Open Access is an initiative that aims to make scientific research freely available to all. To date our community has made over 100 million downloads. It’s based on principles of collaboration, unobstructed discovery, and, most importantly, scientific progression. As PhD students, we found it difficult to access the research we needed, so we decided to create a new Open Access publisher that levels the playing field for scientists across the world. How? By making research easy to access, and puts the academic needs of the researchers before the business interests of publishers.
We are a community of more than 103,000 authors and editors from 3,291 institutions spanning 160 countries, including Nobel Prize winners and some of the world’s most-cited researchers. Publishing on IntechOpen allows authors to earn citations and find new collaborators, meaning more people see your work not only from your own field of study, but from other related fields too.
To purchase hard copies of this book, please contact the representative in India:
CBS Publishers & Distributors Pvt. Ltd.
www.cbspd.com
|
customercare@cbspd.com
The issues of procuring the cybersecurity of modern industrial systems and networks acquire special urgency because of imperfection of their protection tools and presence of vulnerabilities. International standards ISA/IEC 62443 offer the system risk-oriented approach to solve the tasks of providing the security of industrial control systems (ICS) at all stages of life cycle. But in view of high uncertainty and complexity of procedure of formalizing the factors affecting the final indices of system security, the problem of cybersecurity risk assessment remains open and requires applying new approaches based on the technology of data mining and cognitive modeling. Cognitive modeling of risk assessment using fuzzy grey cognitive maps (FGCM) allows us to take into account the uncertainty factor arising in the process of vulnerability probability assessment for each of security nodes. The interval estimates of FGCM connection weights can reflect the scatter of expert group opinions that allows us to take into account more completely the data available for risk analysis. The main stages of ICS security assessment with use of FGCM are analyzed in the chapter on the example of distributed industrial automation network. The recommendations concerning the choice of the necessary countermeasures improving the level of network security in the conditions of possible external and internal threats are considered.
Ufa State Aviation Technical University, Ufa, Russian Federation
Alexey M. Vulfin
Ufa State Aviation Technical University, Ufa, Russian Federation
Liliya R. Chernyakhovskaya
Ufa State Aviation Technical University, Ufa, Russian Federation
*Address all correspondence to: vasilyev@ugatu.ac.ru
1. Introduction
Digital economy, cyber-physical objects, cyberspace, and Internet of Things are concepts that have firmly entered our lives in recent years. As a part of industrial revolution “Industry 4.0,” the face of modern industrial enterprises, which actively use the transition to unmanned production technologies, the integration of information technologies into the most complex production processes, has dramatically changed. In this case, a distinctive feature of production is the close connection of technological networks with the corporate network, as it is necessary both for production management and for administration of industrial networks and systems. Modern technological networks, as a rule, have direct access to the Internet, for example, for maintenance and technical support of industrial automation systems by employees of organizations—contractors. Also, computers of contractors, developers, integrators, and system/network administrators connected to the technological network of the service company from the outside often have free access to the Internet.
Under such conditions, the problem of ensuring the security (cybersecurity) of industrial automation and control systems (IACS) sharply increases. In corporate networks, the object of protection is information and the problem of ensuring the confidentiality of information is primarily addressed. However, in the case of industrial automated control systems, the object of protection is already technological processes (TP), and not ensuring the confidentiality of information comes to the fore, but first of all ensuring the continuity and integrity of the TP itself. Speaking of IACS cybersecurity, the so-called digital attacks (cyber-attacks) are primarily considered associated with exposure to IACS through the control and monitoring devices—controllers, data acquisition and transmission devices, SCADA servers, workstations, telecom equipment, communication lines, etc.
The severity and relevance of IACS cybersecurity problem are confirmed by statistics of recent years, showing a sharp increase in the number of the targeted attacks on industrial networks and systems, as well as an increase in the scale of consequences of these attacks. A vivid example of a large-scale cyber-attack that hit a lot of companies around the world from May 12 to May 15, 2017 is the attack of a network worm—the coder WannaCry [1]. Among the victims of this well-coordinated attack were companies engaged in various types of production, oil refineries, urban infrastructure facilities, and distribution power grids.
