.1: User identity assignment	2	2
DATA 1.2: Protection of data	2	2	USER 1.2: User identity removal	2	2
DATA 1.3: Safety system configuration mode	2	2	USER 1.3: User identity persistence	2	2
DATA 1.4: Failure-state	2	2	USER 1.4: Access rights assignment	2	2
DATA 1.5: Data retention	2	2	USER 1.5: Least privilege	2	1
DATA 1.6: Data purging	2	2	USER 1.6: Software service authentication	2	2
DATA 1.7: Cryptographic mechanisms	2	2	USER 1.7: Software services interactive login rights	2	2
DATA 1.8: Key management	2	2	USER 1.8: User authentication	2	2
DATA 1.9: Public key infrastructure (PKI)	2	2	USER 1.9: Multifactor authentication	2	1
			USER 1.10: Mutual authentication	2	2
			USER 1.11: Password protection	2	1
			USER 1.12: Shared and disclosed/compromised passwords	2	1
			USER 1.13: User login display information	2	1
			USER 1.14: User login failure displays	2	1
			USER 1.15: Consecutive login failures	2	2
			USER 1.16: Session integrity	2	1
			USER 1.17: Concurrent sessions	2	2
			USER 1.18: Screen lock	2	2
			USER 2 – Authorisation and access control
			USER 2.1: Authorisation	2	1
			USER 2.2: Administrative rights authorization	2	1
			USER 2.3: Multiple approvals	2	1
			USER 2.4: Manual elevation of privileges	2	1
SPE 7			SPE 8
EVENT 1 – Event and incident management			AVAIL 1 – System availability and intended functionality
EVENT 1.1: Event detection	2	1	AVAIL 1.1: Continuity management	2	1
EVENT 1.2: Event reporting	2	1	AVAIL 1.2: Resource management	2	1
EVENT 1.3: Event reporting interfaces	2	1	AVAIL 1.3: DoS attacks	2	1
EVENT 1.4: Logging	2	1	AVAIL 2 – Backup/restore/archive
EVENT 1.5: Log entries	2	1	AVAIL 2.1: Backup	2	1
EVENT 1.6: Log access	2	1	AVAIL 2.2: Backup non-interference	2	1
EVENT 1.7: Event analysis	2	1	AVAIL 2.3: Backup verification	2	1
EVENT 1.8: Incident handling and response	2	1	AVAIL 2.4: Backup media	2	1
EVENT 1.9: Vulnerability handling	2	1	AVAIL 2.5: Backup restoration	2	1

Table 3. Case study: dependency model.

Label	Node	Child Node	Dependants	Probability
0	Secured System		8	0.011
1	SPE1	Secured System	3	0.5366668
2	SPE2	Secured System	1	0.9942488
3	SPE3	Secured System	3	0.01
4	SPE4	Secured System	3	0.01
11	Security of Physical Access	SPE1	1	0.9985591
12	Information Security Management System (ISMS)	Security Related Organisation and Policies	0	0.9333333
13	Background Checks	Security Related Organisation and Policies	0	0.9333333
14	Security Roles and Responsibilities	Security Related Organisation and Policies	0	0.9333333
28	System Segmentation	SPE3	10	0.2426199
48	Malware Protection	SPE4	3	0.0010323
103	Vulnerability handling	Event and incident management	0	0.7667
104	System availability and intended functionality	SPE8	3	0.4506884
105	Backup/restore/archive	SPE8	5	0.2649277
109	Backup	Backup/restore/archive	0	0.7667
110	Backup non-interference	Backup/restore/archive	0	0.7667
111	Backup verification	Backup/restore/archive	0	0.7667
112	Backup media	Backup/restore/archive	0	0.7667
113	Backup restoration	Backup/restore/archive	0	0.7667

Table 4. Causal inference with single node.

Node Label	Marginal Probability	$\mathit{P}(\mathit{G}|$ E1=0)	$\mathit{P}(\mathit{G}|$ E1=1)	P1	P2
[24]	0.32957	0.00420	0.32989	0.98742	0.01258
[25]	0.32957	0.00420	0.32989	0.98742	0.01258
[26]	0.32957	0.00420	0.32989	0.98742	0.01258
[27]	0.32957	0.00420	0.32989	0.98742	0.01258
[66]	0.32957	0.02002	0.33050	0.94289	0.05711
[65]	0.32957	0.02002	0.33050	0.94289	0.05711
[63]	0.32957	0.02002	0.33050	0.94289	0.05711
[62]	0.32957	0.02002	0.33050	0.94289	0.05711
[61]	0.32957	0.02002	0.33050	0.94289	0.05711
[64]	0.32957	0.02002	0.33050	0.94289	0.05711

Table 5. Causal inference with two nodes.

Node Label	Marginal Probability	$\mathit{P}(\mathit{G}|$ E1&E2=0)	$\mathit{P}(\mathit{G}|$ E1&E2=1)	P1	P2
[26+66]	0.32957	0.00003	0.33082	0.99992	0.00008
[26+67]	0.32957	0.00003	0.33082	0.99992	0.00008
[24+60]	0.32957	0.00003	0.33082	0.99992	0.00008
[24+61]	0.32957	0.00003	0.33082	0.99992	0.00008
[24+62]	0.32957	0.00003	0.33082	0.99992	0.00008
[24+63]	0.32957	0.00003	0.33082	0.99992	0.00008
[24+64]	0.32957	0.00003	0.33082	0.99992	0.00008
[24+65]	0.32957	0.00003	0.33082	0.99992	0.00008
[24+67]	0.32957	0.00003	0.33082	0.99992	0.00008
[27+66]	0.32957	0.00003	0.33082	0.99992	0.00008

Table 6. Causal inference with three nodes.

Node Label	Marginal Probability	$\mathit{P}(\mathit{G}|$ E1,E2,E3=0)	$\mathit{P}(\mathit{G}|$ E1,E2,E3=1)	P1	P2
[24+25+65]	0.32957	0.00023	0.33115	0.99930	0.00070
[25+26+68]	0.32957	0.00023	0.33115	0.99930	0.00070
[24+25+64]	0.32957	0.00023	0.33115	0.99930	0.00070
[25+26+67]	0.32957	0.00023	0.33115	0.99930	0.00070
[25+26+66]	0.32957	0.00023	0.33115	0.99930	0.00070
[25+26+65]	0.32957	0.00023	0.33115	0.99930	0.00070
[25+26+64]	0.32957	0.00023	0.33115	0.99930	0.00070
[25+26+63]	0.32957	0.00023	0.33115	0.99930	0.00070
[25+26+62]	0.32957	0.00023	0.33115	0.99930	0.00070
[25+27+61]	0.32957	0.00023	0.33115	0.99930	0.00070

Figure 5. Single node 3-point sensitivity using causal inference.

Figure 6. Two-nodal 3-point sensitivity analysis using causal inference.

Figure 7. Three-nodal 3-point sensitivity analysis using causal inference.

Figure 8. Two-nodal frequency analysis - negative impact.

Figure 9. Three-nodal frequency analysis - negative impact.

Data availability statement

All data is provided in full in the results section of this paper. No new data was created during this study.