Cybersecurity Risk Analysis of Industrial Automation Systems on the Basis of Cognitive Modeling Technology

The issues of procuring the cybersecurity of modern industrial systems and networks acquire special urgency because of imperfection of their protection tools and presence of vulnerabilities. International standards ISA/IEC 62443 offer the system risk-oriented approach to solve the tasks of providing the security of industrial control systems (ICS) at all stages of life cycle. But in view of high uncertainty and complexity of procedure of formalizing the factors affecting the final indices of system security, the problem of cybersecurity risk assessment remains open and requires applying new approaches based on the technology of data mining and cognitive modeling. Cognitive modeling of risk assessment using fuzzy grey cognitive maps (FGCM) allows us to take into account the uncertainty factor arising in the process of vulnerability probability assessment for each of security nodes. The interval estimates of FGCM connection weights can reflect the scatter of expert group opinions that allows us to take into account more completely the data available for risk analysis. The main stages of ICS security assessment with use of FGCM are analyzed in the chapter on the example of distributed industrial automation network. The recommendations concerning the choice of the necessary countermeasures improving the level of network security in the conditions of possible external and internal threats are considered.


Introduction
Digital economy, cyber-physical objects, cyberspace, and Internet of Things are concepts that have firmly entered our lives in recent years. As a part of industrial revolution "Industry 4.0," the face of modern industrial enterprises, which actively use the transition to unmanned production technologies, the integration of information technologies into the most complex production processes, has dramatically changed. In this case, a distinctive feature of production is the close connection of technological networks with the corporate network, as it is necessary both for production management and for administration of industrial networks and systems. Modern technological networks, as a rule, have direct access to the Internet, for example, for maintenance and technical support of industrial automation systems by employees of organizations-contractors. Also, computers of contractors, developers, integrators, and system/network administrators connected to the technological network of the service company from the outside often have free access to the Internet.
Under such conditions, the problem of ensuring the security (cybersecurity) of industrial automation and control systems (IACS) sharply increases. In corporate networks, the object of protection is information and the problem of ensuring the confidentiality of information is primarily addressed. However, in the case of industrial automated control systems, the object of protection is already technological processes (TP), and not ensuring the confidentiality of information comes to the fore, but first of all ensuring the continuity and integrity of the TP itself. Speaking of IACS cybersecurity, the so-called digital attacks (cyber-attacks) are primarily considered associated with exposure to IACS through the control and monitoring devices-controllers, data acquisition and transmission devices, SCADA servers, workstations, telecom equipment, communication lines, etc.
The severity and relevance of IACS cybersecurity problem are confirmed by statistics of recent years, showing a sharp increase in the number of the targeted attacks on industrial networks and systems, as well as an increase in the scale of consequences of these attacks. A vivid example of a large-scale cyber-attack that hit a lot of companies around the world from May 12 to May 15, 2017 is the attack of a network worm-the coder WannaCry [1]. Among the victims of this wellcoordinated attack were companies engaged in various types of production, oil refineries, urban infrastructure facilities, and distribution power grids.
In May 2018, VPNFilter malware, which infected at least 500,000 routers and data storage devices in 54 countries around the world, was detected. The purpose of this software is to steal credentials, detect industrial SCADA equipment, and carry out various attacks using infected devices in the botnets. June 2018 was marked by a large-scale cyber-attack on telecommunications companies, communication satellite operators, and defense contractors in the United States and Southeast Asia. During the attack, the attackers infected computers used for managing the communication satellites and collecting geoposition data. According to experts' opinions, the purpose of the cyber-attack was espionage and data interception from civilian and military communication channels. In total, according to Kaspersky Lab, the share of attacked IACS computers in the world in 2018 increased by 3.2% compared with 2017 and amounted to 47.2% [2].
Considering the seriousness of the current situation and the need to take urgent measures, the international community and information security experts are concerned about finding effective ways to solve the problem of ensuring the security of industrial automated systems. For instance, the European Commission has developed the European Program for Critical Infrastructure Protection. Several international standards for ensuring the cybersecurity of automated process control systems have been proposed and effectively used in world practice, such as NERC Critical Infrastructure Protection, NIST SP 800-82 Guide to Industrial Control Systems Security, ISA/IEC 62443 Industrial Automation and Control Systems Security [3,4].
The basis of the requirements presented by the ISA/IEC 62443 standards series for ensuring the IACS security is a risk-oriented approach. In accordance with this approach, designing of a management system for a protected IACS involves the following stages: • high-level (preliminary) risk assessment of cyber-attacks effects; • building a reference model of IACS as the protection object, describing the classification of main activities types, technological process, automatic control systems, and other assets; • building an asset model, describing the hierarchy of main objects and assets of IACS, their interaction with networks, key divisions, etc.; • building a reference architecture model, reflecting all basic elements of IACS, telecommunication equipment, communication lines, etc.; • building a zone and conduct model, dividing the protected object into separate security zones; • detailed risk analysis for each selected zone; and • determination of the current security level for each zone and requirements to ensure the target security level of the zone, implemented by the choice of appropriate protection measures.
At the same time, the "bottleneck" of the above normative documents regulating the issues of ensuring IACS cybersecurity is the absence of formalized methods for detailed risk assessment. As the volume of statistical data, development of mathematical models of risk, threats, and security incidents increase, it becomes topical to develop methods and algorithms for quantitative risk assessment, ensuring the possibility of a reasonable choice of IACS devices and the necessary countermeasures both within individual security zones and ensuring the required cybersecurity level of IACS as a whole.
A promising way to solve this problem is the use of technology of cognitive modeling, based on construction and analysis of fuzzy grey cognitive maps (FGCM), which has been widely used in recent years [5][6][7][8][9][10]. Fuzzy grey (interval) cognitive maps are considered to be a good extension of fuzzy cognitive maps (FCM) family, since they are better suited to experts representations, have a greater interpretability and provide more degrees of freedom to the decision making person on the basis of modeling results.
Brief information concerning the "grey" system, the "grey" number, and the "grey" variable is presented below, and the mathematical apparatus of FGCM is considered. Then, on the example of solving the problem of ensuring the integrity of telemetric information in IACS, the technique of assessing the cybersecurity risks with use of FGCM is discussed. In the end of the chapter, the conclusions are drawn and the list of references is given.
Let us note one important circumstance. When considering below a specific example of AIS risk assessment using FGCM (Section 2), an approach based on decomposition of the original (integrated) FGCM by disclosing (detailing) the content of its concepts is used, resulting in the set of interconnected local FGCM that characterize certain aspects of AIS risks assessment procedure associated with the features of its subsystems. In ideological plan, this approach is based on the FCM decomposition theory and the algebra of FCM causal transformations proposed in [11,12]. However, the main difference between the approach described in [12] and our approach is that in [12] the detailed FCM system of a large size comes out as the original FCM, which reduces to a simpler (quotient) FCM by using the operations proposed by the authors. Each concept of this quotient FCM accumulates information on the state of several similar concepts of the original FCM, thus aggregating the corresponding concepts. In our case, on the contrary, the original FGCM has a small dimension, the number of forming its basic concepts corresponds to the number of basic subsystems of the system under study, and the decomposition of FGCM implies a representation of each concept of the original FGCM in the form of independent (local) FGCM, describing the behavior of this concept.