In May 2018, VPNFilter malware, which infected at least 500,000 routers and data storage devices in 54 countries around the world, was detected. The purpose of this software is to steal credentials, detect industrial SCADA equipment, and carry out various attacks using infected devices in the botnets. June 2018 was marked by a large-scale cyber-attack on telecommunications companies, communication satellite operators, and defense contractors in the United States and Southeast Asia. During the attack, the attackers infected computers used for managing the communication satellites and collecting geoposition data. According to experts’ opinions, the purpose of the cyber-attack was espionage and data interception from civilian and military communication channels. In total, according to Kaspersky Lab, the share of attacked IACS computers in the world in 2018 increased by 3.2% compared with 2017 and amounted to 47.2% [2].
Considering the seriousness of the current situation and the need to take urgent measures, the international community and information security experts are concerned about finding effective ways to solve the problem of ensuring the security of industrial automated systems. For instance, the European Commission has developed the European Program for Critical Infrastructure Protection. Several international standards for ensuring the cybersecurity of automated process control systems have been proposed and effectively used in world practice, such as NERC Critical Infrastructure Protection, NIST SP 800-82 Guide to Industrial Control Systems Security, ISA/IEC 62443 Industrial Automation and Control Systems Security [3, 4].
The basis of the requirements presented by the ISA/IEC 62443 standards series for ensuring the IACS security is a risk-oriented approach. In accordance with this approach, designing of a management system for a protected IACS involves the following stages:
high-level (preliminary) risk assessment of cyber-attacks effects;
building a reference model of IACS as the protection object, describing the classification of main activities types, technological process, automatic control systems, and other assets;
building an asset model, describing the hierarchy of main objects and assets of IACS, their interaction with networks, key divisions, etc.;
building a reference architecture model, reflecting all basic elements of IACS, telecommunication equipment, communication lines, etc.;
building a zone and conduct model, dividing the protected object into separate security zones;
detailed risk analysis for each selected zone; and
determination of the current security level for each zone and requirements to ensure the target security level of the zone, implemented by the choice of appropriate protection measures.
At the same time, the “bottleneck” of the above normative documents regulating the issues of ensuring IACS cybersecurity is the absence of formalized methods for detailed risk assessment. As the volume of statistical data, development of mathematical models of risk, threats, and security incidents increase, it becomes topical to develop methods and algorithms for quantitative risk assessment, ensuring the possibility of a reasonable choice of IACS devices and the necessary countermeasures both within individual security zones and ensuring the required cybersecurity level of IACS as a whole.
A promising way to solve this problem is the use of technology of cognitive modeling, based on construction and analysis of fuzzy grey cognitive maps (FGCM), which has been widely used in recent years [5, 6, 7, 8, 9, 10]. Fuzzy grey (interval) cognitive maps are considered to be a good extension of fuzzy cognitive maps (FCM) family, since they are better suited to experts representations, have a greater interpretability and provide more degrees of freedom to the decision making person on the basis of modeling results.
Brief information concerning the “grey” system, the “grey” number, and the “grey” variable is presented below, and the mathematical apparatus of FGCM is considered. Then, on the example of solving the problem of ensuring the integrity of telemetric information in IACS, the technique of assessing the cybersecurity risks with use of FGCM is discussed. In the end of the chapter, the conclusions are drawn and the list of references is given.
Let us note one important circumstance. When considering below a specific example of AIS risk assessment using FGCM (Section 2), an approach based on decomposition of the original (integrated) FGCM by disclosing (detailing) the content of its concepts is used, resulting in the set of interconnected local FGCM that characterize certain aspects of AIS risks assessment procedure associated with the features of its subsystems. In ideological plan, this approach is based on the FCM decomposition theory and the algebra of FCM causal transformations proposed in [11, 12]. However, the main difference between the approach described in [12] and our approach is that in [12] the detailed FCM system of a large size comes out as the original FCM, which reduces to a simpler (quotient) FCM by using the operations proposed by the authors. Each concept of this quotient FCM accumulates information on the state of several similar concepts of the original FCM, thus aggregating the corresponding concepts. In our case, on the contrary, the original FGCM has a small dimension, the number of forming its basic concepts corresponds to the number of basic subsystems of the system under study, and the decomposition of FGCM implies a representation of each concept of the original FGCM in the form of independent (local) FGCM, describing the behavior of this concept.
