IDEAS home Printed from https://ideas.repec.org/a/eee/reensy/v193y2020ics0951832018314558.html
   My bibliography  Save this article

An iterative learning and inference approach to managing dynamic cyber vulnerabilities of complex systems

Author

Listed:
  • Chatterjee, Samrat
  • Thekdi, Shital

Abstract

As modern infrastructure systems become increasingly reliant on cyber technologies and continue to be integrated with physical systems, managing risks from deliberate and non-deliberate sources is a significant research challenge. Unlike strictly physical systems, cyber-enabled physical systems are influenced by dynamic and evolving technologies, environments, and attack mechanisms. As a result, vulnerabilities are rapidly changing and difficult to detect and manage. While there is recent interest in the dynamic properties of performance through resilience analysis, limited research addresses the dynamic nature of cyber-system vulnerability. This paper presents an iterative data-driven learning approach to evaluate and manage vulnerabilities for such complex systems. These time-varying system health characteristics may not be directly observable, but can be inferred using observable indicators. The approach recognizes that multiple types of vulnerabilities need to be included in a holistic system health assessment. The methods are applied to the Common Vulnerability Scoring System (CVSS) database containing thousands of documented cybersecurity vulnerabilities over nearly two decades. We acknowledge the dynamic properties of cyber vulnerability, while also inferring system health using observable data and hidden operational states. The results will be of interest to managers of large-scale cyber-enabled physical systems who are seeking to prioritize system health investments.

Suggested Citation

  • Chatterjee, Samrat & Thekdi, Shital, 2020. "An iterative learning and inference approach to managing dynamic cyber vulnerabilities of complex systems," Reliability Engineering and System Safety, Elsevier, vol. 193(C).
    • Handle: RePEc:eee:reensy:v:193:y:2020:i:c:s0951832018314558
    DOI: 10.1016/j.ress.2019.106664
    as

