Open access peer-reviewed chapter - ONLINE FIRST

Cybersecurity Risk Analysis of Industrial Automation Systems on the Basis of Cognitive Modeling Technology

By Vladimir I. Vasilyev, Alexey M. Vulfin and Liliya R. Chernyakhovskaya

Submitted: April 17th 2019Reviewed: August 16th 2019Published: September 23rd 2019

DOI: 10.5772/intechopen.89215

Downloaded: 53

Abstract

The issues of procuring the cybersecurity of modern industrial systems and networks acquire special urgency because of imperfection of their protection tools and presence of vulnerabilities. International standards ISA/IEC 62443 offer the system risk-oriented approach to solve the tasks of providing the security of industrial control systems (ICS) at all stages of life cycle. But in view of high uncertainty and complexity of procedure of formalizing the factors affecting the final indices of system security, the problem of cybersecurity risk assessment remains open and requires applying new approaches based on the technology of data mining and cognitive modeling. Cognitive modeling of risk assessment using fuzzy grey cognitive maps (FGCM) allows us to take into account the uncertainty factor arising in the process of vulnerability probability assessment for each of security nodes. The interval estimates of FGCM connection weights can reflect the scatter of expert group opinions that allows us to take into account more completely the data available for risk analysis. The main stages of ICS security assessment with use of FGCM are analyzed in the chapter on the example of distributed industrial automation network. The recommendations concerning the choice of the necessary countermeasures improving the level of network security in the conditions of possible external and internal threats are considered.

Keywords

  • fuzzy grey cognitive map
  • cybersecurity risk analysis
  • industrial automation systems
  • cognitive modeling
  • integrity control model automation system

1. Introduction

Digital economy, cyber-physical objects, cyberspace, and Internet of Things are concepts that have firmly entered our lives in recent years. As a part of industrial revolution “Industry 4.0,” the face of modern industrial enterprises, which actively use the transition to unmanned production technologies, the integration of information technologies into the most complex production processes, has dramatically changed. In this case, a distinctive feature of production is the close connection of technological networks with the corporate network, as it is necessary both for production management and for administration of industrial networks and systems. Modern technological networks, as a rule, have direct access to the Internet, for example, for maintenance and technical support of industrial automation systems by employees of organizations—contractors. Also, computers of contractors, developers, integrators, and system/network administrators connected to the technological network of the service company from the outside often have free access to the Internet.

Under such conditions, the problem of ensuring the security (cybersecurity) of industrial automation and control systems (IACS) sharply increases. In corporate networks, the object of protection is information and the problem of ensuring the confidentiality of information is primarily addressed. However, in the case of industrial automated control systems, the object of protection is already technological processes (TP), and not ensuring the confidentiality of information comes to the fore, but first of all ensuring the continuity and integrity of the TP itself. Speaking of IACS cybersecurity, the so-called digital attacks (cyber-attacks) are primarily considered associated with exposure to IACS through the control and monitoring devices—controllers, data acquisition and transmission devices, SCADA servers, workstations, telecom equipment, communication lines, etc.

The severity and relevance of IACS cybersecurity problem are confirmed by statistics of recent years, showing a sharp increase in the number of the targeted attacks on industrial networks and systems, as well as an increase in the scale of consequences of these attacks. A vivid example of a large-scale cyber-attack that hit a lot of companies around the world from May 12 to May 15, 2017 is the attack of a network worm—the coder WannaCry [1]. Among the victims of this well-coordinated attack were companies engaged in various types of production, oil refineries, urban infrastructure facilities, and distribution power grids.

In May 2018, VPNFilter malware, which infected at least 500,000 routers and data storage devices in 54 countries around the world, was detected. The purpose of this software is to steal credentials, detect industrial SCADA equipment, and carry out various attacks using infected devices in the botnets. June 2018 was marked by a large-scale cyber-attack on telecommunications companies, communication satellite operators, and defense contractors in the United States and Southeast Asia. During the attack, the attackers infected computers used for managing the communication satellites and collecting geoposition data. According to experts’ opinions, the purpose of the cyber-attack was espionage and data interception from civilian and military communication channels. In total, according to Kaspersky Lab, the share of attacked IACS computers in the world in 2018 increased by 3.2% compared with 2017 and amounted to 47.2% [2].