The basis of building FGCM is the Grey Systems Theory, proposed in 1989 by Deng [10]. Within the framework of this theory, objects and systems with high uncertainty, represented by small samples of incomplete and inaccurate data, are studied. Depending on the character of the available information, the studied systems are divided into three types:
“white” systems (the internal structure and the properties of the system are completely known);
“grey” systems (partial information about the system is known); and
“black” systems (the internal structure and the properties of the system are completely unknown).
In accordance with the terminology of the grey systems theory, a fuzzy grey cognitive map is a cognitive model of a system in the form of a directed graph defined with use of the following set:
FGCM=CFW,E1
where C=Ci is the set of concepts (vertices of the graph), i=12…n; F=Fij is the set of connections between concepts (arcs of the graph); and W=Wij is the set of the relationships between the concepts determining the weights of these connections, ij∈Ω. Here, Ω=i1j1i2j2…iLjL is the set of the pairs of adjacent (interconnected) vertices indices, L≤nn−1.
In contrast to the traditional FCM representation, the weights of FGCM connections are set with the use of “grey” (interval) numbers ⊗Wij, defined as
⊗Wij∈Wij¯Wij¯,whereWij¯<Wij¯,Wij¯Wij¯∈−11,E2
where Wij¯ and Wij¯ are, respectively, the lower and the upper boundaries of the grey number. So, the weight of connection between i-th and j-th concepts (Ci→Cj) can take any value within the given range of change Wij¯Wij¯∈−11. In the particular case, when Wij¯=Wij¯, we get ⊗Wij∈Wij¯Wij¯—a “white” (crisp, usual) number.
It is assumed that the change of the concepts state in time is described by equations
⊗Xik+1=f⊗Xik+∑j=1j≠in⊗Wji⊗Xjk,i=12…n,E3
where ⊗Xik is the “grey” (interval) variable of the i-th concept Ci state, the values of which at each time instant k=0,1,2,… belong to some interval Xi¯kXi¯k; f is the activation function of the i-th concept, mapping the argument values into the interval −11. The activation function f∙, as a rule, is accepted in the following form:
linear function with saturation:
fx=x,ifx≤1;sgnx,ifx>1,E4
bipolar sigmoid (hyperbolic tangent):
fx=1−e−x1+e−x=thx2;E5
unipolar sigmoid:
fx=1/1+e−x.E6
To solve the system of equations (Eq. (3)), it is required to set the initial conditions ⊗Xi0, which also should be considered as the grey numbers ⊗Xi0∈Xi¯0Xi¯0. Most interesting is usually to obtain the equilibrium (steady state) solution, which is a grey vector limk→∞⊗Xik=⊗X∗∈X∗¯X∗¯ or a limit cycle (strange attractor).
To determine the stability of the steady-state solution ⊗X∗, one can use the theorem [12], according to which the only equilibrium (steady state) solution of equation (3) (“the fixed point”) exists if and only if
∑i,j=1nW¯ij212<H,E7
where the value of the positive constant H depends on the choice of activation function of the concepts: H=1 for function (Eq. (4)); H=2 for function (Eq. (5)); and H=4 for function (Eq. (6)). In the case of negative connection, i.e., for W¯ij<W¯ij<0, we also put in (Eq. (7)) the upper boundary W¯ij of the grey number ⊗Wij.
More detailed information on FGCM construction and their learning algorithms can be found in [5, 6, 9].
Let us consider the task of assessment of IACS risk on the example of the automated system for collecting, storing, and processing the telemetric information (TMI) of the aviation equipment manufacturer. The current information on the state parameters of on-board aviation systems is continuously collected during the entire period of their operation by the ground services of technical maintenance. The detailed analysis of this information allows the subsequent making the right management decisions on the further operation and modification of on-board aviation systems. Therefore, the task of ensuring the integrity of the mentioned telemetric information under the conditions of possible impact of external and internal threats undoubtedly takes on particular significance.
The generalized structure of the studied territorially distributed automated information system (AIS), providing the collection, storage, and processing of TMI, is presented in Figure 1.
Figure 1.