Theoretical foundations of building FGCM
The basis of building FGCM is the Grey Systems Theory, proposed in 1989 by Deng [10]. Within the framework of this theory, objects and systems with high uncertainty, represented by small samples of incomplete and inaccurate data, are studied. Depending on the character of the available information, the studied systems are divided into three types: • "white" systems (the internal structure and the properties of the system are completely known); • "grey" systems (partial information about the system is known); and • "black" systems (the internal structure and the properties of the system are completely unknown).
In accordance with the terminology of the grey systems theory, a fuzzy grey cognitive map is a cognitive model of a system in the form of a directed graph defined with use of the following set: where is the set of connections between concepts (arcs of the graph); and W ¼ W ij È É is the set of the relationships between the concepts determining the weights of these connections, i, j ð Þ∈ Ω. Here, is the set of the pairs of adjacent (interconnected) vertices indices, L ≤ n n À 1 ð Þ. In contrast to the traditional FCM representation, the weights of FGCM connections are set with the use of "grey" (interval) numbers ⊗ W ij , defined as where W ij and W ij are, respectively, the lower and the upper boundaries of the grey number. So, the weight of connection between i-th and j-th concepts (C i ! C j ) can take any value within the given range of change W ij , W ij It is assumed that the change of the concepts state in time is described by equations where ⊗ X i k ð Þ is the "grey" (interval) variable of the i-th concept C i state, the values of which at each time instant k ¼ 0, 1, 2, … belong to some interval ; f is the activation function of the i-th concept, mapping the argument values into the interval À1, 1 ½ .
The activation function f • ð Þ, as a rule, is accepted in the following form: a. linear function with saturation: b. bipolar sigmoid (hyperbolic tangent): c. unipolar sigmoid: To solve the system of equations (Eq. (3)), it is required to set the initial conditions ⊗ X i 0 ð Þ, which also should be considered as the grey numbers Most interesting is usually to obtain the equilibrium (steady state) solution, which is a grey vector lim To determine the stability of the steady-state solution ⊗ X * , one can use the theorem [12], according to which the only equilibrium (steady state) solution of equation (3) where the value of the positive constant H depends on the choice of activation function of the concepts: H ¼ 1 for function (Eq. (4)); H ¼ 2 for function (Eq. (5)); and H ¼ 4 for function (Eq. (6)). In the case of negative connection, i.e., for W ij < W ij < 0, we also put in (Eq. (7)) the upper boundary W ij of the grey number ⊗ W ij .
More detailed information on FGCM construction and their learning algorithms can be found in [5,6,9].