Considering the seriousness of the current situation and the need to take urgent measures, the international community and information security experts are concerned about finding effective ways to solve the problem of ensuring the security of industrial automated systems. For instance, the European Commission has developed the European Program for Critical Infrastructure Protection. Several international standards for ensuring the cybersecurity of automated process control systems have been proposed and effectively used in world practice, such as NERC Critical Infrastructure Protection, NIST SP 800-82 Guide to Industrial Control Systems Security, ISA/IEC 62443 Industrial Automation and Control Systems Security [3, 4].

The basis of the requirements presented by the ISA/IEC 62443 standards series for ensuring the IACS security is a risk-oriented approach. In accordance with this approach, designing of a management system for a protected IACS involves the following stages:

  • high-level (preliminary) risk assessment of cyber-attacks effects;

  • building a reference model of IACS as the protection object, describing the classification of main activities types, technological process, automatic control systems, and other assets;

  • building an asset model, describing the hierarchy of main objects and assets of IACS, their interaction with networks, key divisions, etc.;

  • building a reference architecture model, reflecting all basic elements of IACS, telecommunication equipment, communication lines, etc.;

  • building a zone and conduct model, dividing the protected object into separate security zones;

  • detailed risk analysis for each selected zone; and

  • determination of the current security level for each zone and requirements to ensure the target security level of the zone, implemented by the choice of appropriate protection measures.

At the same time, the “bottleneck” of the above normative documents regulating the issues of ensuring IACS cybersecurity is the absence of formalized methods for detailed risk assessment. As the volume of statistical data, development of mathematical models of risk, threats, and security incidents increase, it becomes topical to develop methods and algorithms for quantitative risk assessment, ensuring the possibility of a reasonable choice of IACS devices and the necessary countermeasures both within individual security zones and ensuring the required cybersecurity level of IACS as a whole.

A promising way to solve this problem is the use of technology of cognitive modeling, based on construction and analysis of fuzzy grey cognitive maps (FGCM), which has been widely used in recent years [5, 6, 7, 8, 9, 10]. Fuzzy grey (interval) cognitive maps are considered to be a good extension of fuzzy cognitive maps (FCM) family, since they are better suited to experts representations, have a greater interpretability and provide more degrees of freedom to the decision making person on the basis of modeling results.

Brief information concerning the “grey” system, the “grey” number, and the “grey” variable is presented below, and the mathematical apparatus of FGCM is considered. Then, on the example of solving the problem of ensuring the integrity of telemetric information in IACS, the technique of assessing the cybersecurity risks with use of FGCM is discussed. In the end of the chapter, the conclusions are drawn and the list of references is given.

Let us note one important circumstance. When considering below a specific example of AIS risk assessment using FGCM (Section 2), an approach based on decomposition of the original (integrated) FGCM by disclosing (detailing) the content of its concepts is used, resulting in the set of interconnected local FGCM that characterize certain aspects of AIS risks assessment procedure associated with the features of its subsystems. In ideological plan, this approach is based on the FCM decomposition theory and the algebra of FCM causal transformations proposed in [11, 12]. However, the main difference between the approach described in [12] and our approach is that in [12] the detailed FCM system of a large size comes out as the original FCM, which reduces to a simpler (quotient) FCM by using the operations proposed by the authors. Each concept of this quotient FCM accumulates information on the state of several similar concepts of the original FCM, thus aggregating the corresponding concepts. In our case, on the contrary, the original FGCM has a small dimension, the number of forming its basic concepts corresponds to the number of basic subsystems of the system under study, and the decomposition of FGCM implies a representation of each concept of the original FGCM in the form of independent (local) FGCM, describing the behavior of this concept.

2. Theoretical foundations of building FGCM

The basis of building FGCM is the Grey Systems Theory, proposed in 1989 by Deng [10]. Within the framework of this theory, objects and systems with high uncertainty, represented by small samples of incomplete and inaccurate data, are studied. Depending on the character of the available information, the studied systems are divided into three types:

  • “white” systems (the internal structure and the properties of the system are completely known);

  • “grey” systems (partial information about the system is known); and

  • “black” systems (the internal structure and the properties of the system are completely unknown).