The generalized structure of territorially distributed automated information system for the collection, storage, and processing of TMI. The corresponding subsystems (security zones) are interconnected with the aid of telecommunication channels (conducts).
As the parts of AIS, the following subsystems (zones), combined according to the principle of the unity of functions performed and security requirements for their implementation, are identified:
The subsystem for collecting and storing the primary data at the service stations (Zone 1), which includes:
Element 1—the client part of the SCADA system Web-base;
Element 2—the server part of the SCADA system Web-base;
Element 3—OPC UA client;
Element 4—the temporary storage for accommodating the operative telemetry data accumulated at the object;
Element 5—the server part of the accumulated data transmission to the storage of the aviation equipment manufacturer;
The core of the corporate information network (CIN) of the enterprise-manufacturer (Zone 2), where:
Element 6—the client part for providing access to the server of the service station transferring the accumulated operational data of TMI to the enterprise-manufacturer’s storage;
Element 8—the workstations of administrator and service personnel of the CIN core of the enterprise-manufacturer;
TMI storage subsystem with fault tolerance functions (Zone 3), where:
Element 7—the node of access to TMI data storage at the enterprise-manufacturer;
TMI data processing subsystem with the use of a hierarchy of mathematical models of aviation equipment (Zone 4);
Subsystem of support and implementation of business processes of the enterprise-manufacturer (Zone 5).
The corresponding subsystems (security zones) are interconnected (see Figure 1) with the aid of telecommunication channels (conducts).
Using FGCM as a tool for cognitive modeling, let us turn to the task of analyzing the risks associated with ensuring the TMI integrity in AIS considered above, taking into account the impact of possible external and internal threats to the system. The original (integrated) FGCM for assessing the risks of AIS, serving in this case as the AIS cognitive model of initial approximation (zero decomposition level), is presented in Figure 2.
Figure 2.
Integrated FGCM for AIS risk assessment. ⊗W∼ij—the grey connection weights indicate an uncertainty in the assessment of the mutual influence of main risk factors and C∗—concepts.
The following descriptions are used in Figure 2: superscript (“*”) denotes the affiliation of the concept Cp∗ to integrated FGCM and subscript (p) denotes the number of the concept (Table 1).
Concept
Concept name
CT1∗
Internal threat to TMI integrity (e.g., due to failures or erroneous actions of staff)
CT2∗
External threat to TMI integrity (e.g., due to attempts of unauthorized access from outside to information)
C1∗
Modification of TMI data in Zone 1
C2∗
Modification of TMI data in Zone 2
C3∗
Modification of TMI data in Zone 3
C5∗
Modification of TMI data in Zone 5
CR∗
Potential damage caused by violation of TMI integrity in AIS
Table 1.
List of the concepts of the integrated FGCM.
The presence of the grey connection weights ⊗W∼ij indicates an uncertainty in the assessment of the mutual influence of main risk factors. The state variables of concepts ⊗XT1∗, ⊗XT2∗, ⊗Xi, i=12…5, ⊗XR∗ represent the probabilities of occurrence of the enumerated events corresponding to the concepts CT1∗, CT2∗, C1∗, …, C5∗,CR∗. Let us note that in this case we mean so-called subjective probabilities, reflecting the expert’s point of view on the possibility of an event occurrence [13]. Taking into account that each of these events is a complex event consisting of a chain of consecutive elementary events, it is reasonable to decompose FGCM of AIS shown in Figure 2 as the set of FGCMs for separate concepts (AIS security zones containing targets objects for attack to TMI).
The first decomposition level of the original (integrated) FGCM is presented in Figure 3.
Figure 3.
The first level of FGCM decomposition to assess the AIS risks.
The following designations of the concepts are used in Figure 3: the superscript (q) of Cpq indicates the belongings to the concept Cq of the integrated FGCM; and the subscript (p) is the number of the concepts in the FGCM of the first level of decomposition (Table 2).
