№1, 2024

CYBERSECURITY RISKS MANAGEMENT OF INDUSTRIAL CONTROL SYSTEMS: A REVIEW

Ramiz Shikhaliyev

Industrial control systems (ICS) form the basis of critical infrastructures, managing complex processes in various sectors of industry, energy, etc. With the increasing frequency and complexity of cyber threats, effective management of ICS cybersecurity risks is critical. This paper is devoted to the analysis of approaches used in the field of cybersecurity risk management of automated process control systems. The study examines the cybersecurity risks of ICS and the role of international standards in managing cybersecurity risks. The results of the analysis carried out in this paper can serve as information for the development of new reliable cybersecurity risk management systems for ICS (pp.37-43).

Keywords: Industrial control systems, Cybersecurity risks, Cybersecurity risk management, Risk management standard, Risk management methods
References
  • Aissa, A. B., Abercrombie, R. K., Sheldon, F. T., & Mili, A. (2010). Quantifying security threats and their potential impacts: a case study. Innovations in Systems and Software Engineering, 6, 269-281.
    https://doi.org/10.1007/s11334-010-0123-2
  • Al-Abassi, A., Karimipour, H., Dehghantanha, A., & Parizi, R. M. (2020). An ensemble deep learning-based cyber-attack detection in industrial control system. IEEE Access, 8, 83965-83973.
    https://doi.org/10.1109/ACCESS.2020.2992249
  • Alguliyev, R., Sukhostat, L., & Mammadov, A (2022). Anomaly detection in cyber-physical systems based on BiGRU-VAE. 2022 IEEE 16th International Conference on Application of Information and Communication Technologies (AICT), Washington, USA, October 2022 (pp. 1-5). https://doi.org/10.1109/AICT55583.2022.10013581
  • Alguliyev, R. M., Imamverdiyev, Y. N., & Sukhostat, L. V. (2021). Hybrid DeepGCL model for cyber-attacks detection on cyber-physical systems. Neural Computing and Applications, 33(16), 10211-10226.
    https://doi.org/10.1007/s00521-021-05785-2
  • Alguliyev, R. M., Imamverdiyev, Y. N., & Sukhostat, L. V. (2018). Cyber-physical systems and their security issues. Computers in Industry, 100, 212-223.
    https://doi.org/10.1016/j.compind.2018.04.017
  • Cheng, L., & Liu, F. (2017). Enterprise data breach: Causes, challenges, prevention, and future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 7(5), e1211.
    https://doi.org/10.1002/widm.1211
  • Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & Security, 56, 1-27.
    https://doi.org/10.1016/j.cose.2015.09.009
  • Cook, A., Smith, R., Maglaras, L., & Janicke, H. (2016). Measuring the risk of cyber-attack in industrial control systems. 4th International Symposium for ICS & SCADA Cyber Security Research (ICS-CSR’16), Belfast, UK, August 2016 (pp. 1-11).
    https://doi.org/10.14236/ewic/ICS2016.12
  • David, L. (2017). Cybersecurity: Industrial Control Systems and the U.S. Electric Grid. https://mse238blog.stanford.edu/2017/07/dllove/cybersecurity-industrial-control-systems-and-the-u-s-electric-grid/.
  • Digioia, G., Foglietta, C., Panzieri, S., & Falleni, A. (2012). Mixed holistic reductionistic approach for impact assessment of cyber attacks. 2012 European Intelligence and Security Informatics Conference (EISIC), Odense, Denmark, August 2012 (pp. 123-130). https://doi.org/10.1109/EISIC.2012.30
  • Eckhart, M., Brenner, B., Ekelhart, A., & Weipp, E. (2019). Quantitative Security Risk Assessment for Industrial Control Systems: Research Opportunities and Challenges. Journal of Internet Services and Information Security (JISIS), 9(3), 52-73. https://doi.org/10.22667/JISIS.2019.08.31.052
  • Enterprise-control system integration – part 3: Activity models of manufacturing operations management. IEC 62264-3:2016.
  • Fault tree analysis (FTA).
  • https://fiixsoftware.com/glossary/fault-tree-analysis/
  • Flaus, J.-M. (2019). Cybersecurity of industrial systems. London: ISTE Ltd.; Hoboken, NJ: John Wiley & Sons, Inc. https://doi.org/10.1002/9781119644538
  • FMEA (Failure Modes and Effects Analysis). https://www.ifm.eng.cam.ac.uk/research/dmg/tools-and-techniques/fmea-failure-modes-and-effects-analysis/
  • Freund, J. & Jones, J. (2014). Measuring and managing information risk: A FAIR approach. Newton, MA: Butterworth-Heinemann.
  • Functional Safety - Safety Instrumented Systems for the Process Industry Sector - Part 1: Framework, Definitions, System, Hardware and Application Programming Requirements. ISA/IEC 61511.1:2016.
  • Georgios, G., Roberto, F., & Muriel, S. (2012). Risk assessment methodologies for Critical Infrastructure Protection. Part I: A state of the art, EUR - Scientific and Technical Research Reports.
  • Guide for Applying the Risk Management Framework. NIST Special Publication (SP) 800-39.
  • Guide for Conducting Risk Assessments. NIST Special Publication (SP) 800-30.
  • Haugen, S. & Rausand, M. (2020). Risk Assessment: Theory, Methods, and Applications. Hoboken, NJ: John Wiley & Sons, Inc. https://doi.org/10.1002/9781119377351