In accordance with the terminology of the grey systems theory, a fuzzy grey cognitive map is a cognitive model of a system in the form of a directed graph defined with use of the following set:

FGCM=CFW,E1

where C=Ciis the set of concepts (vertices of the graph), i=12n; F=Fijis the set of connections between concepts (arcs of the graph); and W=Wijis the set of the relationships between the concepts determining the weights of these connections, ijΩ. Here, Ω=i1j1i2j2iLjLis the set of the pairs of adjacent (interconnected) vertices indices, Lnn1.

In contrast to the traditional FCM representation, the weights of FGCM connections are set with the use of “grey” (interval) numbers Wij, defined as

WijWij¯Wij¯,whereWij¯<Wij¯,Wij¯Wij¯11,E2

where Wij¯and Wij¯are, respectively, the lower and the upper boundaries of the grey number. So, the weight of connection between i-th and j-th concepts (CiCj) can take any value within the given range of change Wij¯Wij¯11. In the particular case, when Wij¯=Wij¯, we get WijWij¯Wij¯—a “white” (crisp, usual) number.

It is assumed that the change of the concepts state in time is described by equations

Xik+1=fXik+j=1jinWjiXjk,i=12n,E3

where Xikis the “grey” (interval) variable of the i-th concept Cistate, the values of which at each time instant k=0,1,2,belong to some interval Xi¯kXi¯k; fis the activation function of the i-th concept, mapping the argument values into the interval 11. The activation function f, as a rule, is accepted in the following form:

  1. linear function with saturation:

fx=x,ifx1;sgnx,ifx>1,E4

  1. bipolar sigmoid (hyperbolic tangent):

fx=1ex1+ex=thx2;E5

  1. unipolar sigmoid:

fx=1/1+ex.E6

To solve the system of equations (Eq. (3)), it is required to set the initial conditions Xi0, which also should be considered as the grey numbers Xi0Xi¯0Xi¯0. Most interesting is usually to obtain the equilibrium (steady state) solution, which is a grey vector limkXik=XX¯X¯or a limit cycle (strange attractor).

To determine the stability of the steady-state solution X,one can use the theorem [12], according to which the only equilibrium (steady state) solution of equation (3) (“the fixed point”) exists if and only if

i,j=1nW¯ij212<H,E7

where the value of the positive constant Hdepends on the choice of activation function of the concepts: H=1for function (Eq. (4)); H=2for function (Eq. (5)); and H=4for function (Eq. (6)). In the case of negative connection, i.e., for W¯ij<W¯ij<0, we also put in (Eq. (7)) the upper boundary W¯ijof the grey number Wij.

More detailed information on FGCM construction and their learning algorithms can be found in [5, 6, 9].

3. Risk assessment of IACS cybersecurity

Let us consider the task of assessment of IACS risk on the example of the automated system for collecting, storing, and processing the telemetric information (TMI) of the aviation equipment manufacturer. The current information on the state parameters of on-board aviation systems is continuously collected during the entire period of their operation by the ground services of technical maintenance. The detailed analysis of this information allows the subsequent making the right management decisions on the further operation and modification of on-board aviation systems. Therefore, the task of ensuring the integrity of the mentioned telemetric information under the conditions of possible impact of external and internal threats undoubtedly takes on particular significance.

The generalized structure of the studied territorially distributed automated information system (AIS), providing the collection, storage, and processing of TMI, is presented in Figure 1.

Figure 1.

The generalized structure of territorially distributed automated information system for the collection, storage, and processing of TMI. The corresponding subsystems (security zones) are interconnected with the aid of telecommunication channels (conducts).

As the parts of AIS, the following subsystems (zones), combined according to the principle of the unity of functions performed and security requirements for their implementation, are identified:

  1. The subsystem for collecting and storing the primary data at the service stations (Zone 1), which includes:

    Element 1—the client part of the SCADA system Web-base;

    Element 2—the server part of the SCADA system Web-base;

    Element 3—OPC UA client;

    Element 4—the temporary storage for accommodating the operative telemetry data accumulated at the object;

    Element 5—the server part of the accumulated data transmission to the storage of the aviation equipment manufacturer;

  2. The core of the corporate information network (CIN) of the enterprise-manufacturer (Zone 2), where:

    Element 6—the client part for providing access to the server of the service station transferring the accumulated operational data of TMI to the enterprise-manufacturer’s storage;

    Element 8—the workstations of administrator and service personnel of the CIN core of the enterprise-manufacturer;

  3. TMI storage subsystem with fault tolerance functions (Zone 3), where:

    Element 7—the node of access to TMI data storage at the enterprise-manufacturer;

  4. TMI data processing subsystem with the use of a hierarchy of mathematical models of aviation equipment (Zone 4);

  5. Subsystem of support and implementation of business processes of the enterprise-manufacturer (Zone 5).

The corresponding subsystems (security zones) are interconnected (see Figure 1) with the aid of telecommunication channels (conducts).

