Main Article Content
Evaluating Industrial Control System (ICS) security vulnerability through functional dependency analysis
Abstract
Industrial Control Systems are highly interconnected infrastructures and networks that are used to control and manage industrial processes. Irrespective of the form assumed; Supervisory Control and data Acquisition System (SCADA), Distribution Control System (DCS), Process Control System (PCS), etc., a form of dependency exist within the setup, contextualised defined as the connection between two or more assets or infrastructure, such that the state of one can influence unilaterally, or correlate to the state of the other. This phenomenon introduces security threats, vulnerabilities, and risks in the emerging setup where IT are combined with OT for improving operational performance and productivity. However, since the criticality of cyber-attack impacts on ICS infrastructure can be quite huge, rapid, and damaging; there are needs for responses that can leverage new security concepts and approaches and expedite security assurance. In this paper, a functional dependency modelling perspective is considered, and a cascading impact scoping approach is presented for determining the potential impact of exploiting security vulnerabilities on targeted ICS infrastructure. The outcome can be used to influence security decision-making for improved cybersecure ICS. The proposed technique is validated using real cyber-attack and vulnerability analysis scenario on an assembly-line ICS testbed. The proposed approach offers episteme into the various destructive capacities possible from the failure of functionally dependent ICS components. A cascading impact value (CIV) metric is also proposed which can be adopted when evaluating an industrial system‟s security in a much quicker decision-making and response order, to avert potential damages and help improve cyber security in the ICS environment.
Keywords: Cybersecurity, Functional dependency, Security Interdependencies, Cyber-Physical Interdependencies, Industrial Cyber Security