Concept
Concept name
Parent concept
T11−T18
Internal threats to the integrity of TMI (concept T1∗ decomposition on the block diagram of AIS, Figure 1, i.e., the points of potential realization of the threat to TMI integrity by the internal subject of the system)
T1∗
T21,T22
External threats to TMI integrity (concept T2∗ decomposition)
T2∗
C11
Access to TMI in the client-server SCADA Web-base before adding to the database of TMI operational storage
C1∗ (Zone 1)
C21
Access to the database of operative TMI data storage
C31
Access to the network equipment
C41
Access to the module of Web server sending TMI data in the long-term storage of the enterprise-manufacturer
C52
Access to the network infrastructure
C2∗ (Zone 2)
C62
Access to the Web client module that implements receiving TMI at the enterprise-manufacturer from remote service stations
C82
Unauthorized access to workstation (node 8 in Figure 1) of the core of CIN of the enterprise-manufacturer
C102
Access to the server of equipment status reports generated for users of Zone 4
C73
Access to TMI in the long-term storage
C3∗ (Zone 3)
C95
Access to computing cluster management server of Zone 5
C5∗ (Zone 5)
IST5
TMI integrity control model
Table 2.
List of the first level decomposition concepts of the FGCM.
Figure 4 shows the further decomposition level (the second level) for the concept C1∗, allowing to make clearer the impact of the threats on the considered target concept.
Figure 4.
The second level of FGCM decomposition for assessing AIS risk in Zone 1.
On the scheme, the following designations of the concepts of FGCM second-level decomposition are used: the superscript (q) of the Crq,p concept is the number of the concept (the parent concept of the zero decomposition level) of the original FGCM whose decomposition includes this element, the superscript index p is the number of the parent concept of the first level of decomposition, the subscript (r) is the number of the concept of the current level (Table 3).
Concept
Concept name
Parent concept
C11,1
Access to HMI client SCADA
C11
C21,1
Access to operative TMI data on the client-server part of the SCADA before entering in the operative storage
C31,2
Access to the client to interact with the OPC UA server
C21
C41,2
Access to the database of operative TMI storage data
Table 3.
List of second-level decomposition concepts for Zone 1.
The further decomposition of the third level allows us to go to the detailed FGCM, which allows us to take into account the influence of individual vulnerabilities on the potential violation of TMI integrity in the intermediate information processing elements.
As for the concept C11,1, characterizing the possibility to run in the browser of the client part of SCADA system on the base on Web technology (Zone 1), the corresponding decomposition can be represented as FGCM in Figure 5.
Figure 5.
The third level of FGCM decomposition—the conceptC11,1.
Here, the numbers 1–5 denote the following concepts:
the exploitation of the vulnerability of OS authorization system;
the exploitation of the vulnerability of SCADA Web client;
the exploitation of the vulnerability of OS browser for launching the client part of SCADA;
the exploitation of the vulnerability of access to OS memory;
the exploitation of the vulnerability of OPC UA client authorization system.
Similarly, it is possible to decompose the other concepts of original FGCM for the second decomposition level of Zone 1 presented in Figure 4 (Figures 6–9, Tables 4–6). The corresponding FGCM, revealing the content of the concept C21,1 (Zone 2), is shown in Figure 6.
Figure 6.
Decomposition of the concept C21,1 of FGCM for AIS risk assessment (Zone 1)
Figure 7.
Decomposition of the concepts C61,3 and C51,4 of the second level of FGCM decomposition
Figure 8.
Decomposition of the concepts C31,2 and C41,2 of FGCM for AIS risk assessment
Figure 9.
FGCM concepts states for risk assessment of Zone 1 (the change in the state of concepts over time and the final states of the target concepts of the FGCM, software window form).
Concept
Concept name
Parent concept
6
Exploitation of the vulnerability of authorization system of the primary OS user
C21,1
7
Exploitation of the vulnerability of access to operating system memory
8
Exploitation of the vulnerability of Java virtual machine
9
Exploitation of the vulnerability of system software of application server for running the SCADA server Web application
10
The target concept of access to operative TMI data, which can be modified before adding to the database on the nodes of SCADA client-server type
Table 4.
List of the concepts of the third decomposition level for AIS risks assessment of Zone 1.