Using FGCM as a tool for cognitive modeling, let us turn to the task of analyzing the risks associated with ensuring the TMI integrity in AIS considered above, taking into account the impact of possible external and internal threats to the system. The original (integrated) FGCM for assessing the risks of AIS, serving in this case as the AIS cognitive model of initial approximation (zero decomposition level), is presented in Figure 2.

Figure 2.

Integrated FGCM for AIS risk assessment. ⊗ W ∼ ij —the grey connection weights indicate an uncertainty in the assessment of the mutual influence of main risk factors and C ∗ —concepts.

The following descriptions are used in Figure 2: superscript (“*”) denotes the affiliation of the concept Cpto integrated FGCM and subscript (p) denotes the number of the concept (Table 1).

ConceptConcept name
CT1Internal threat to TMI integrity (e.g., due to failures or erroneous actions of staff)
CT2External threat to TMI integrity (e.g., due to attempts of unauthorized access from outside to information)
C1Modification of TMI data in Zone 1
C2Modification of TMI data in Zone 2
C3Modification of TMI data in Zone 3
C5Modification of TMI data in Zone 5
CRPotential damage caused by violation of TMI integrity in AIS

Table 1.

List of the concepts of the integrated FGCM.

The presence of the grey connection weights Wijindicates an uncertainty in the assessment of the mutual influence of main risk factors. The state variables of concepts XT1, XT2, Xi, i=125, XRrepresent the probabilities of occurrence of the enumerated events corresponding to the concepts CT1, CT2, C1, …, C5,CR. Let us note that in this case we mean so-called subjective probabilities, reflecting the expert’s point of view on the possibility of an event occurrence [13]. Taking into account that each of these events is a complex event consisting of a chain of consecutive elementary events, it is reasonable to decompose FGCM of AIS shown in Figure 2 as the set of FGCMs for separate concepts (AIS security zones containing targets objects for attack to TMI).

The first decomposition level of the original (integrated) FGCM is presented in Figure 3.

Figure 3.

The first level of FGCM decomposition to assess the AIS risks.

The following designations of the concepts are used in Figure 3: the superscript (q) of Cpqindicates the belongings to the concept Cqof the integrated FGCM; and the subscript (p) is the number of the concepts in the FGCM of the first level of decomposition (Table 2).

ConceptConcept nameParent concept
T11T18Internal threats to the integrity of TMI (concept T1decomposition on the block diagram of AIS, Figure 1, i.e., the points of potential realization of the threat to TMI integrity by the internal subject of the system)T1
T21,T22External threats to TMI integrity (concept T2decomposition)T2
C11Access to TMI in the client-server SCADA Web-base before adding to the database of TMI operational storageC1(Zone 1)
C21Access to the database of operative TMI data storage
C31Access to the network equipment
C41Access to the module of Web server sending TMI data in the long-term storage of the enterprise-manufacturer
C52Access to the network infrastructureC2(Zone 2)
C62Access to the Web client module that implements receiving TMI at the enterprise-manufacturer from remote service stations
C82Unauthorized access to workstation (node 8 in Figure 1) of the core of CIN of the enterprise-manufacturer
C102Access to the server of equipment status reports generated for users of Zone 4
C73Access to TMI in the long-term storageC3(Zone 3)
C95Access to computing cluster management server of Zone 5C5(Zone 5)
IST5TMI integrity control model

Table 2.

List of the first level decomposition concepts of the FGCM.

Figure 4 shows the further decomposition level (the second level) for the concept C1, allowing to make clearer the impact of the threats on the considered target concept.

Figure 4.

The second level of FGCM decomposition for assessing AIS risk in Zone 1.