Risk assessment of IACS cybersecurity
Let us consider the task of assessment of IACS risk on the example of the automated system for collecting, storing, and processing the telemetric information (TMI) of the aviation equipment manufacturer. The current information on the state parameters of on-board aviation systems is continuously collected during the entire period of their operation by the ground services of technical maintenance. The detailed analysis of this information allows the subsequent making the right management decisions on the further operation and modification of on-board aviation systems. Therefore, the task of ensuring the integrity of the mentioned telemetric information under the conditions of possible impact of external and internal threats undoubtedly takes on particular significance.
The generalized structure of the studied territorially distributed automated information system (AIS), providing the collection, storage, and processing of TMI, is presented in Figure 1.
As the parts of AIS, the following subsystems (zones), combined according to the principle of the unity of functions performed and security requirements for their implementation, are identified: 1. The subsystem for collecting and storing the primary data at the service stations (Zone 1), which includes: The corresponding subsystems (security zones) are interconnected (see Figure 1) with the aid of telecommunication channels (conducts).
Using FGCM as a tool for cognitive modeling, let us turn to the task of analyzing the risks associated with ensuring the TMI integrity in AIS considered above, taking into account the impact of possible external and internal threats to the system. The original (integrated) FGCM for assessing the risks of AIS, serving in this case as the AIS cognitive model of initial approximation (zero decomposition level), is presented in Figure 2.
The following descriptions are used in Figure 2: superscript ("*") denotes the affiliation of the concept C * p to integrated FGCM and subscript (p) denotes the number of the concept ( Table 1).
The presence of the grey connection weights ⊗W ij indicates an uncertainty in the assessment of the mutual influence of main risk factors. The state variables of concepts ⊗ X * T 1 , ⊗ X * T 2 , ⊗ X i , i ¼ 1, 2, …, 5 ð Þ , ⊗ X * R represent the probabilities of occurrence of the enumerated events corresponding to the concepts C * T 1 , C * T 2 , C * 1 , …, C * 5 , C * R . Let us note that in this case we mean so-called subjective probabilities, reflecting the expert's point of view on the possibility of an event occurrence [13]. Taking into account that each of these events is a complex event consisting of a chain of consecutive elementary events, it is reasonable to decompose FGCM of AIS shown in Figure 2 as the set of FGCMs for separate concepts (AIS security zones containing targets objects for attack to TMI).
The first decomposition level of the original (integrated) FGCM is presented in Figure 3.
The following designations of the concepts are used in Figure 3: the superscript (q) of C q p indicates the belongings to the concept C q of the integrated FGCM; and the subscript (p) is the number of the concepts in the FGCM of the first level of decomposition ( Table 2). Figure 4 shows the further decomposition level (the second level) for the concept C * 1 , allowing to make clearer the impact of the threats on the considered target concept.
On the scheme, the following designations of the concepts of FGCM secondlevel decomposition are used: the superscript (q) of the C q, p r concept is the number of the concept (the parent concept of the zero decomposition level) of the original FGCM whose decomposition includes this element, the superscript index p is the number of the parent concept of the first level of decomposition, the subscript (r) is the number of the concept of the current level ( Table 3).
The further decomposition of the third level allows us to go to the detailed FGCM, which allows us to take into account the influence of individual vulnerabilities on the potential violation of TMI integrity in the intermediate information processing elements. Integrated FGCM for AIS risk assessment. ⊗W ij -the grey connection weights indicate an uncertainty in the assessment of the mutual influence of main risk factors and C * -concepts.
Concept Concept name C *