Concept
Concept name
Parent concept
19
Exploitation of the vulnerability of authorization system of the main OS user
C51,4
20
Exploitation of the vulnerability of system software implementing work of Apache Web application server, MySQL DBMS, PHP runtime frameworks to support interactive Web pages
21
Exploitation of the vulnerability of OS memory access
22
Exploitation of the vulnerability of Java Virtual Machine Memory Access
23
Exploitation of the vulnerability of Application Server Software
24
The target concept of unauthorized launching of the module for access to the database of operative storage of TMI at service stations
25
Exploitation of the vulnerability of authorization system of the main OS user
C61,3
26
Exploitation of the vulnerability of access to operating system memory
Table 5.
List of the concepts of the third decomposition level of Zone 1.
Concept
Concept name
Parent concept
14
Exploitation of the vulnerability of authorization system of the main OS user
C41,2
15
Exploitation of the vulnerability of OS memory access
16
Exploitation of the vulnerability of authorization system of the main DBMS user
17
Exploitation of the vulnerability of DBMS memory access
18
The target concept of unauthorized modification of TMI operative data TMI stored in the database
11
Exploitation of the vulnerability of authorization system of the client part of OPC Client UA software
C31,2
12
Exploitation of the vulnerability of authorization system of the main OS user
13
Exploitation of the vulnerability of OS memory access
Table 6.
List of the concepts of the third level of FGCM decomposition of Zone 1.
Consider the numerical example of risk assessment for the concept C11,1 (Figure 5).
Let us assume that while choosing the grey values of FGCM weights, it is necessary to focus on a certain fuzzy scale, which determines the strength of the connections between different concepts (see, e.g., Table 7).
Linguistic meaning of connection strength
Numeric range
Does not affect
0
Very weak
(0; 0.15]
Weak
(0.15; 0.35]
Average
(0.35; 0.6]
Strong
(0.6; 0.85]
Very strong
(0.85; 1]
Table 7.
Evaluation of the strength of communication between concepts.
Let us further assume that the expert estimated the values of FGCM connections weights in Figure 5 as follows (Table 8).
Connection weight
The value of the connection weight
Greyness (scatter of assessment)
WT11
[0.6; 0.75]
0.075
W12
[0.5; 0.7]
0.1
W13
[0.5; 0.7]
0.1
W14
[0.15; 0.3]
0.075
W25
[0.55; 0.65]
0.05
W32
[0.35; 0.55]
0.1
W35
[0.55; 0.65]
0.05
W42
[0.3; 0.5]
0.1
W43
[0.15; 0.3]
0.075
W45
[0.2; 0.45]
0.125
Table 8.
The values of communications FGCM weights.
Let us take a bipolar sigmoid (5) here as an activation function f∙ for the concepts 1–5. Checking condition (7) for the data presented in Table 2 shows that
∑i,j=15W¯ij212=2,76=1.66<2,E8
i.e., the steady-states of FGCM will be stable.
Using for calculation the “Cognitive Map Constructor” tool, which is described more detailed in the next section of this chapter, we will estimate the change in the upper and lower boundaries of the state variable X5 over time k=1,2,3,… (Tables 9 and 10). The state of the input concept CT1 is defined here as ⊗XT1k=0.81 for all =0,1,2,…; the initial conditions for other state variables ⊗X10÷⊗X50 are assumed to be zero, i.e., equal to 00.
k
1
2
3
4
5
6
7
8
X¯i
X¯1
0.36
0.50
0.55
0.57
0.58
0.58
0.58
0.58
X¯2
0
0.125
0.28
0.40
0.48
0.52
0.54
0.55
X¯3
0
0.125
0.24
0.32
0.36
0.38
0.39
0.40
X¯4
0
0.054
0.10
0.13
0.15
0.16
0.16
0.16
X¯5
0
0
0.093
0.23
0.36
0.45
0.50
0.53
Table 9.
Upper boundaries of concept state estimates
k
1
2
3
4
5
6
7
8
X¯i
X¯1
0.24
0.34
0.39
0.41
0.43
0.43
0.43
0.43
X¯2
0
0.059
0.13
0.18
0.22
0.25
0.27
0.28
X¯3
0
0.059
0.115
0.16
0.18
0.19
0.20
0.20
X¯4
0
0.018
0.034
0.046
0.052
0.058
0.06
0.06
X¯5
0
0
0.034
0.087
0.14
0.18
0.21
0.24
Table 10.