On the scheme, the following designations of the concepts of FGCM second-level decomposition are used: the superscript (q) of the Crq,pconcept is the number of the concept (the parent concept of the zero decomposition level) of the original FGCM whose decomposition includes this element, the superscript index p is the number of the parent concept of the first level of decomposition, the subscript (r) is the number of the concept of the current level (Table 3).

ConceptConcept nameParent concept
C11,1Access to HMI client SCADAC11
C21,1Access to operative TMI data on the client-server part of the SCADA before entering in the operative storage
C31,2Access to the client to interact with the OPC UA serverC21
C41,2Access to the database of operative TMI storage data

Table 3.

List of second-level decomposition concepts for Zone 1.

The further decomposition of the third level allows us to go to the detailed FGCM, which allows us to take into account the influence of individual vulnerabilities on the potential violation of TMI integrity in the intermediate information processing elements.

As for the concept C11,1, characterizing the possibility to run in the browser of the client part of SCADA system on the base on Web technology (Zone 1), the corresponding decomposition can be represented as FGCM in Figure 5.

Figure 5.

The third level of FGCM decomposition—the concept C 1 1 , 1 .

Here, the numbers 1–5 denote the following concepts:

  1. the exploitation of the vulnerability of OS authorization system;

  2. the exploitation of the vulnerability of SCADA Web client;

  3. the exploitation of the vulnerability of OS browser for launching the client part of SCADA;

  4. the exploitation of the vulnerability of access to OS memory;

  5. the exploitation of the vulnerability of OPC UA client authorization system.

Similarly, it is possible to decompose the other concepts of original FGCM for the second decomposition level of Zone 1 presented in Figure 4 (Figures 69, Tables 46). The corresponding FGCM, revealing the content of the concept C21,1(Zone 2), is shown in Figure 6.

Figure 6.

Decomposition of the concept C 2 1 , 1 of FGCM for AIS risk assessment (Zone 1).

Figure 7.

Decomposition of the concepts C 6 1 , 3 and C 5 1 , 4 of the second level of FGCM decomposition.

Figure 8.

Decomposition of the concepts C 3 1 , 2 and C 4 1 , 2 of FGCM for AIS risk assessment.

Figure 9.

FGCM concepts states for risk assessment of Zone 1 (the change in the state of concepts over time and the final states of the target concepts of the FGCM, software window form).

ConceptConcept nameParent concept
6Exploitation of the vulnerability of authorization system of the primary OS userC21,1
7Exploitation of the vulnerability of access to operating system memory
8Exploitation of the vulnerability of Java virtual machine
9Exploitation of the vulnerability of system software of application server for running the SCADA server Web application
10The target concept of access to operative TMI data, which can be modified before adding to the database on the nodes of SCADA client-server type

Table 4.

List of the concepts of the third decomposition level for AIS risks assessment of Zone 1.

ConceptConcept nameParent concept
19Exploitation of the vulnerability of authorization system of the main OS userC51,4
20Exploitation of the vulnerability of system software implementing work of Apache Web application server, MySQL DBMS, PHP runtime frameworks to support interactive Web pages
21Exploitation of the vulnerability of OS memory access
22Exploitation of the vulnerability of Java Virtual Machine Memory Access
23Exploitation of the vulnerability of Application Server Software
24The target concept of unauthorized launching of the module for access to the database of operative storage of TMI at service stations
25Exploitation of the vulnerability of authorization system of the main OS userC61,3
26Exploitation of the vulnerability of access to operating system memory

Table 5.

List of the concepts of the third decomposition level of Zone 1.

ConceptConcept nameParent concept
14Exploitation of the vulnerability of authorization system of the main OS userC41,2
15Exploitation of the vulnerability of OS memory access
16Exploitation of the vulnerability of authorization system of the main DBMS user
17Exploitation of the vulnerability of DBMS memory access
18The target concept of unauthorized modification of TMI operative data TMI stored in the database
11Exploitation of the vulnerability of authorization system of the client part of OPC Client UA softwareC31,2
12Exploitation of the vulnerability of authorization system of the main OS user
13Exploitation of the vulnerability of OS memory access

Table 6.

List of the concepts of the third level of FGCM decomposition of Zone 1.

Consider the numerical example of risk assessment for the concept C11,1(Figure 5).