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S0951832018314558
    Download Restriction: Full text for ScienceDirect subscribers only
    File URL: https://libkey.io/10.1016/j.ress.2019.106664?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Bolbot, Victor & Theotokatos, Gerasimos & Bujorianu, Luminita Manuela & Boulougouris, Evangelos & Vassalos, Dracos, 2019. "Vulnerabilities and safety assurance methods in Cyber-Physical Systems: A comprehensive review," Reliability Engineering and System Safety, Elsevier, vol. 182(C), pages 179-193.
    2. SICARD, Franck & ZAMAI, Éric & FLAUS, Jean-Marie, 2019. "An approach based on behavioral models and critical states distance notion for improving cybersecurity of industrial control systems," Reliability Engineering and System Safety, Elsevier, vol. 188(C), pages 584-603.
    3. Trucco, P. & Cagno, E. & De Ambroggi, M., 2012. "Dynamic functional modelling of vulnerability and interoperability of Critical Infrastructures," Reliability Engineering and System Safety, Elsevier, vol. 105(C), pages 51-63.
    4. George E. Apostolakis & Douglas M. Lemon, 2005. "A Screening Methodology for the Identification and Ranking of Infrastructure Vulnerabilities Due to Terrorism," Risk Analysis, John Wiley & Sons, vol. 25(2), pages 361-376, April.
    5. Yacov Y. Haimes, 2006. "On the Definition of Vulnerabilities in Measuring Risks to Infrastructures," Risk Analysis, John Wiley & Sons, vol. 26(2), pages 293-296, April.
    6. Silva, Nuno & Cunha, João Carlos & Vieira, Marco, 2017. "A field study on root cause analysis of defects in space software," Reliability Engineering and System Safety, Elsevier, vol. 158(C), pages 213-229.
    7. Jung, Seunghwa & Choi, Jihwan P., 2019. "Predicting system failure rates of SRAM-based FPGA on-board processors in space radiation environments," Reliability Engineering and System Safety, Elsevier, vol. 183(C), pages 374-386.
    8. Reinhard Mechler & Laurens Bouwer, 2015. "Understanding trends and projections of disaster losses and climate change: is vulnerability the missing link?," Climatic Change, Springer, vol. 133(1), pages 23-35, November.
    9. Sven Fuchs & Thomas Glade, 2016. "Foreword: Vulnerability assessment in natural hazard risk—a dynamic perspective," Natural Hazards: Journal of the International Society for the Prevention and Mitigation of Natural Hazards, Springer;International Society for the Prevention and Mitigation of Natural Hazards, vol. 82(1), pages 1-5, May.
    10. Shital A. Thekdi & Samrat Chatterjee, 2019. "Toward adaptive decision support for assessing infrastructure system resilience using hidden performance measures," Journal of Risk Research, Taylor & Francis Journals, vol. 22(8), pages 1020-1043, August.
    11. Kriaa, Siwar & Pietre-Cambacedes, Ludovic & Bouissou, Marc & Halgand, Yoran, 2015. "A survey of approaches combining safety and security for industrial control systems," Reliability Engineering and System Safety, Elsevier, vol. 139(C), pages 156-178.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Monzer, Mohamad-Houssein & Beydoun, Kamal & Ghaith, Alaa & Flaus, Jean-Marie, 2022. "Model-based IDS design for ICSs," Reliability Engineering and System Safety, Elsevier, vol. 225(C).
    2. Wang, Wei & Cova, Gregorio & Zio, Enrico, 2022. "A clustering-based framework for searching vulnerabilities in the operation dynamics of Cyber-Physical Energy Systems," Reliability Engineering and System Safety, Elsevier, vol. 222(C).
    3. Frank Cremer & Barry Sheehan & Michael Fortmann & Arash N. Kia & Martin Mullins & Finbarr Murphy & Stefan Materne, 2022. "Cyber risk and cybersecurity: a systematic review of data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 47(3), pages 698-736, July.
    4. Alberto Sardi & Alessandro Rizzi & Enrico Sorano & Anna Guerrieri, 2021. "Cyber Risk in Health Facilities: A Systematic Literature Review," Papers 2102.04093, arXiv.org.
    5. Alberto Sardi & Alessandro Rizzi & Enrico Sorano & Anna Guerrieri, 2020. "Cyber Risk in Health Facilities: A Systematic Literature Review," Sustainability, MDPI, vol. 12(17), pages 1-16, August.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Bier, Vicki & Gutfraind, Alexander, 2019. "Risk analysis beyond vulnerability and resilience – characterizing the defensibility of critical systems," European Journal of Operational Research, Elsevier, vol. 276(2), pages 626-636.
    2. Zio, E., 2018. "The future of risk assessment," Reliability Engineering and System Safety, Elsevier, vol. 177(C), pages 176-190.