Lower boundaries of concept state estimates.
As a result, the steady-state value of the grey state vector ⊗X for FGCM presented in Figure 6, i.e., for the concept C11,1 decomposition is found as
⊗X=081043058028055020040006016024053,
and the final value for the target concept state is determined by the grey number ⊗X5∈024053.
Consider the state of the target concept CR (Figure 2)—the damage caused by the potential violation of TMI integrity in the AIS—after clarifying all weights by the level of decomposition of the original FGCM. Let us assume that the active threat is the internal threat of violation of the integrity of TMI, the value of which is determined by a grey number ⊗XT1∗∈06095.
Risk assessment because of violation of the integrity of TMI information is defined as ⊗XR∗A∈0.190.28.
To reduce the potential damage from the violation of TMI integrity, a monitoring system, deployed as a protected container in Zone 5, is used. In Figure 3, this information protection tool is designated as a TMI integrity monitoring model—concept IST5. The protected container ensures the continuous operation of the TMI integrity monitoring system, which implements online and offline analysis of operational data and data collected in the repository (Zone 3).
The concept of TMI integrity monitoring system as a whole has some peculiarities:
Simulated parameters of the aviation engine operation and TMI can be presented in the form of multidimensional technological time series;
Monitoring the TMI integrity is based on the analysis of the consistency of the behavior of parameters obtained by using the model of complex technical object, and taken from the on-board aircraft systems;
The output of the monitoring system is the evaluation of conditional probability of the events of data integrity violation events.
Risk value estimate due to violation of TMI information integrity after applying the tool based on the integrity monitoring model is ⊗XR∗A∈0.070.15.
Due to the significant amount of computation when working with FGCM containing a large number of concepts, it was necessary to develop a software tool to automate cognitive modeling with use of FGCM. The change in the state of concepts over time and the final states of the target concepts of the FGCM, calculated in the developed software tool, are presented in Figure 9.
4. Automation of risk analysis and management on the base of cognitive modeling technology
To improve an efficiency of risk analysis and management with use of FGCM, the special software tool “Cognitive Map Constructor” was developed. This software allows us to build and edit FGCM, use them to carry out the security risk analysis, and justify the choice of the necessary countermeasures from the given user-specified set. As a result, a diagram of risk assessment is built under various scenarios of countermeasures’ implementation and threats’ realization.
Besides supporting the FGCM with the installation of connections weights in the form of the upper and lower boundaries, the software allows us the use of linguistic terms of fuzzy logic, as well as setting the weights in the form of “white” crisp numbers. The software has the interface implemented in HTML using CSS, which allows displaying the FGCM and all the necessary accompanying information by the concepts and connections, and also is able to work on any graphical operating system that has a current Web browser.
There are five kinds of concepts which are used in FGCM: threats, information assets, intermediate concepts, targets, and countermeasures, which can be marked by different colors for convenience and clarity.
The set of the options depends on the type of the concept, but in most cases its name is specified with description, as well as its current state. In the case when the weights of all connections, pointing to the concept, are assumed to be equal, one can mark the option “Imposed weight” and set the desired value. For countermeasures, it is permissible to indicate which of existing countermeasure it is, that allows realizing situations when one countermeasure acts on several connections at once.
To establish the relationships between the concepts, it is necessary to click on the button “Placement” of the action group “Connections” in the tool window. After that, the connections are located by pressing consecutively on the initial and final element. The located countermeasures and initial states of the concepts can be adjusted and combined, creating the different scenarios that allow us to compare the effectiveness of countermeasures.
Figures 10 and 11 show the FGCM risk estimates built in the “Cognitive Map Constructor.”
Figure 10.
FGCM for risk assessment of data collection and storage subsystem at the service stations (Zone 1) (software window form).
Figure 11.
FGCM for risk assessment in the core of the CIN (Zone 2) and TMI (software window form).
Thus, the developed software “Cognitive Map Constructor” allows evaluating the effectiveness of the use of the TMI integrity monitoring system in the protection of telemetric information from the effects of external and internal threats.
A promising way to solve the problem of assessing the cybersecurity risks of industrial automated systems is to model the threats realization scenarios using the tools of topological analysis of the system security and cognitive modeling with the aid of Fuzzy Grey Cognitive Maps.