Let us assume that while choosing the grey values of FGCM weights, it is necessary to focus on a certain fuzzy scale, which determines the strength of the connections between different concepts (see, e.g., Table 7).

Linguistic meaning of connection strengthNumeric range
Does not affect0
Very weak(0; 0.15]
Weak(0.15; 0.35]
Average(0.35; 0.6]
Strong(0.6; 0.85]
Very strong(0.85; 1]

Table 7.

Evaluation of the strength of communication between concepts.

Let us further assume that the expert estimated the values of FGCM connections weights in Figure 5 as follows (Table 8).

Connection weightThe value of the connection weightGreyness (scatter of assessment)
WT11[0.6; 0.75]0.075
W12[0.5; 0.7]0.1
W13[0.5; 0.7]0.1
W14[0.15; 0.3]0.075
W25[0.55; 0.65]0.05
W32[0.35; 0.55]0.1
W35[0.55; 0.65]0.05
W42[0.3; 0.5]0.1
W43[0.15; 0.3]0.075
W45[0.2; 0.45]0.125

Table 8.

The values of communications FGCM weights.

Let us take a bipolar sigmoid (5) here as an activation function ffor the concepts 1–5. Checking condition (7) for the data presented in Table 2 shows that

i,j=15W¯ij212=2,76=1.66<2,E8

i.e., the steady-states of FGCM will be stable.

Using for calculation the “Cognitive Map Constructor” tool, which is described more detailed in the next section of this chapter, we will estimate the change in the upper and lower boundaries of the state variable X5over time k=1,2,3,(Tables 9 and 10). The state of the input concept CT1is defined here as XT1k=0.81for all =0,1,2,; the initial conditions for other state variables X10÷X50are assumed to be zero, i.e., equal to 00.

k12345678
X¯i
X¯10.360.500.550.570.580.580.580.58
X¯200.1250.280.400.480.520.540.55
X¯300.1250.240.320.360.380.390.40
X¯400.0540.100.130.150.160.160.16
X¯5000.0930.230.360.450.500.53

Table 9.

Upper boundaries of concept state estimates.

k12345678
X¯i
X¯10.240.340.390.410.430.430.430.43
X¯200.0590.130.180.220.250.270.28
X¯300.0590.1150.160.180.190.200.20
X¯400.0180.0340.0460.0520.0580.060.06
X¯5000.0340.0870.140.180.210.24

Table 10.

Lower boundaries of concept state estimates.

As a result, the steady-state value of the grey state vector Xfor FGCM presented in Figure 6, i.e., for the concept C11,1decomposition is found as

X=081043058028055020040006016024053,

and the final value for the target concept state is determined by the grey number X5024053.

Consider the state of the target concept CR(Figure 2)—the damage caused by the potential violation of TMI integrity in the AIS—after clarifying all weights by the level of decomposition of the original FGCM. Let us assume that the active threat is the internal threat of violation of the integrity of TMI, the value of which is determined by a grey number XT106095.

Risk assessment because of violation of the integrity of TMI information is defined as XRA0.190.28.

To reduce the potential damage from the violation of TMI integrity, a monitoring system, deployed as a protected container in Zone 5, is used. In Figure 3, this information protection tool is designated as a TMI integrity monitoring model—concept IST5. The protected container ensures the continuous operation of the TMI integrity monitoring system, which implements online and offline analysis of operational data and data collected in the repository (Zone 3).

The concept of TMI integrity monitoring system as a whole has some peculiarities:

  • Simulated parameters of the aviation engine operation and TMI can be presented in the form of multidimensional technological time series;

  • Monitoring the TMI integrity is based on the analysis of the consistency of the behavior of parameters obtained by using the model of complex technical object, and taken from the on-board aircraft systems;

  • The output of the monitoring system is the evaluation of conditional probability of the events of data integrity violation events.

Risk value estimate due to violation of TMI information integrity after applying the tool based on the integrity monitoring model is XRA0.070.15.

Due to the significant amount of computation when working with FGCM containing a large number of concepts, it was necessary to develop a software tool to automate cognitive modeling with use of FGCM. The change in the state of concepts over time and the final states of the target concepts of the FGCM, calculated in the developed software tool, are presented in Figure 9.