T1
Internal threat to TMI integrity (e.g., due to failures or erroneous actions of staff) C *

T2
External threat to TMI integrity (e.g., due to attempts of unauthorized access from outside to information)  Table 1.
List of the concepts of the integrated FGCM.
As for the concept C 1, 1 1 , characterizing the possibility to run in the browser of the client part of SCADA system on the base on Web technology (Zone 1), the corresponding decomposition can be represented as FGCM in Figure 5.
Here, the numbers 1-5 denote the following concepts: 1. the exploitation of the vulnerability of OS authorization system; 2. the exploitation of the vulnerability of SCADA Web client; 3. the exploitation of the vulnerability of OS browser for launching the client part of SCADA; 4. the exploitation of the vulnerability of access to OS memory; 5. the exploitation of the vulnerability of OPC UA client authorization system.
Similarly, it is possible to decompose the other concepts of original FGCM for the second decomposition level of Zone 1 presented in Figure 4 (Figures 6-9, Tables 4-6). The corresponding FGCM, revealing the content of the concept C 1, 1 2 (Zone 2), is shown in Figure 6. Consider the numerical example of risk assessment for the concept C 1, 1 1 ( Figure 5). Let us assume that while choosing the grey values of FGCM weights, it is necessary to focus on a certain fuzzy scale, which determines the strength of the connections between different concepts (see, e.g., Table 7).
Let us further assume that the expert estimated the values of FGCM connections weights in Figure 5 as follows ( Table 8).

Concept Concept name
Parent concept Internal threats to the integrity of TMI (concept T * 1 decomposition on the block diagram of AIS, Figure 1, i.e., the points of potential realization of the threat to TMI integrity by the internal subject of the system) External threats to TMI integrity (concept T * 2 decomposition) Access to TMI in the client-server SCADA Web-base before adding to the database of TMI operational storage C * 1 (Zone 1) Access to the database of operative TMI data storage Access to the network equipment Access to the module of Web server sending TMI data in the long-term storage of the enterprise-manufacturer Access to the network infrastructure C * 2 (Zone 2) Access to the Web client module that implements receiving TMI at the enterprise-manufacturer from remote service stations Unauthorized access to workstation (node 8 in Figure 1) of the core of CIN of the enterprise-manufacturer Access to the server of equipment status reports generated for users of Zone 4 Access to TMI in the long-term storage C * 3 (Zone 3) Access to computing cluster management server of Zone 5 C * 5 (Zone 5) IST 5 TMI integrity control model Table 2.
List of the first level decomposition concepts of the FGCM. Let us take a bipolar sigmoid (5) here as an activation function f • ð Þ for the concepts 1-5. Checking condition (7) for the data presented in Table 2 shows that i.e., the steady-states of FGCM will be stable. Access to operative TMI data on the client-server part of the SCADA before entering in the operative storage Access to the client to interact with the OPC UA server Access to the database of operative TMI storage data Table 3.
List of second-level decomposition concepts for Zone 1.  Using for calculation the "Cognitive Map Constructor" tool, which is described more detailed in the next section of this chapter, we will estimate the change in the upper and lower boundaries of the state variable X 5 over time k ¼ 1, 2, 3, …

Concept Concept name
Parent concept 6 Exploitation of the vulnerability of authorization system of the primary OS user Exploitation of the vulnerability of access to operating system memory 8 Exploitation of the vulnerability of Java virtual machine 9 Exploitation of the vulnerability of system software of application server for running the SCADA server Web application 10 The target concept of access to operative TMI data, which can be modified before adding to the database on the nodes of SCADA client-server type Table 4.
List of the concepts of the third decomposition level for AIS risks assessment of Zone 1.
List of the concepts of the third decomposition level of Zone 1.  As a result, the steady-state value of the grey state vector ⊗ X for FGCM presented in Figure 6, i.e., for the concept C 1, 1 1 decomposition is found as  (Figure 2)-the damage caused by the potential violation of TMI integrity in the AIS-after clarifying all weights by the level of decomposition of the original FGCM. Let us assume that the active threat is the internal threat of violation of the integrity of TMI, the value of which is determined by a grey number ⊗ X * T 1 ∈ 0, 6;0, 95 ½ . Risk assessment because of violation of the integrity of TMI information is defined as ⊗ X * R A ∈ 0:19;0:28 ½ . To reduce the potential damage from the violation of TMI integrity, a monitoring system, deployed as a protected container in Zone 5, is used. In Figure 3, this information protection tool is designated as a TMI integrity monitoring modelconcept IST 5 . The protected container ensures the continuous operation of the TMI integrity monitoring system, which implements online and offline analysis of operational data and data collected in the repository (Zone 3).