    3. Yi‐Ping Fang & Giovanni Sansavini & Enrico Zio, 2019. "An Optimization‐Based Framework for the Identification of Vulnerabilities in Electric Power Grids Exposed to Natural Hazards," Risk Analysis, John Wiley & Sons, vol. 39(9), pages 1949-1969, September.
    4. R. Piccinelli & G. Sansavini & R. Lucchetti & E. Zio, 2017. "A General Framework for the Assessment of Power System Vulnerability to Malicious Attacks," Risk Analysis, John Wiley & Sons, vol. 37(11), pages 2182-2190, November.
    5. H Jönsson & J Johansson & H Johansson, 2008. "Identifying critical components in technical infrastructure networks," Journal of Risk and Reliability, , vol. 222(2), pages 235-243, June.
    6. Bolbot, Victor & Kulkarni, Ketki & Brunou, Päivi & Banda, Osiris Valdez & Musharraf, Mashrura, 2022. "Developments and research directions in maritime cybersecurity: A systematic literature review and bibliometric analysis," International Journal of Critical Infrastructure Protection, Elsevier, vol. 39(C).
    7. Alanen, Jarmo & Linnosmaa, Joonas & Malm, Timo & Papakonstantinou, Nikolaos & Ahonen, Toni & Heikkilä, Eetu & Tiusanen, Risto, 2022. "Hybrid ontology for safety, security, and dependability risk assessments and Security Threat Analysis (STA) method for industrial control systems," Reliability Engineering and System Safety, Elsevier, vol. 220(C).
    8. Chen, Shun & Zhao, Xudong & Chen, Zhilong & Hou, Benwei & Wu, Yipeng, 2022. "A game-theoretic method to optimize allocation of defensive resource to protect urban water treatment plants against physical attacks," International Journal of Critical Infrastructure Protection, Elsevier, vol. 36(C).
    9. Xiaobing Yu & Hong Chen & Chenliang Li, 2019. "Evaluate Typhoon Disasters in 21st Century Maritime Silk Road by Super-Efficiency DEA," IJERPH, MDPI, vol. 16(9), pages 1-10, May.
    10. Trucco, Paolo & Petrenj, Boris, 2023. "Characterisation of resilience metrics in full-scale applications to interdependent infrastructure systems," Reliability Engineering and System Safety, Elsevier, vol. 235(C).
    11. Khastgir, Siddartha & Brewerton, Simon & Thomas, John & Jennings, Paul, 2021. "Systems Approach to Creating Test Scenarios for Automated Driving Systems," Reliability Engineering and System Safety, Elsevier, vol. 215(C).
    12. P. Daniel Wright & Matthew J. Liberatore & Robert L. Nydick, 2006. "A Survey of Operations Research Models and Applications in Homeland Security," Interfaces, INFORMS, vol. 36(6), pages 514-529, December.
    13. Monzer, Mohamad-Houssein & Beydoun, Kamal & Ghaith, Alaa & Flaus, Jean-Marie, 2022. "Model-based IDS design for ICSs," Reliability Engineering and System Safety, Elsevier, vol. 225(C).
    14. Siwar Kriaa & Marc Bouissou & Youssef Laarouchi, 2019. "A new safety and security risk analysis framework for industrial control systems," Journal of Risk and Reliability, , vol. 233(2), pages 151-174, April.
    15. Wang, Wei & Cammi, Antonio & Di Maio, Francesco & Lorenzi, Stefano & Zio, Enrico, 2018. "A Monte Carlo-based exploration framework for identifying components vulnerable to cyber threats in nuclear power plants," Reliability Engineering and System Safety, Elsevier, vol. 175(C), pages 24-37.
    16. Michael Greenberg, 2012. "Our Deteriorating Physical Structures and Risk Analysis," Risk Analysis, John Wiley & Sons, vol. 32(12), pages 2008-2009, December.
    17. Yang, Shunkun & Shao, Qi & Bian, Chong, 2022. "Reliability analysis of ensemble fault tolerance for soft error mitigation against complex radiation effect," Reliability Engineering and System Safety, Elsevier, vol. 217(C).
    18. Augutis, Juozas & Jokšas, Benas & Krikštolaitis, Ričardas & Urbonas, Rolandas, 2016. "The assessment technology of energy critical infrastructure," Applied Energy, Elsevier, vol. 162(C), pages 1494-1504.
    19. Ibrahim, Muhammad Sohail & Dong, Wei & Yang, Qiang, 2020. "Machine learning driven smart electric power systems: Current trends and new perspectives," Applied Energy, Elsevier, vol. 272(C).
    20. Kim, Hee Eun & Son, Han Seong & Kim, Jonghyun & Kang, Hyun Gook, 2017. "Systematic development of scenarios caused by cyber-attack-induced human errors in nuclear power plants," Reliability Engineering and System Safety, Elsevier, vol. 167(C), pages 290-301.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:reensy:v:193:y:2020:i:c:s0951832018314558. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu (email available below). General contact details of provider: https://www.journals.elsevier.com/reliability-engineering-and-system-safety .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.