  • Hentea, M. (2008). Improving security for SCADA control systems. Interdisciplinary Journal of Information, Knowledge, and Management, 3, 73-86. https://doi.org/10.28945/3185
  • Hocking, B. & Sproston, C. (2019). Bowtie risk assessment methodology in practice. https://shoalgroup.com/wp-content/uploads/2019/04/Hocking-and-Sproston-Bowtie-risk-assessment-methodology-in-practice-AMPEAK2019.pdf.
  • Hubbard, D. W. & Seiersen, R. (2023). How to measure anything in cybersecurity risk. Hoboken, NJ: John Wiley & Sons Inc.
  • Iaiani, M., Tugnoli, A., Bonvicini, S., & Cozzani, V. (2021). Analysis of cybersecurity-related incidents in the process industry. Reliability Engineering & System Safety, 209, 107485. https://doi.org/10.1016/j.ress.2021.107485
  • Information security management. ISO/IEC 27000 family.
  • Information security, cybersecurity and privacy protection - Information security management systems. Requirements. ISO/IEC 27001:2022.
  • Information technology – Security techniques – Information security risk management. ISO/IEC 27005:2018.
  • Katze, S., Stouffer, K., Abrams, M., Norton, D., & Weiss, J. (2006). Applying NIST SP 800-53 to Industrial Control Systems, NIST 2006.
  • Keliris, A., Konstantinou, C., & Maniatakos, M. (2017). GE multilin SR protective relays passcode vulnerability, Black Hat USA.
  • Leszczyna, R. (2021). Review of cybersecurity assessment methods: Applicability perspective. Computers & Security, 108, 102376. https://doi.org/10.1016/j.cose.2021.102376
  • Makrakis, G. M., Kolias, C., Kambourakis, G., Rieger, C., & Benjamin, J. (2021). Vulnerabilities and attacks against industrial control systems and critical infrastructures. arXiv preprint arXiv: 2109.03945.
  • Merz, T. R., Fallon, C., & Scalco, A. (2019). A context-centred research approach to phishing and operational technology in industrial control systems. Journal of Information Warfare, 18(4), 24-36.
  • National Institute of Standards and Technology (NIST), SP 800-53, Guide to Industrial Control Systems (ICS) Security.
  • Nicholson, A., Webber, S., Dyer, S., Patel, T., & Janicke, H. (2012). SCADA security in the light of Cyber-Warfare, Computers & Security, 31(4), 418-436. https://doi.org/10.1016/j.cose.2012.02.009
  • Risk management – Principles and guidelines. ISO 31000:2009
  • Risk management – Vocabulary. ISO Guide 73:2009.
  • Security for Industrial Automation and Control Systems - Part 1-1: Terminology, Concepts, and Models. ISA/IEC 62443-1-1:2007.
  • Security for industrial automation and control systems - Part 3-2: Security risk assessment for system design. IEC 62443-3-2:2020.
  • Security for industrial automation and control systems, Part 3-3: System security requirements and security levels. ISA/IEC 62443-3-3:2013
  • Shikhaliyev, R. H. (2023). Using machine learning methods for industrial control systems intrusion detection. Problems of Information Technology, 14(2), 37-48.
    http://dx.doi.org/10.25045/jpit.v14.i2.05
  • Stouffer, K., Falco, J., & Scarfone, K. (2011). Guide to industrial control systems (ICS) security. NIST Special Publication. https://doi.org/10.6028/NIST.SP.800-82r3
  • Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M., & Hahn, A. (2015). Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82 Revision 2.
    http://dx.doi.org/10.6028/NIST.SP.800-82r2.
  • Sukhostat, L. (2021). An intelligent model based on deep transfer learning for detecting anomalies in cyber-physical systems, Radio Electronics, Computer Science, Control, 3, 124-132.
    https://doi.org/10.15588/1607-3274-2021-3-11
  • Sukhostat, L. (2022). Anomaly detection in industrial control system based on the hierarchical hidden Markov model. In O. Popov & L. Sukhostat (Eds.), Cybersecurity for Critical Infrastructure Protection via Reflection of Industrial Control Systems (pp. 48-55). IOS Press. http://dx.doi.org/10.3233/NICSP220033
  • Teixeira, A., Sou, K. C., Sandberg, H., & Johansson, K. H. (2015). Secure control systems: A quantitative risk management approach, IEEE Control Systems Magazine, 35(1), 24–45.
    http://dx.doi.org/10.1109/MCS.2014.2364709
  • Volkova, A., Niedermeier, M., Basmadjian, R., & Meer, H. (2019). Security challenges in control network protocols: A survey, IEEE Communications Surveys & Tutorials, 21(1), 619-639.
    https://doi.org/10.1109/COMST.2018.2872114
  • Xu, Y., Yang, Y., Li, T., Ju, J., & Wang, Q. (2017). Review on cyber vulnerabilities of communication protocols in industrial control systems, IEEE Conference on Energy Internet and Energy System Integration (EI2), Beijing, China, November 2017 (pp. 1-6). https://doi.org/10.1109/EI2.2017.8245509
  • Yampolskiy, M., Horvath, P., Koutsoukos, X. D., Xue, Y., & Sztipanovits, J. (2013). Taxonomy for description of cross-domain attacks on CPS. 2nd ACM International Conference on High Confidence Networked Systems (HiCoNS’13), Philadelphia, Pennsylvania, USA, April 2013, pp. 135–142. https://doi.org/10.1145/2461446.2461465