At the basis of this approach, the construction of original FGCM is proposed to assess the risk of automated control system with the following decomposition of FGCM into the number of cognitive maps of the next level of detail (the same as it is done in IDEF0 Functional Modeling technology). The features of construction of this procedure are discussed in this chapter in relation to the task of ensuring the telemetry information integrity in the industrial automated system for collecting, storing, and processing information on the conditions of on-board aviation systems. It is shown that the use of FGCM allows us to obtain more reliable estimates of security risk factors with account of the possible variations of the available actual data and expert opinions.
To automate the proposed risk assessment procedure in the considered system for collecting, storing, and processing telemetry information with use of FGCM, the software tool “Cognitive Map Constructor” was developed, which can be used for identifying the most dangerous vulnerabilities in the system and evaluating the effectiveness of various measures (countermeasures) realization for telemetric information protection from the impact of external and internal threats.
The reported study was funded by RFBR according to the research Project No. 18-00-00238 “Decision support methods and models for innovative project management based on knowledge engineering.”
References
1.WannaCry. Threat Landscape for Industrial Automation Systems in H2 2017 [Internet]. Available from: https://ics-cert.kaspersky.com/tag/ wannacry/ [Accessed: 10 May 2019]
2.Threat Landscape for Industrial Automation Systems. H2 2018 [Internet]. Available from: https://ics- cert.kaspersky.com/reports/2019/03/27 [Accessed: 10 May 2019]
3.Cyber Security Standards [Internet]. Available from: https://en.wikipedia.org/wiki/Cyber_security_standards [Accessed: 10 May 2019]
4.Byres E. Using ISA/IEC 62443 Standards to Improve Control System Security. Tofino Security White Paper. Version 1.2. Deutschland GmbH: Tofino Security, a Belden Brand, Belden Inc.; 2014
5.Salmeron JL. Modelling grey uncertainty with fuzzy grey cognitive maps. Expert Systems with Applications. 2010;37(12):7581-7588
6.Salmeron JL, Papageorgiou EI. Chapter 14: Using Fuzzy Grey Cognitive maps for industrial processes control. In: Fuzzy Cognitive Maps for Applied Sciences and Engineering: From Foundations to Extensions and Learning Algorithms. Intelligent Systems Reference Library. Vol. 54. Berlin/Heidelberg: Springer; 2014
7.Salmeron JL. Fuzzy grey cognitive maps-based intelligent security system. In: 2015 IEEE International Conference on Grey Systems and Intelligent Services (GSIS); August 12–20, 2015; Leicester, UK; 2015. pp. 29-32
8.Shishkin VM, Savkov SV. The method of interval estimation of risk-analysis system. In: Proceedings of the Second International Conference on Security of Information and Networks (SIN’09); October 6–10, 2009; Famagusta, North Cyprus; 2009. pp. 3-7
9.Hajek P, Prochazka O. Interval-valued fuzzy cognitive maps with genetic learning for predicting corporate financial distress. Univerzitet u Nišu. 2018;32(5):1657-1662
10.Vasilyev VI, Vulfin AM, Guzairov MB, Kirillova AD. Interval evaluation of information risk with the aid of fuzzy grey cognitive maps. Information Technology. 2018;24(10):657-664
11.Harmati IA, Koczy LT. On the Convergence of Fuzzy Grey Cognitive Maps. Information Technology, Systems Research, and Computational Physics. Springer Verlag; 2018. pp. 74-84
12.Zhang JY, Liu ZQ, Zhou S. Quotient FCMs—A decomposition theory for fuzzy cognitive maps. IEEE Transactions on Fuzzy Systems. 2003;11(5):593-604
13.D’Agostini C. Role and meaning of subjective probability: Some comments on common misconceptions. AIP Conference Proceedings. 2001;568(1):23-30. Available from: https://aip.scitation.org/doi/pdf [Accessed: 10 May 2019]
Written By
Vladimir I. Vasilyev, Alexey M. Vulfin and Liliya R. Chernyakhovskaya
Submitted: 17 April 2019Reviewed: 16 August 2019Published: 23 September 2019
Open access peer-reviewed chapter
