Computer Science ›› 2024, Vol. 51 ›› Issue (10): 380-390. doi: 10.11896/jsjkx.231000189

• Information Security •

SSPN-RA: Security Integration Risk Assessment Method for ICS Based on SS-petri Net

MA Zigang1, MA Rongkuan1, LI Beibei2, XIE Yaobin1, WEI Qiang1, PENG Minwei1   

  1. 1 School of Cyber Security, Information Engineering University, Zhengzhou 450001, China
    2 School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China
  • Received: 2023-10-27 Revised: 2024-03-23 Online: 2024-10-15 Published: 2024-10-11
  • About author: MA Zigang, born in 1999, postgraduate. His main research interests include industrial security and so on.
    MA Rongkuan, born in 1992, Ph.D. His main research interests include industrial security and IoT security.
  • Supported by:
    National Key R&D Program of China (2020YFB2010900) and Program for Innovation Leading Scientists and Technicians of Zhongyuan (224200510002).

Abstract: With the continuous integration of informatization and industrialization, the information domain and the physical domain in industrial control systems intersect more and more, and network attacks on traditional information systems now threaten industrial control system networks. Traditional industrial control systems consider only the risks of functional safety and ignore the impact of information security risks on functional safety. This paper proposes SSPN-RA, an integrated risk modeling method for the functional safety and information security of industrial control systems based on an improved Petri net. It comprises three steps: integrated risk identification, integrated risk analysis and integrated risk assessment. The method first identifies and abstracts the functional safety data and information security data in the industrial control system, and then, in the risk analysis process, analyzes the collaborative attack path of functional safety and information security by constructing a Petri net model combined with the Kill Chain. It subsequently quantifies the functional safety and information security nodes in the Petri net, and finally calculates the risk value from the possibility of safety events and the various losses these events cause, completing the integrated risk assessment of the industrial control system. The feasibility of the proposed method is verified on an open-source simulation of a chemical tank industrial control system, and the method is compared with fault tree analysis and attack tree analysis. Experimental results show that the proposed method can quantitatively obtain the risk value of an industrial control system, and that it also solves the problem of cyber-physical collaborative attacks and security risks that cannot be identified by analyzing functional safety and information security separately.

Key words: Risk assessment, Petri net, Industrial control system, Security integrity, Functional safety, Information security

CLC Number: 

  • TP309