Concept Concept name
The concept of TMI integrity monitoring system as a whole has some peculiarities: • Simulated parameters of the aviation engine operation and TMI can be presented in the form of multidimensional technological time series; • Monitoring the TMI integrity is based on the analysis of the consistency of the behavior of parameters obtained by using the model of complex technical object, and taken from the on-board aircraft systems; • The output of the monitoring system is the evaluation of conditional probability of the events of data integrity violation events.
Risk value estimate due to violation of TMI information integrity after applying the tool based on the integrity monitoring model is ⊗ X * R A ∈ 0:07;0:15 ½ . Due to the significant amount of computation when working with FGCM containing a large number of concepts, it was necessary to develop a software tool to automate cognitive modeling with use of FGCM. The change in the state of concepts over time and the final states of the target concepts of the FGCM, calculated in the developed software tool, are presented in Figure 9.

Automation of risk analysis and management on the base of cognitive modeling technology
To improve an efficiency of risk analysis and management with use of FGCM, the special software tool "Cognitive Map Constructor" was developed. This software allows us to build and edit FGCM, use them to carry out the security risk analysis, and justify the choice of the necessary countermeasures from the given user-specified set. As a result, a diagram of risk assessment is built under various scenarios of countermeasures' implementation and threats' realization.
Besides supporting the FGCM with the installation of connections weights in the form of the upper and lower boundaries, the software allows us the use of linguistic terms of fuzzy logic, as well as setting the weights in the form of "white" crisp numbers. The software has the interface implemented in HTML using CSS, which allows displaying the FGCM and all the necessary accompanying information by the concepts and connections, and also is able to work on any graphical operating system that has a current Web browser.
There are five kinds of concepts which are used in FGCM: threats, information assets, intermediate concepts, targets, and countermeasures, which can be marked by different colors for convenience and clarity.
The set of the options depends on the type of the concept, but in most cases its name is specified with description, as well as its current state. In the case when the weights of all connections, pointing to the concept, are assumed to be equal, one can mark the option "Imposed weight" and set the desired value. For countermeasures, it is permissible to indicate which of existing countermeasure it is, that allows realizing situations when one countermeasure acts on several connections at once.
To establish the relationships between the concepts, it is necessary to click on the button "Placement" of the action group "Connections" in the tool window. After that, the connections are located by pressing consecutively on the initial and final element. The located countermeasures and initial states of the concepts can be adjusted and combined, creating the different scenarios that allow us to compare the effectiveness of countermeasures. Figures 10 and 11 show the FGCM risk estimates built in the "Cognitive Map Constructor." Thus, the developed software "Cognitive Map Constructor" allows evaluating the effectiveness of the use of the TMI integrity monitoring system in the protection of telemetric information from the effects of external and internal threats.

Conclusions
A promising way to solve the problem of assessing the cybersecurity risks of industrial automated systems is to model the threats realization scenarios using the tools of topological analysis of the system security and cognitive modeling with the aid of Fuzzy Grey Cognitive Maps.
At the basis of this approach, the construction of original FGCM is proposed to assess the risk of automated control system with the following decomposition of FGCM into the number of cognitive maps of the next level of detail (the same as it is done in IDEF0 Functional Modeling technology). The features of construction of this procedure are discussed in this chapter in relation to the task of ensuring the telemetry information integrity in the industrial automated system for collecting, storing, and processing information on the conditions of on-board aviation systems. It is shown that the use of FGCM allows us to obtain more reliable estimates of security risk factors with account of the possible variations of the available actual data and expert opinions.
To automate the proposed risk assessment procedure in the considered system for collecting, storing, and processing telemetry information with use of FGCM, the software tool "Cognitive Map Constructor" was developed, which can be used for identifying the most dangerous vulnerabilities in the system and evaluating the effectiveness of various measures (countermeasures) realization for telemetric information protection from the impact of external and internal threats.