A Bayesian Framework for the Analysis and Optimal Mitigation of Cyber Threats to Cyber-Physical Systems
Access rights
openAccess
publishedVersion
A1 Original article in a scientific journal
This publication is imported from Aalto University research portal.
View publication in the Research portal (opens in new window)
View/Open full text file from the Research portal (opens in new window)
Language
en
Pages
16
Series
Risk Analysis, Volume 42, issue 10, pp. 2275-2290
Abstract
Critical infrastructures are increasingly reliant on information and communications technology (ICT) for more efficient operations, which, at the same time, exposes them to cyber threats. As the frequency and severity of cyberattacks are increasing, so are the costs of critical infrastructure security. Efficient allocation of resources is thus a crucial issue for cybersecurity. A common practice in managing cyber threats is to conduct a qualitative analysis of individual attack scenarios through risk matrices, prioritizing the scenarios according to their perceived urgency and addressing them in order until all the resources available for cybersecurity are spent. Apart from methodological caveats, this approach may lead to suboptimal resource allocations, given that potential synergies between different attack scenarios and among available security measures are not taken into consideration. To overcome this shortcoming, we propose a quantitative framework that features: (1) a more holistic picture of the cybersecurity landscape, represented as a Bayesian network (BN) that encompasses multiple attack scenarios and thus allows for a better appreciation of vulnerabilities; and (2) a multiobjective optimization model built on top of the said BN that explicitly represents multiple dimensions of the potential impacts of successful cyberattacks. Our framework adopts a broader perspective than the standard cost–benefit analysis and allows the formulation of more nuanced security objectives. We also propose a computationally efficient algorithm that identifies the set of Pareto–optimal portfolios of security measures that simultaneously minimize various types of expected cyberattack impacts, while satisfying budgetary and other constraints. We illustrate our framework with a case study of electric power grids.
Description
openaire: EC/H2020/740920/EU//CYBECO
Funding Information: The research was partly developed in the Young Scientists Summer Program at the International Institute for Applied Systems Analysis, Laxenburg (Austria) with financial support from the Academy of Finland. The research was partly supported by the European Union's Horizon 2020 Project 740920 CYBECO.
Publisher Copyright: © 2022 The Authors. Risk Analysis published by Wiley Periodicals LLC on behalf of Society for Risk Analysis
Citation
Żebrowski, P, Couce-Vieira, A & Mancuso, A 2022, 'A Bayesian Framework for the Analysis and Optimal Mitigation of Cyber Threats to Cyber-Physical Systems', Risk Analysis, vol. 42, no. 10, pp. 2275-2290. https://doi.org/10.1111/risa.13900