4. Automation of risk analysis and management on the base of cognitive modeling technology

To improve an efficiency of risk analysis and management with use of FGCM, the special software tool “Cognitive Map Constructor” was developed. This software allows us to build and edit FGCM, use them to carry out the security risk analysis, and justify the choice of the necessary countermeasures from the given user-specified set. As a result, a diagram of risk assessment is built under various scenarios of countermeasures’ implementation and threats’ realization.

Besides supporting the FGCM with the installation of connections weights in the form of the upper and lower boundaries, the software allows us the use of linguistic terms of fuzzy logic, as well as setting the weights in the form of “white” crisp numbers. The software has the interface implemented in HTML using CSS, which allows displaying the FGCM and all the necessary accompanying information by the concepts and connections, and also is able to work on any graphical operating system that has a current Web browser.

There are five kinds of concepts which are used in FGCM: threats, information assets, intermediate concepts, targets, and countermeasures, which can be marked by different colors for convenience and clarity.

The set of the options depends on the type of the concept, but in most cases its name is specified with description, as well as its current state. In the case when the weights of all connections, pointing to the concept, are assumed to be equal, one can mark the option “Imposed weight” and set the desired value. For countermeasures, it is permissible to indicate which of existing countermeasure it is, that allows realizing situations when one countermeasure acts on several connections at once.

To establish the relationships between the concepts, it is necessary to click on the button “Placement” of the action group “Connections” in the tool window. After that, the connections are located by pressing consecutively on the initial and final element. The located countermeasures and initial states of the concepts can be adjusted and combined, creating the different scenarios that allow us to compare the effectiveness of countermeasures.

Figures 10 and 11 show the FGCM risk estimates built in the “Cognitive Map Constructor.”

Figure 10.

FGCM for risk assessment of data collection and storage subsystem at the service stations (Zone 1) (software window form).

Figure 11.

FGCM for risk assessment in the core of the CIN (Zone 2) and TMI (software window form).

Thus, the developed software “Cognitive Map Constructor” allows evaluating the effectiveness of the use of the TMI integrity monitoring system in the protection of telemetric information from the effects of external and internal threats.

5. Conclusions

A promising way to solve the problem of assessing the cybersecurity risks of industrial automated systems is to model the threats realization scenarios using the tools of topological analysis of the system security and cognitive modeling with the aid of Fuzzy Grey Cognitive Maps.

At the basis of this approach, the construction of original FGCM is proposed to assess the risk of automated control system with the following decomposition of FGCM into the number of cognitive maps of the next level of detail (the same as it is done in IDEF0 Functional Modeling technology). The features of construction of this procedure are discussed in this chapter in relation to the task of ensuring the telemetry information integrity in the industrial automated system for collecting, storing, and processing information on the conditions of on-board aviation systems. It is shown that the use of FGCM allows us to obtain more reliable estimates of security risk factors with account of the possible variations of the available actual data and expert opinions.

To automate the proposed risk assessment procedure in the considered system for collecting, storing, and processing telemetry information with use of FGCM, the software tool “Cognitive Map Constructor” was developed, which can be used for identifying the most dangerous vulnerabilities in the system and evaluating the effectiveness of various measures (countermeasures) realization for telemetric information protection from the impact of external and internal threats.

Acknowledgments

The reported study was funded by RFBR according to the research Project No. 18-00-00238 “Decision support methods and models for innovative project management based on knowledge engineering.”

Download

chapter PDF

© 2019 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution 3.0 License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite and reference

Link to this chapter Copy to clipboard

Cite this chapter Copy to clipboard

Vladimir I. Vasilyev, Alexey M. Vulfin and Liliya R. Chernyakhovskaya (September 23rd 2019). Cybersecurity Risk Analysis of Industrial Automation Systems on the Basis of Cognitive Modeling Technology [Online First], IntechOpen, DOI: 10.5772/intechopen.89215. Available from:

chapter statistics

53total chapter downloads

More statistics for editors and authors

Login to your personal dashboard for more detailed statistics on your publications.

Access personal reporting

We are IntechOpen, the world's leading publisher of Open Access books. Built by scientists, for scientists. Our readership spans scientists, professors, researchers, librarians, and students, as well as business professionals. We share our knowledge and peer-reveiwed research papers with libraries, scientific and engineering societies, and also work with corporate R&D departments and government entities.

More About Us